Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CSP] test that quote characters other than U+0027 APOSTROPHE don't work #23561

Closed
wants to merge 1 commit into from
Closed

[CSP] test that quote characters other than U+0027 APOSTROPHE don't work #23561

wants to merge 1 commit into from

Conversation

foolip
Copy link
Member

@foolip foolip commented May 13, 2020

@wpt-pr-bot wpt-pr-bot temporarily deployed to wpt-preview-23561 May 13, 2020 09:57 Inactive
@foolip foolip mentioned this pull request May 13, 2020
Open
mikewest
mikewest reviewed May 13, 2020
View reviewed changes
Copy link
Member

@mikewest mikewest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ArthurSonzogni to weigh in on whether we can reasonably change Chromium's behavior.

content-security-policy/generic/quote-characters.html
var tests = [
{ "csp": "img-src 'none';", "expected": false, "name": "precondition: single quotes are accepted" },
// See https://github.com/w3c/webappsec-csp/issues/434 for background on what is tested.
{ "csp": 'img-src "none";', "expected": true, "name": "double quotes should not be accepted" },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Chromium, this treats the source "none" as an unknown source, leaving us with img-src, which is an empty list, which is the same as 'none'.

content-security-policy/generic/quote-characters.html
{ "csp": "img-src \u0091none'", "expected": true, "name": "U+0091 + single quote should not be accepted" },
{ "csp": "img-src 'none\u0092", "expected": true, "name": "single quote + U+0092 should not be accepted" },
{ "csp": "img-src \u0091none\u0092", "expected": true, "name": "U+0091 + U+0092 should not be accepted" },
{ "csp": "img-src \u2018none\u2019;", "expected": true, "name": "U+2018 + U+2019 should not be accepted" },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Chromium, these four all end up as parse failures for the directive, as it contains characters that can't exist in a directive. In this case, we punt the directive entirely. We should probably have the same behavior here that we have for "none" above: treat the policy as containing an img-src directive with no valid entries, which is equivalent to 'none'.

@foolip foolip force-pushed the foolip/csp-quotes branch from 66787a7 to 707e848 Compare May 14, 2020 09:10
@ArthurSonzogni
Copy link
Member

I checked the sources. Chrome consider all those "sources" to be invalid. They are ignored. As a result the source list is empty and behave as "img-src 'none'".
A console error message is emitted to warn the developers.

I consider this behavior to be okay. I recognize that this is a bit confusing when the invalid source is "none".

What would be the new behavior? To drop the directive entirely? (we currently only drop the invalid source)

@foolip
Copy link
Member Author

foolip commented Mar 21, 2023

Abandoning before the 3 year anniversary of this PR, I'm realistically not going to come back to it.

@foolip foolip closed this Mar 21, 2023
@foolip foolip deleted the foolip/csp-quotes branch March 21, 2023 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikewest mikewest mikewest left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@foolip @ArthurSonzogni @mikewest @wpt-pr-bot