Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard. The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ] host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ) As you can see, the host-part is NOT optional. BUG=404295 Review URL: https://codereview.chromium.org/470723006 git-svn-id: svn://svn.chromium.org/blink/trunk@180407 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Disallow an empty host in a CSP host-source directive
Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard. The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ] host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ) As you can see, the host-part is NOT optional. BUG=404295 Review URL: https://codereview.chromium.org/470723006 git-svn-id: svn://svn.chromium.org/blink/trunk@180407 bbb929c8-8fbe-4397-9dbb-9b2b20218538
56719c46 · rob@robwu.nl · d40ffcf9 · 56719c46 · 56719c46 · 56719c46
Commit 56719c46 authored Aug 16, 2014 by rob@robwu.nl
5 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt
@@ -2,9 +2,7 @@ CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/conten
 CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https:".
-CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src https://".
+None of these scripts should execute.
-None of these scripts should execute even though there are parse errors in the policy.
@@ -22,8 +20,3 @@ PASS
 Frame: '<!--framePath //<!--frame2-->-->'
 --------
 PASS
--------
-Frame: '<!--framePath //<!--frame3-->-->'
--------
-PASS
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-03.html
@@ -7,12 +7,11 @@ var tests = [
    ['yes', 'script-src http:', 'resources/script.js'],
    ['no',  'script-src https:', 'resources/script.js'],
    ['no',  'script-src    https:  ', 'resources/script.js'],
-    ['no',  'script-src    https://', 'resources/script.js']
 ];
 </script>
 </head>
 <body onload="test()">
  <p>
-    None of these scripts should execute even though there are parse errors in the policy.
+    None of these scripts should execute.
  </p>
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07-expected.txt
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/'. It will be ignored.
 CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/".
+CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://'. It will be ignored.
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://".
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http:/127.0.0.1'. It will be ignored.
 CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http:/127.0.0.1".
@@ -63,3 +66,8 @@ PASS
 Frame: '<!--framePath //<!--frame7-->-->'
 --------
 PASS
+--------
+Frame: '<!--framePath //<!--frame8-->-->'
+--------
+PASS
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-07.html
@@ -5,6 +5,7 @@
 <script>
 var tests = [
    ['no', 'script-src http:/', 'resources/script.js'],
+    ['no', 'script-src http://', 'resources/script.js'],
    ['no', 'script-src http:/127.0.0.1', 'resources/script.js'],
    ['no', 'script-src http:///127.0.0.1', 'resources/script.js'],
    ['no', 'script-src http://127.0.0.1:/', 'resources/script.js'],

--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
@@ -212,7 +212,7 @@ bool CSPSourceList::parseSource(const UChar* begin, const UChar* end, String& sc
                || !skipExactly<UChar>(position, end, '/'))
                return false;
            if (position == end)
-                return true;
+                return false;
            beginHost = position;
            skipWhile<UChar, isNotColonOrSlash>(position, end);
        }