Fix 36168: document secure upgrades for source expressions #36198
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Content:HTTP
|
Preview URLs
(comment last updated: 2024-10-05 04:48:37) |
wbamberg
commented
Oct 5, 2024
files/en-us/web/http/headers/content-security-policy/sources/index.md
Outdated
Show resolved
Hide resolved
hamishwillee
reviewed
Oct 7, 2024
Comment on lines
-21
to
-22
| > **Note:** `connect-src 'self'` does not resolve to websocket | ||
| > schemes in all browsers, more info in this [issue](https://github.com/w3c/webappsec-csp/issues/7). |
There was a problem hiding this comment.
- Removing this makes sense - even if it were still correct I don't think it really gives a helpful or sufficient flavour for the problem/solution.
- I think your interpretation of what this was really about is correct (i.e. transparent upgrades of protocol levels). That is already captured in the sources docs, so we don't need more detail here.
- But this might require a BCD entry.
hamishwillee
reviewed
Oct 7, 2024
Comment on lines
+20
to
+21
| - `'self'` means the resource can be loaded from the same origin as the document. | ||
| - `example.org` means the resource can be loaded from the `example.org` domain. |
There was a problem hiding this comment.
We have a specific resource type in the example, so we should possibly indicate "images". I only comment because when I read this as "the resource" it irritated me that this is actually restriction "all images", not just a singular.
Suggested change
| - `'self'` means the resource can be loaded from the same origin as the document. | |
| - `example.org` means the resource can be loaded from the `example.org` domain. | |
| - `'self'` means that the resource type, in this case images, can be loaded from the same origin as the document. | |
| - `example.org` means that the resource type can be loaded from the `example.org` domain. |
hamishwillee
reviewed
Oct 7, 2024
| For example, the following fetch directive, [`img-src`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src), contains two source expressions, `'self'` and `example.org`: | ||
|
|
||
| ```plain | ||
| img-src 'self' example.org |
There was a problem hiding this comment.
Can/should we make this the full header and directive with the HTTP header (and http for the block name)? At least here in the very first example?
Suggested change
| img-src 'self' example.org | |
| Content-Security-Policty: img-src 'self' example.org |
hamishwillee
reviewed
Oct 7, 2024
| You can also specify data schemes (not recommended). | ||
| - : A scheme such as `http:` or `https:`. The colon is required. | ||
|
|
||
| Secure upgrades are allowed, so `http:` will also match resources loaded using HTTPS, and `ws:` will also match resources loaded using WSS. | ||
|
|
||
| - `data:` Allows [`data:` URLs](/en-US/docs/Web/URI/Schemes/data) to be used as a content source. |
There was a problem hiding this comment.
Should ws be in this list?
hamishwillee
reviewed
Oct 7, 2024
| - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. | ||
| You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. | ||
| Sites needing to allow these content types can specify them using the Data attribute. | ||
|
|
||
| Note that `https:` and `wss:` schemes are automatically matched even if the document's origin does not match that scheme, so for example: |
There was a problem hiding this comment.
This is good. I assume the reverse is not true - i.e. wss does not match ws? Should we say that?
|
Closing in favour of #36792. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #36168, and partly addresses #35947 (review).
This PR adds a gentler intro to the sources page, adding context and an example, to help address part of #35947 (review)..
It also describes the upgrade/don't trap people in HTTP changes added in w3c/webappsec-csp@0e81d81, that were partly documented before, to fix #36168, and removes the note in the connect-src page that is I think out of date .
I also moved the note about protocol upgrades that was added to scheme-source in #21015 - I believe this was a mistake and the correct fix was to add it to host-source, as #3899 tried to do.
But as usual I'd welcome careful review of all this!