Inconsistent support for wildcards in content security policy overrides #163
Labels
inconsistency
Inconsistent behavior across browsers
topic: csp
Related to content security policy enforcement
Comments
|
It seems this was a documentation error on MDN (based on unclear comments in Firefox code). We don't block the wildcard We'll be fixing the wording on MDN, and can mention Safari differences unless they want to align the behavior with Chromium and Firefox. |
|
Safari also intends to align the behavior with Chromium and Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1752309#c8 This issue can therefore be closed. In the future it may make sense to specify the desired behavior of CSP. |
carlosjeurissen
added
the
topic: csp
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This Twitter exchange made me realize that Chrome, Firefox, and Safari do not have a consistent approach to wildcard sources for CSP source values.
As @xeenon noted, MDN's content_security_policy docs state that "All sources must specify a host." As a result,
*is not a valid source value. Both Firefox and Safari support this limitation, but Chrome does not.A material result of this divergence is that extension authors are able to display images on extension pages from arbitrary origins in Chrome by including
img-src *;in their extension's CSP, but they cannot do this in Firefox or Safari. Instead, authors targeting Firefox and safari must either manually specify all known origins in theirimg-srcdirective or use a workarounds like proxying images requests.Public signals from browsers
The text was updated successfully, but these errors were encountered: