 

Does a *.example.com for a content security policy header also match example.com?

Say I have this header set on mywebsite.com:

Content-Security-Policy: script-src 'self' https://*.example.com

I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone?

Looking at the spec....

Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on))

...it seems as if it should allow plain https://example.com. However, I've found several different sites (site 1, site 2, site 3, site 4) that all say that https://example.com isn't included. Which is it?

Anonymous Penguin asked Jun 30 '17 15:06



2 Answers

*.example.com for a CSP header doesn’t also match example.com, per the current CSP spec.

That text cited from the (old) CSP spec is wrong (now fixed). The other sources cited are right.


But that https://www.w3.org/TR/CSP/#source-expression section cited, which defines what a CSP source expression is, isn’t actually stating the relevant normative requirements.

Instead the section of the CSP spec that does actually normatively define the relevant requirements is the Does url match expression in origin with redirect count algorithm, in a substep at https://www.w3.org/TR/CSP/#ref-for-grammardef-host-part-2 which reads:

  1. If the first character of expression’s host-part is an U+002A ASTERISK character (*):

     1. Let remaining be the result of removing the leading "*" from expression.

     2. If remaining (including the leading U+002E FULL STOP character (.)) is not an ASCII case-insensitive match for the rightmost characters of url’s host, then return "Does Not Match".

The “including the leading U+002E FULL STOP character (.)” part of the requirement indicates the remaining part after the asterisk is removed includes the leading full stop, and so the rightmost characters of url’s host must also start with a dot in order to match that.

In other words, if you start with *.example.com and walk through that part of the algorithm, you start by removing the * to get .example.com as the remaining part, and then you match the rightmost characters of url's host against that, including the leading full stop.

So https://foo.example.com matches, because the rightmost characters of its host part match .example.com, but https://example.com doesn’t match, because the rightmost characters of its host part don’t match .example.com (because it lacks the included full stop).


2017-10-13 update

A while back I reported the problem with the CSP spec and it’s now been fixed.

The relevant part of the CSP spec now reads:

Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))

Notice that the part which had read “matches any resource on the host or any of its subdomains” now just reads “matches any resource on the host’s subdomains”.

sideshowbarker answered Oct 04 '22 02:10


According to Mozilla's docs, you should include 'self' as well as *.example.com in the CSP header if you want to include the base domain.

AJD- answered Oct 04 '22 02:10
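As an added example (not code from the question or from either answer), the following JavaScript re-implements the host-part matching substep quoted in the first answer and adds the 'self' keyword the second answer recommends, so the policy from the question can be checked against concrete URLs. The function names, the simplified source-expression grammar (scheme and host only; no ports, paths or the http-to-https upgrade allowance) and the sample URLs are this example's own assumptions.

```javascript
// Constructed example: a minimal model of CSP host-source matching, following the
// "Does url match expression in origin with redirect count" host-part substep.

// Match one expression's host-part against a URL host.
// A leading "*" is removed and the remaining string (dot included, e.g. ".example.com")
// must be an ASCII case-insensitive match for the rightmost characters of the host.
function hostPartMatches(hostPart, urlHost) {
  const host = urlHost.toLowerCase();
  if (hostPart.startsWith('*')) {
    const remaining = hostPart.slice(1).toLowerCase(); // keeps the leading "."
    return host.endsWith(remaining);                    // so "example.com" cannot match
  }
  return host === hostPart.toLowerCase();
}

// Match a URL against a single source expression: 'self' or [scheme://]host.
// Simplification (assumption): no ports, paths, 'none' or 'unsafe-*' keywords,
// and a scheme in the expression must equal the URL's scheme exactly.
function sourceMatches(expression, url, selfOrigin) {
  const target = new URL(url);
  if (expression === "'self'") {
    return target.origin === new URL(selfOrigin).origin;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(expression);
  if (!m) return false;
  const [, scheme, hostPart] = m;
  if (scheme && scheme.toLowerCase() + ':' !== target.protocol) return false;
  return hostPartMatches(hostPart, target.hostname);
}

// Does any expression in a whitespace-separated source list allow the URL?
function allowedBy(sourceList, url, selfOrigin) {
  return sourceList.trim().split(/\s+/).some(e => sourceMatches(e, url, selfOrigin));
}

// The policy from the question, evaluated on the site mywebsite.com:
const policy = "'self' https://*.example.com";
console.log(allowedBy(policy, 'https://foo.example.com/a.js', 'https://mywebsite.com')); // true
console.log(allowedBy(policy, 'https://example.com/a.js', 'https://mywebsite.com'));     // false
console.log(allowedBy(policy, 'https://mywebsite.com/a.js', 'https://mywebsite.com'));   // true
```

Note that an unquoted `self` in the header would be parsed by this model (and by browsers) as a host named "self", which is why the keyword must carry its quotes.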