CSP 1.1: Adding paths to source expressions.
author Mike West <mkwst@google.com>
Mon, 03 Sep 2012 13:01:51 +0200
changeset 153abb64ba225c4
parent 152 1a86acf8052f
child 154 1594a9ea8cf0
CSP 1.1: Adding paths to source expressions.

In CSP 1.0, source expressions that contained paths (e.g.
'http://example.com/path/to/directory/') matched the grammar for
'ext-host-source', and were treated as though they didn't contain paths when
evaluating whether specific URLs matched. This patch adds explicit support
for paths to CSP 1.1, enabling site authors to specify specific directories on a
host which should be allowed for a given CSP directive.

In this iteration, CSP 1.1 supports paths at directory-level granularity.
'http://example.com/path/to/file.js' is treated as matching the directory
'http://example.com/path/to/file.js/'. Wildcards are unsupported, and the
spec makes no attempt to normalize paths beyond simply decoding percent-encoded
characters. Some or all of these restrictions might change in the future;
consider this as a first pass to spark discussion.
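The matching algorithm this changeset specifies, as an added Python illustration (not the spec's or the author's code); the example.com hosts and paths are constructed inputs, and it covers only host-source expressions, not keyword or scheme sources.

```python
"""Added illustration of CSP 1.1 host-source matching with paths (not spec code)."""
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_source(expr):
    """Split a host-source expression into (scheme, host, port, path)."""
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    i = rest.find("/")
    hostport, path = (rest, "") if i < 0 else (rest[:i], rest[i:])
    host, _, port = hostport.partition(":")
    return scheme, host.lower(), port or None, path

def matches(expr, url):
    """True if url matches the host-source expression expr (CSP 1.1 draft)."""
    src_scheme, src_host, src_port, src_path = parse_source(expr)
    u = urlsplit(url)
    if not u.hostname:                      # no host: does not match
        return False
    uri_scheme, uri_host = u.scheme.lower(), u.hostname.lower()
    uri_port = u.port or DEFAULT_PORTS.get(uri_scheme)
    uri_path = unquote(u.path) or "/"       # percent-decode; empty path -> "/"
    if src_scheme and src_scheme.lower() != uri_scheme:
        return False
    if src_host.startswith("*."):           # *.example.com matches subdomains
        if not uri_host.endswith(src_host[1:]):
            return False
    elif src_host != "*" and src_host != uri_host:
        return False
    if src_port is None:                    # no port given: URI must use default
        if uri_port != DEFAULT_PORTS.get(uri_scheme):
            return False
    elif src_port != "*" and int(src_port) != uri_port:
        return False
    if src_path:                            # new in 1.1: directory prefix check
        decoded = unquote(src_path)
        if not decoded.endswith("/"):       # a file-like path is treated as a dir
            decoded += "/"
        if not uri_path.startswith(decoded):
            return False
    return True

def demo():
    """Constructed example.com cases (not from any real policy)."""
    return {
        "dir_matches_file": matches("http://example.com/path/to/", "http://example.com/path/to/file.js"),
        "file_expr_misses_file": matches("http://example.com/path/to/file.js", "http://example.com/path/to/file.js"),
        "file_expr_as_dir": matches("http://example.com/path/to/file.js", "http://example.com/path/to/file.js/x"),
        "percent_decoded": matches("http://example.com/a%20b/", "http://example.com/a%20b/c.js"),
        "wildcards": matches("*.example.com:*/static/", "https://cdn.example.com:8443/static/x.js"),
    }
```

The second demo case shows the directory-level granularity described above: a source expression naming a file is turned into a directory and so does not match the file URI itself.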
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Mon Sep 03 11:21:44 2012 +0200
     1.2 +++ b/csp-specification.dev.html	Mon Sep 03 13:01:51 2012 +0200
     1.3 @@ -456,13 +456,12 @@
     1.4                    / *WSP "'none'" *WSP
     1.5  source-expression = scheme-source / host-source / keyword-source
     1.6  scheme-source     = scheme ":"
     1.7 -host-source       = [ scheme "://" ] host [ port ]
     1.8 -ext-host-source   = host-source "/" *( &lt;VCHAR except ";" and ","&gt; )
     1.9 -                  ; ext-host-source is reserved for future use.
    1.10 +host-source       = [ scheme "://" ] host [ port ] [ path ]
    1.11  keyword-source    = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
    1.12 -scheme            = &lt;scheme production from RFC 3986&gt;
    1.13 +scheme            = &lt;scheme production from <a href="http://tools.ietf.org/html/rfc3986#section-3.1">RFC 3986, section 3.1</a>&gt;
    1.14  host              = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
    1.15  host-char         = ALPHA / DIGIT / "-"
    1.16 +path              = &lt;path production from <a href="http://tools.ietf.org/html/rfc3986#section-3.3">RFC 3986, section 3.3</a>&gt;
    1.17  port              = ":" ( 1*DIGIT / "*" )
    1.18  </pre>
    1.19  
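Review bot: the `path` production referenced on the new `path` line (RFC 3986 section 3.3) is `path-abempty / path-absolute / path-noscheme / path-rootless / path-empty`, and its `pchar` permits sub-delims including ";" and ","; the removed `ext-host-source` line explicitly excluded those two characters because they separate directives and policies. Suggest referencing `path-abempty` (the form that follows an authority, as in the RFC's `hier-part`) and stating that ";" and "," are excluded or must be percent-encoded in a source expression.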
    1.20 @@ -513,7 +512,7 @@
    1.21                  </ol>
    1.22                </li>
    1.23                <li>If the source expression matches the grammar for
    1.24 -              <code>host-source</code> or <code>ext-host-source</code>:
    1.25 +              <code>host-source</code>:
    1.26                  <ol>
    1.27                    <li>If the URI does not contain a host, then return <em>does
    1.28                    not match</em>.</li>
    1.29 @@ -522,7 +521,12 @@
    1.30                    <var>uri-port</var> be the scheme, host, and port of the URI,
    1.31                    respectively. If the URI does not have a port, then let
    1.32                    <var>uri-port</var> be the default port for
    1.33 -                  <var>uri-scheme</var>.</li>
    1.34 +                  <var>uri-scheme</var>. Let <var>uri-path</var> be
    1.35 +                  the path of the URI, after
    1.36 +                  <a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
    1.37 +                  percent-encoded characters</a>. If the URI does not have a
    1.38 +                  path, then let <var>uri-path</var> be the U+002F SOLIDUS
    1.39 +                  character (<code>/</code>).</li>
    1.40  
    1.41                    <li>If the source expression has a <code>scheme</code> that is
    1.42                    not a case insensitive match for <var>uri-scheme</var>, then
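Review bot: `uri-path` is defined here as the URI's path after percent-decoding only, so dot-segments (`..`) are compared verbatim and the result of the prefix test added later in this patch depends on whether the user agent has already removed dot-segments (RFC 3986 section 5.2.4) before this algorithm runs. Suggest stating that `uri-path` is taken from the URI after normalization, and noting that decoding `%2F` to `/` changes the segment structure being compared, so decoding should be done per segment or after the comparison.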
    1.43 @@ -554,6 +558,22 @@
    1.44                    represent the same number as <var>uri-port</var>, then return
    1.45                    <em>does not match</em>.</li>
    1.46  
    1.47 +                  <li>If the source expression contains a non-empty
    1.48 +                  <code>path</code>, then:
    1.49 +                    <ol>
    1.50 +                      <li>Let <var>decoded-path</var> be the result of
    1.51 +                      <a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
    1.52 +                      <code>path</code>'s percent-encoded characters</a>.</li>
    1.53 +                      <li>If the final character of <var>decoded-path</var> is
    1.54 +                      not the U+002F SOLIDUS character (<code>/</code>), then
    1.55 +                      append the U+002F SOLIDUS character (<code>/</code>) to
    1.56 +                      <var>decoded-path</var>.</li>
    1.57 +                      <li>If <var>decoded-path</var> is not a prefix of
    1.58 +                      <var>uri-path</var>, then return <em>does not
    1.59 +                      match</em>.</li>
    1.60 +                    </ol>
    1.61 +                  </li>
    1.62 +
    1.63                    <li>Otherwise, return <em>does match</em>.</li>
    1.64                  </ol>
    1.65                </li>
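Review bot: the trailing-SOLIDUS step combined with the prefix test means a source expression that names a file rather than a directory never matches that file: `http://example.com/path/to/file.js` yields `decoded-path` `/path/to/file.js/`, which is not a prefix of `uri-path` `/path/to/file.js`, so the step returns does not match. If that is intended, the text should say so explicitly; otherwise add a check that `decoded-path` equals `uri-path` before the SOLIDUS is appended and the prefix comparison is made.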