Allow upgrades from explicitly insecure expressions

mikewest · mikewest · commit 0e81d81b64c4 · 2015-10-28T03:26:02.000+01:00
CSP2 allows developers to shoot themselves in the foot by locking themselves into insecure requests via source expressions like `'self'`, `http:` or `http://example.com`. This patch loosens the matching rules for these insecure schemes to include their secure variants. That is, `http:` is not equivalent to `http: https:`, and `ws:` to `ws: wss:`. Likewise, handling for `'self'` now includes `https:` and `wss:` on the protected resource's host. Fixes w3c/webappsec#25. Fixes w3c/webappsec#7.
diff --git a/index.html b/index.html
@@ -1001,7 +1001,7 @@
   <div class="head">
    <p data-fill-with="logo"><a class="logo" href="http://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72"> </a> </p>
    <h1 class="p-name no-ref" id="title">Content Security Policy Level 3</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2015-10-21">21 October 2015</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2015-10-28">28 October 2015</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -2429,34 +2429,46 @@ <h5 class="heading settled" data-algorithm="Does url match expression in origin
      <li data-md="">
       <p>If <var>expression</var> is the string "*", and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is not a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a>, return "<code>Matches</code>".</p>
      <li data-md="">
-      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source"><code>scheme-source</code></a> grammar:</p>
+      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source"><code>scheme-source</code></a> or <a data-link-type="grammar" href="#grammardef-host-source"><code>host-source</code></a> grammar:</p>
       <ol>
        <li data-md="">
-        <p>If <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for <var>expression</var>'s <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a>, return "<code>Matches</code>".</p>
+        <p>If <var>expression</var> has a <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> that is not an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>, then
+  return "<code>Does Not Match</code>" unless one of the following conditions is
+  met:</p>
+        <ol>
+         <li data-md="">
+          <p><var>expression</var>'s <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
+  case-insensitive match</a> for "<code>http</code>" and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>"</p>
+         <li data-md="">
+          <p><var>expression</var>'s <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
+  case-insensitive match</a> for "<code>ws</code>" and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>wss</code>"</p>
+        </ol>
        <li data-md="">
-        <p>Return "<code>Does Not Match</code>".</p>
+        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source"><code>scheme-source</code></a> grammar,
+  return "<code>Matches</code>".</p>
       </ol>
+      <p class="note" role="note">Note: This logic effectively means that <code>script-src http:</code> is
+  equivalent to <code>script-src http: https:</code>, and <code>script-src http://example.com/</code> is equivalent to <code>script-src http://example.com https://example.com</code>. In short, we always allow a
+  secure upgrade from an explicitly insecure expression.</p>
      <li data-md="">
       <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-host-source"><code>host-source</code></a> grammar:</p>
       <ol>
        <li data-md="">
         <p>If <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code> is <code>null</code>, return "<code>Does Not Match</code>".</p>
-       <li data-md="">
-        <p>If <var>expression</var> has a <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> that is not an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>, return
-  "<code>Does Not Match</code>".</p>
        <li data-md="">
         <p>If <var>expression</var> does not have a <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a>, then
   return "<code>Does Not Match</code>" unless one of the following conditions is
   met:</p>
         <ol>
          <li data-md="">
-          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
-  match</a> for "<code>HTTP</code>", and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
-  case-insensitive match</a> for either "<code>HTTP</code>" or "<code>HTTPS</code>".</p>
+          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code></p>
+         <li data-md="">
+          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>http</code>", and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> one of "<code>https</code>", "<code>ws</code>", or "<code>wss</code>".</p>
          <li data-md="">
-          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
-  match</a> for <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>.</p>
+          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>", and <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>wss</code>".</p>
         </ol>
+        <p class="note" role="note">Note: As with <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> above, we allow schemeless <a data-link-type="grammar" href="#grammardef-host-source"><code>host-source</code></a> expressions to be upgraded from insecure
+  schemes to secure schemes.</p>
        <li data-md="">
         <p>If the first character of <var>expression</var>'s <a data-link-type="grammar" href="#grammardef-host-part"><code>host-part</code></a> is an U+002A ASTERISK character (<code>*</code>):</p>
         <ol>
@@ -2520,7 +2532,27 @@ <h5 class="heading settled" data-algorithm="Does url match expression in origin
       </ol>
      <li data-md="">
       <p>If <var>expression</var> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for "<code>'self'</code>",
-  and <var>origin</var> is the same as <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-origin">origin</a></code>, return "<code>Matches</code>".</p>
+  return "<code>Matches</code>" if one or more of the following conditions is met:</p>
+      <ol>
+       <li data-md="">
+        <p><var>origin</var> is the same as <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-origin">origin</a></code></p>
+       <li data-md="">
+        <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code> is the same as <var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code>, <var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-port">port</a></code> and <var>url</var>'s {{URL/port} are either the same
+  or the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port">default ports</a> for their respective <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>s, and
+  one or more of the following conditions is met:</p>
+        <ol>
+         <li data-md="">
+          <p><var>url</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>" or "<code>wss</code>"</p>
+         <li data-md="">
+          <p><var>origin</var>'s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>http</code>"</p>
+        </ol>
+      </ol>
+      <p class="note" role="note">Note: Like the <a data-link-type="grammar" href="#grammardef-scheme-part"><code>scheme-part</code></a> logic above, the "<code>'self'</code>"
+  matching algorithm allows upgrades to secure schemes when it is safe to do
+  so. We limit these upgrades to endpoints running on the default port for a
+  particular scheme or a port that matches the origin of the protected
+  resource, as this seems sufficient to deal with upgrades that can be
+  reasonably expected to succeed.</p>
      <li data-md="">
       <p>Return "<code>Does Not Match</code>".</p>
     </ol>
diff --git a/index.src.html b/index.src.html
@@ -1762,31 +1762,50 @@ <h5 id="match-url-to-source-expression" algorithm>
   1.  If |expression| is the string "*", and |url|'s {{URL/scheme}} is not a
       <a>local scheme</a>, return "`Matches`".
 
-  2.  If |expression| matches the <a grammar>`scheme-source`</a> grammar:
+  2.  If |expression| matches the <a grammar>`scheme-source`</a> or
+      <a grammar>`host-source`</a> grammar:
 
-      1.  If |url|'s {{URL/scheme}} is an <a>ASCII case-insensitive match</a>
-          for |expression|'s <a grammar>`scheme-part`</a>, return "`Matches`".
+      1.  If |expression| has a <a grammar>`scheme-part`</a> that is not an
+          <a>ASCII case-insensitive match</a> for |url|'s {{URL/scheme}}, then
+          return "`Does Not Match`" unless one of the following conditions is
+          met:
+         
+          1.  |expression|'s <a grammar>`scheme-part`</a> is an <a>ASCII
+              case-insensitive match</a> for "`http`" and |url|'s {{URL/scheme}}
+              is "`https`"
+              
+          2.  |expression|'s <a grammar>`scheme-part`</a> is an <a>ASCII
+              case-insensitive match</a> for "`ws`" and |url|'s {{URL/scheme}}
+              is "`wss`"
+
+      2.  If |expression| matches the <a grammar>`scheme-source`</a> grammar,
+          return "`Matches`".
 
-      2.  Return "`Does Not Match`".
+      Note: This logic effectively means that `script-src http:` is
+      equivalent to `script-src http: https:`, and
+      `script-src http://example.com/` is equivalent to `script-src
+      http://example.com https://example.com`. In short, we always allow a
+      secure upgrade from an explicitly insecure expression.
 
   3.  If |expression| matches the <a grammar>`host-source`</a> grammar:
   
       1.  If |url|'s {{URL/host}} is `null`, return "`Does Not Match`".
 
-      2.  If |expression| has a <a grammar>`scheme-part`</a> that is not an
-          <a>ASCII case-insensitive match</a> for |url|'s {{URL/scheme}}, return
-          "`Does Not Match`".
-
-      3.  If |expression| does not have a <a grammar>`scheme-part`</a>, then
+      2.  If |expression| does not have a <a grammar>`scheme-part`</a>, then
           return "`Does Not Match`" unless one of the following conditions is
           met:
 
-          1.  |origin|'s {{URL/scheme}} is an <a>ASCII case-insensitive
-              match</a> for "`HTTP`", and |url|'s {{URL/scheme}} is an <a>ASCII
-              case-insensitive match</a> for either "`HTTP`" or "`HTTPS`".
+          1.  |origin|'s {{URL/scheme}} is |url|'s {{URL/scheme}}
 
-          2.  |origin|'s {{URL/scheme}} is an <a>ASCII case-insensitive
-              match</a> for |url|'s {{URL/scheme}}.
+          2.  |origin|'s {{URL/scheme}} is "`http`", and |url|'s {{URL/scheme}}
+              one of "`https`", "`ws`", or "`wss`".
+
+          3.  |origin|'s {{URL/scheme}} is "`https`", and |url|'s {{URL/scheme}}
+              is "`wss`".
+
+          Note: As with <a grammar>`scheme-part`</a> above, we allow schemeless
+          <a grammar>`host-source`</a> expressions to be upgraded from insecure
+          schemes to secure schemes.
       
       4.  If the first character of |expression|'s <a grammar>`host-part`</a>
           is an U+002A ASTERISK character (`*`):
@@ -1858,7 +1877,24 @@ <h5 id="match-url-to-source-expression" algorithm>
       10. Return "`Matches`".
 
   4.  If |expression| is an <a>ASCII case-insensitive match</a> for "`'self'`",
-      and |origin| is the same as |url|'s {{URL/origin}}, return "`Matches`".
+      return "`Matches`" if one or more of the following conditions is met:
+
+      1.  |origin| is the same as |url|'s {{URL/origin}}
+
+      2.  |origin|'s {{URL/host}} is the same as |url|'s {{URL/host}},
+          |origin|'s {{URL/port}} and |url|'s {{URL/port} are either the same
+          or the <a>default ports</a> for their respective {{URL/scheme}}s, and
+          one or more of the following conditions is met:
+          
+          1.  |url|'s {{URL/scheme}} is "`https`" or "`wss`"
+          2.  |origin|'s {{URL/scheme}} is "`http`"
+
+      Note: Like the <a grammar>`scheme-part`</a> logic above, the "`'self'`"
+      matching algorithm allows upgrades to secure schemes when it is safe to do
+      so. We limit these upgrades to endpoints running on the default port for a
+      particular scheme or a port that matches the origin of the protected
+      resource, as this seems sufficient to deal with upgrades that can be
+      reasonably expected to succeed.
 
   5.  Return "`Does Not Match`".
 
