CSP implementation blocks explicit default port

Issue #10894548 • Assigned to Steven K.

Details

Author
Mathieu H.
Created
Feb 9, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
15.15025
Reports
Reported by 2 people


Steps to reproduce

Steps to reproduce:

  • Open a page containing the following CSP (either meta tag or HTTP Header): connect-src 'self' wss://*.example.com
  • Page attempts the following: new WebSocket('wss://service.example.com:443/websocket');

Result:
Error in the console:
Resource violated directive 'connect-src 'self'wss://*.example.com' in <meta http-equiv="Content-Security-Policy">: wss://service.example.com:443/websocket. Resource will be blocked.

Expected result:
Connection is allowed. 443 is the default port for the wss scheme, so according to rule 4.9 of Section 4.2.2 “Matching Source Expressions” of the CSP2 Spec it shouldn’t be disallowed:

If the source expression does not contain a port-part and url-port is not the default port for url-scheme, then return does not match.
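The following is an added illustration, not code from the report, from Edge, or from the CSP specification: a small JavaScript model of the CSP2 §4.2.2 host-source matching steps (scheme, host, port, path) for a single directive value, written to show why a URL with an explicit default port must be treated exactly like the same URL without one. Function names (parseSourceExpression, sourceExpressionMatches, directiveAllows) and the page origin https://app.example.com are assumptions made for the example; redirects and non-host sources such as nonces are not modelled.

```javascript
// Added example (not Edge's or the spec's code): CSP2 host-source matching with
// the default-port rule. Relies only on the WHATWG URL class (global in Node >= 10).

const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443, ftp: 21 };

// scheme-part "://" host-part [":" port-part] [path-part], e.g. "wss://*.example.com:443/ws"
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s?#]*)?$/i;

// Hypothetical helper: split a host-source expression into its parts.
function parseSourceExpression(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] === undefined ? null : m[3], // null = no port-part, '*' = any port
    path: m[4] || null,
  };
}

function schemeOf(url) {
  return url.protocol.slice(0, -1).toLowerCase();
}

// The WHATWG URL parser strips a default port ("wss://h:443" -> port ""), so map
// an empty port back to the scheme's default to obtain the spec's url-port.
function effectivePort(url) {
  return url.port === '' ? DEFAULT_PORTS[schemeOf(url)] : Number(url.port);
}

function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  // CSP2 lets http: expressions match https: URLs and ws: expressions match wss: URLs.
  return (exprScheme === 'http' && urlScheme === 'https') ||
         (exprScheme === 'ws' && urlScheme === 'wss');
}

function hostMatches(exprHost, urlHost) {
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    const suffix = exprHost.slice(1); // "*.example.com" -> ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Hypothetical helper: does `urlString` match one source expression in `originString`?
function sourceExpressionMatches(expr, urlString, originString) {
  const url = new URL(urlString);
  const origin = new URL(originString);
  const urlScheme = schemeOf(url);
  const urlHost = url.hostname.toLowerCase();
  const urlPort = effectivePort(url);

  if (expr === "'none'") return false;
  if (expr === "'self'") {
    // CSP2 'self': same scheme, host and port as the protected resource's origin.
    return urlScheme === schemeOf(origin) &&
           urlHost === origin.hostname.toLowerCase() &&
           urlPort === effectivePort(origin);
  }

  const src = parseSourceExpression(expr);

  // Scheme: an explicit scheme-part must match; otherwise the origin's scheme is used.
  if (!schemeMatches(src.scheme || schemeOf(origin), urlScheme)) return false;

  if (!hostMatches(src.host, urlHost)) return false;

  // Port rule at issue in this report: with no port-part, the URL matches only if
  // url-port is the default port for url-scheme. ":443" on a wss: URL *is* that
  // default, so it must be accepted, not rejected.
  if (src.port === null) {
    if (urlPort !== DEFAULT_PORTS[urlScheme]) return false;
  } else if (src.port !== '*' && Number(src.port) !== urlPort) {
    return false;
  }

  // Path: a trailing "/" means prefix match, otherwise exact match (redirects not modelled).
  if (src.path) {
    if (src.path.endsWith('/')) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Hypothetical helper: does the URL pass a whole directive value such as "'self' wss://*.example.com"?
function directiveAllows(directiveValue, urlString, originString) {
  return directiveValue.trim().split(/\s+/)
    .some((expr) => sourceExpressionMatches(expr, urlString, originString));
}

const ORIGIN = 'https://app.example.com'; // constructed page origin for the demo
const POLICY = "'self' wss://*.example.com";
console.log(directiveAllows(POLICY, 'wss://service.example.com:443/websocket', ORIGIN));  // true
console.log(directiveAllows(POLICY, 'wss://service.example.com:8443/websocket', ORIGIN)); // false
console.log(directiveAllows(POLICY, 'ws://service.example.com/websocket', ORIGIN));       // false
```

The first call is the case from the report and must return true under rule 4.9, because url-port (443) equals the default port for wss. The second shows the rule doing its real job and rejecting a non-default port, and the third shows that a wss: expression does not cover plaintext ws:. A quick way to see how an implementation goes wrong here is to compare the port string literally against the expression before normalising it: with that shortcut, ":443" and no port look different even though the spec says they are the same.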

Attachments

0 attachments

Comments and activity

  • Here is a fiddle for this: https://jsfiddle.net/9qzhx4pa/5/

  • Here is a slight update where you can better play with the CSP header content.

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

    Changed Assigned To from “Brad E.” to “Steven K.”
