CSP policy composition

Not reproducible Issue #7658886

Details

Author
Alvise R.
Created
May 23, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
25.10586
Reports
Reported by 1 person


Steps to reproduce

Send two different Content-Security-Policy headers with different policies, like:
Header 1: default-src *;
Header 2: default-src 'none'; img-src data:

The behavior defined in the CSP specification should be to enforce both policies (thus resulting in allowing the intersection of the allowed hosts set).
As of version 25.10586.0.0 / EdgeHTML 13.10586 Edge behavior is to parse both headers and enforce the first found directive of each type.
For the shown example the result would be a policy like:
default-src: *; img-src data:
that could lead to unexpected security issues including XSS attacks.
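The following is an added model of the two composition behaviours described in the report; it is not code from the report or from the Edge team. It parses each header into directives, applies the default-src fallback, and then evaluates a load either the way the specification requires (every delivered policy is enforced independently, so a load must be allowed by all of them) or the way the report says Edge 25.10586 behaves (directives from all headers merged, first occurrence of each type wins). The source matcher is a deliberate simplification covering only the expressions that matter here: `*`, `'none'`, scheme sources such as `data:`, and plain host sources; `'self'` and nonces/hashes are not modelled. The URLs and hostnames used for the comparison are constructed.

```python
"""Model of CSP policy composition: spec behaviour vs. first-directive-wins merging."""
from urllib.parse import urlsplit

# The two headers from the report.
REPORTED_HEADERS = [
    "default-src *;",
    "default-src 'none'; img-src data:",
]


def parse_policy(header):
    """Parse one Content-Security-Policy header value into {directive: [sources]}.

    Within a single policy, a repeated directive name is ignored (the spec keeps the
    first one); that is separate from how *multiple* policies compose.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def _host_source_matches(source, parts):
    """Simplified host-source match: optional scheme, host with optional '*.' prefix."""
    scheme, _, host = source.rpartition("://")
    if scheme and scheme.lower() != parts.scheme:
        return False
    if not scheme and parts.scheme not in ("http", "https"):
        return False
    host = host.split("/")[0].split(":")[0].lower()  # drop path and port (simplification)
    if host.startswith("*."):
        return parts.hostname is not None and parts.hostname.endswith(host[1:])
    return parts.hostname == host


def source_matches(source, url):
    """Does one source expression allow this URL? (Subset of CSP source matching.)"""
    parts = urlsplit(url)
    if source == "'none'":
        return False
    if source == "*":
        # '*' never matches data:, blob: or filesystem: URLs.
        return parts.scheme not in ("data", "blob", "filesystem")
    if source.endswith(":"):  # scheme-source such as data: or https:
        return parts.scheme == source[:-1].lower()
    if source.startswith("'"):  # 'self', nonces, hashes: not modelled here
        raise ValueError("unsupported source expression: %s" % source)
    return _host_source_matches(source, parts)


def allowed_by_policy(policy, directive, url):
    """Apply one policy: use the specific directive, else fall back to default-src.

    A directive with no sources matches nothing, like 'none'. A policy that has
    neither the directive nor default-src imposes no restriction.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url) for s in sources)


def spec_allows(headers, directive, url):
    """Spec behaviour: every policy is enforced; the load must satisfy all of them."""
    return all(allowed_by_policy(parse_policy(h), directive, url) for h in headers)


def first_directive_wins_allows(headers, directive, url):
    """Behaviour described in the report: merge all headers, first directive of each type wins."""
    merged = {}
    for h in headers:
        for name, sources in parse_policy(h).items():
            merged.setdefault(name, sources)
    return allowed_by_policy(merged, directive, url)


def compare(headers, directive, url):
    """Return (spec_result, merged_result) so divergences are easy to spot."""
    return (spec_allows(headers, directive, url),
            first_directive_wins_allows(headers, directive, url))


if __name__ == "__main__":
    checks = [  # constructed sample loads
        ("script-src", "https://evil.example/x.js"),
        ("img-src", "data:image/png;base64,AAAA"),
        ("img-src", "https://cdn.example/a.png"),
    ]
    for directive, url in checks:
        spec, merged = compare(REPORTED_HEADERS, directive, url)
        print("%-10s %-35s spec=%-5s first-wins=%s" % (directive, url, spec, merged))
```

Run stand-alone, the script shows the gap the report describes: a script from an arbitrary host is blocked under the specification (policy 2 falls back to `default-src 'none'`) but allowed under first-directive-wins merging, because the merged policy keeps `default-src *` from header 1. The same holds for a `data:` image, which policy 1 forbids (`*` excludes `data:`) but the merged policy allows via header 2's `img-src data:`.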

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

    • Sorry for the delay in getting back to you on this item of feedback. Would you be able to provide us with a code sample to reproduce this with?

      This will ensure that we are testing the same code samples and lead to more accurate testing.

      All the best,
      The MS Edge Team

    • Microsoft Edge Team

      Changed Status to “Not reproducible”

    • As we have not received further information on how to repro this item of feedback, we will resolve it as not repro. Should you have the details needed in order for us to reproduce this problem in our test environments please feel free to reactivate this issue at your earliest convenience.

      All the best,
      The MS Edge Team
