Fetch rewrites ws/wss URLs, but browsers still report them in CSP #532

Open
@annevk

At least in theory ws/wss cannot show up in CSP (they get mapped to http/https before CSP is involved). If they do show up there's a problem of sorts with Fetch integration. (Probably best discussed in a separate issue.)

I just validated this assumption (before removal in https://bugzilla.mozilla.org/show_bug.cgi?id=1742366). It turns out to not be unconditionally true.

```html
data:text/html,<meta http-equiv="content-security-policy" content="connect-src;">
<script>
document.onsecuritypolicyviolation=e=>alert(e.blockedURI);
new WebSocket("ws://httpbingo.org/redirect-to?url=https://example.com")</script>
```

in Firefox 96.0a1, the result is ws://httpbingo.org/redirect-to?url=https://example.com

In Chromium 95, the result is ws://httpbingo.org

We should therefore also accept ws(s) and not trim it to the scheme. And have a WPT for it.

Originally posted by @Rob--W in #527 (comment)
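The following is an added example, not code from the issue author or from the CSP or Fetch specifications. It models, in Node's WHATWG `URL` implementation, the three outcomes discussed above for the same `ws://` request: what the report would contain if Fetch's ws→http scheme mapping happened before CSP, what Firefox 96.0a1 reported (the full `ws://` URL), and what Chromium 95 reported (only the `ws://` origin). The `stripUrlForReports` function is a paraphrase from memory of CSP3's "strip URL for use in reports" step that returns only the scheme for non-HTTP(S) URLs; the `allowWebSocket` option models the change this issue proposes. The cross-origin-to-origin trimming in `blockedUri` is an assumption that reproduces Chromium's observed output, not a description of either browser's code, and `'null'` is assumed as the opaque origin of the `data:` document.

```javascript
// Added model of CSP blocked-uri computation for WebSocket requests.
// Not the normative algorithm: assumptions are marked in comments.

// The WebSocket URL from the repro in this issue.
const WS_URL = 'ws://httpbingo.org/redirect-to?url=https://example.com';
// Assumption: a data: document has an opaque origin, serialized as "null".
const DATA_DOCUMENT_ORIGIN = 'null';

// Fetch's scheme mapping for WebSocket requests: ws -> http, wss -> https.
// If this ran before CSP, CSP would only ever see http(s) URLs.
function mapWebSocketScheme(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'ws:') url.protocol = 'http:';
  else if (url.protocol === 'wss:') url.protocol = 'https:';
  return url.href;
}

// Paraphrase (assumption, from memory) of CSP3 "strip URL for use in reports":
// non-HTTP(S) URLs collapse to their bare scheme; otherwise drop fragment and
// credentials and serialize. `allowWebSocket` models this issue's proposal to
// also keep ws:/wss: URLs instead of trimming them to "ws"/"wss".
function stripUrlForReports(urlString, { allowWebSocket = false } = {}) {
  const url = new URL(urlString);
  const kept = allowWebSocket
    ? ['http:', 'https:', 'ws:', 'wss:']
    : ['http:', 'https:'];
  if (!kept.includes(url.protocol)) return url.protocol.slice(0, -1); // e.g. "ws"
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.href;
}

// blocked-uri as it would appear in the violation report.
// `trimCrossOriginToOrigin` is an assumption that reproduces Chromium's
// observed "ws://httpbingo.org": cross-origin URLs reduced to their origin.
function blockedUri(resource, documentOrigin, opts = {}) {
  const stripped = stripUrlForReports(resource, opts);
  if (!stripped.includes('://')) return stripped; // bare scheme, nothing to trim
  const url = new URL(stripped);
  if (opts.trimCrossOriginToOrigin && url.origin !== documentOrigin) {
    return url.origin;
  }
  return stripped;
}

// The three outcomes side by side for the repro URL.
function compareOutcomes() {
  return {
    // "In theory": Fetch maps the scheme first, so CSP reports an http: URL.
    mappedBeforeCsp: blockedUri(mapWebSocketScheme(WS_URL), DATA_DOCUMENT_ORIGIN),
    // Spec text as paraphrased above, applied to the raw ws: URL: just "ws".
    currentSpecText: blockedUri(WS_URL, DATA_DOCUMENT_ORIGIN),
    // Firefox 96.0a1 observed: full ws: URL kept.
    firefox96: blockedUri(WS_URL, DATA_DOCUMENT_ORIGIN, { allowWebSocket: true }),
    // Chromium 95 observed: ws: kept, cross-origin URL trimmed to its origin.
    chromium95: blockedUri(WS_URL, DATA_DOCUMENT_ORIGIN, {
      allowWebSocket: true,
      trimCrossOriginToOrigin: true,
    }),
  };
}

console.log(compareOutcomes());
```

Running the block prints the four variants; the point of the comparison is that only the `currentSpecText` branch collapses the URL to a bare scheme, while both shipping browsers keep at least the `ws://` origin, which is the behaviour the proposal above would standardize.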

Labels

- addition/proposal (New features or enhancements)
- needs concrete proposal (Moving the issue forward requires someone to figure out a detailed plan)