
Split CSP policy lists on a bare comma, not just ", "#383

Open

durvesh1992 wants to merge 1 commit into facebookincubator:main from durvesh1992:fix/csp-policy-list-comma-split

Conversation

@durvesh1992


Summary

getCSPHeadersFromWebRequestResponse splits a combined CSP header into individual policies only when the value contains ', ' (comma + space):

```js
if (header.value?.includes(', ')) {
  header.value.split(', ').forEach(/* ... */);
} else {
  individualHeaders.push(header);
}
```

Per CSP3 §"parse a serialized CSP list" the separator is a bare U+002C COMMA; the surrounding whitespace is optional. So a server sending

```text
Content-Security-Policy: default-src 'self';,script-src 'self';
```

is left as a single combined string. `parseCSPString` then splits it on `;`, yielding a `,script-src` directive token with a stray leading comma that never matches `script-src`. The `script-src` policy is silently dropped, which weakens the eval/worker CSP checks that depend on detecting it — a correctness gap in a security extension.

Fix

Split on `,` and `trim()` each policy (dropping empty entries). Inputs using the conventional `', '` separator produce identical output, so this is backwards compatible.

Test plan

Added a regression test for a policy list separated by a comma with no space. Verified it fails before the change and passes after.

  • Full suite: 11 passed, 98 tests passed (was 97), no regressions.
  • Prettier clean.

getCSPHeadersFromWebRequestResponse only split a combined CSP header into
individual policies when the value contained ', ' (comma + space). The
serialized policy list separator is a bare U+002C COMMA and the
surrounding whitespace is optional, so a header like
  default-src 'self';,script-src 'self';
was left as a single string. parseCSPString then splits it on ';',
producing a ',script-src' directive token with a stray leading comma that
never matches 'script-src' — silently dropping a policy that downstream
eval/worker CSP checks rely on.

Split on ',' and trim each policy (dropping empties). Existing ', '
inputs are unaffected. Adds a regression test for the no-space case.

https://www.w3.org/TR/CSP3/#parse-serialized-policy-list
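The splitting bug described in this PR, modelled as an added example (not the project's own code): a "before" splitter that only recognises `', '`, the "after" splitter that splits on a bare comma, and a minimal directive parser that mirrors the `;`-splitting behaviour the description attributes to `parseCSPString`. The header strings and the function names `splitPolicyListBefore`, `splitPolicyListAfter`, `parsePolicy` and `hasDirective` are constructed for this example.

```javascript
// Before the fix: policies are separated only when ", " (comma + space) is present.
function splitPolicyListBefore(value) {
  return value.includes(', ') ? value.split(', ') : [value];
}

// After the fix: split on a bare U+002C COMMA, trim each policy, drop empties.
// CSP source expressions never contain a comma, so every comma is a separator.
function splitPolicyListAfter(value) {
  return value
    .split(',')
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0);
}

// Parse one serialized policy into Map<directiveName, sourceList>.
// Mirrors the described parseCSPString behaviour: split on ';', first token
// is the directive name. A leading stray comma survives into that token.
function parsePolicy(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/);
    const name = tokens[0];
    if (!name) continue; // trailing ';' produces an empty fragment
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does any policy in the combined header value define `directiveName`?
// This is the question the eval/worker CSP checks ask about 'script-src'.
function hasDirective(value, splitter, directiveName) {
  return splitter(value).some((policy) => parsePolicy(policy).has(directiveName));
}

// Constructed sample header values (combined policy lists).
const HEADER_NO_SPACE = "default-src 'self';,script-src 'self';";
const HEADER_WITH_SPACE = "default-src 'self';, script-src 'self';";
```

With `HEADER_NO_SPACE`, `splitPolicyListBefore` leaves the value whole and `parsePolicy` records a directive named `,script-src`, so `hasDirective(..., 'script-src')` is false; `splitPolicyListAfter` yields two policies and the directive is found.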
meta-cla bot added the "CLA Signed" label (Jun 29, 2026).
