Split CSP policy lists on a bare comma, not just ", " #383
Open
durvesh1992 wants to merge 1 commit into
getCSPHeadersFromWebRequestResponse only split a combined CSP header into individual policies when the value contained ', ' (comma + space). The serialized policy list separator is a bare U+002C COMMA and the surrounding whitespace is optional, so a header like default-src 'self';,script-src 'self'; was left as a single string. parseCSPString then splits it on ';', producing a ',script-src' directive token with a stray leading comma that never matches 'script-src' — silently dropping a policy that downstream eval/worker CSP checks rely on. Split on ',' and trim each policy (dropping empties). Existing ', ' inputs are unaffected. Adds a regression test for the no-space case. https://www.w3.org/TR/CSP3/#parse-serialized-policy-list
**Summary**

`getCSPHeadersFromWebRequestResponse` splits a combined CSP header into individual policies only when the value contains `', '` (comma + space). Per CSP3 §parse a serialized CSP list, the separator is a bare U+002C COMMA; the surrounding whitespace is optional. So a server sending

```
default-src 'self';,script-src 'self';
```

is left as a single combined string.

`parseCSPString` then splits it on `;`, yielding a `,script-src` directive token with a stray leading comma that never matches `script-src`. The `script-src` policy is silently dropped, which weakens the eval/worker CSP checks that depend on detecting it — a correctness gap in a security extension.

**Fix**

Split on `,` and `trim()` each policy (dropping empty entries). Inputs using the conventional `', '` separator produce identical output, so this is backwards compatible.

**Test plan**

Added a regression test for a policy list separated by a comma with no space. Verified it fails before the change and passes after.

11 passed, 98 tests passed (was 97), no regressions.
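The failure mode the PR describes, reproduced as an added example (this is illustrative code written for this page, not the project's own `getCSPHeadersFromWebRequestResponse` or `parseCSPString`, whose internals are not shown). `splitPolicyListLegacy` models the old `', '`-only split, `splitPolicyList` the fixed bare-comma split, and `parseDirectives` is a minimal directive parser in the style the PR describes (split on `;`, first token is the directive name). The sample header values are constructed from the PR text.

```javascript
// Old behaviour described in the PR: only ", " (comma + space) is treated as
// the policy-list separator, so a bare comma leaves both policies fused.
function splitPolicyListLegacy(headerValue) {
  return headerValue.split(', ');
}

// Fixed behaviour: CSP3 "parse a serialized CSP list" separates policies on a
// bare U+002C COMMA with optional surrounding whitespace, so split on ',' and
// trim each entry, dropping empties.
function splitPolicyList(headerValue) {
  return headerValue
    .split(',')
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0);
}

// Minimal directive parser (illustrative, not the project's parseCSPString):
// split one policy on ';', take the first whitespace-separated token of each
// directive as its name. Returns Map<directiveName, sourceExpressions[]>.
function parseDirectives(policy) {
  const directives = new Map();
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // CSP keeps the first occurrence of a directive name and ignores repeats.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// The kind of check the PR says eval/worker logic depends on: does any policy
// in the header set script-src? `splitter` selects old vs fixed splitting.
function hasScriptSrc(headerValue, splitter) {
  return splitter(headerValue).some((policy) =>
    parseDirectives(policy).has('script-src'),
  );
}

// Constructed sample headers: the PR's no-space case and the conventional one.
const NO_SPACE_HEADER = "default-src 'self';,script-src 'self';";
const WITH_SPACE_HEADER = "default-src 'self';, script-src 'self';";

// Stand-alone demo: the legacy split misses script-src only for the bare-comma case.
console.log('legacy, bare comma :', hasScriptSrc(NO_SPACE_HEADER, splitPolicyListLegacy)); // false
console.log('fixed,  bare comma :', hasScriptSrc(NO_SPACE_HEADER, splitPolicyList));       // true
console.log('legacy, comma+space:', hasScriptSrc(WITH_SPACE_HEADER, splitPolicyListLegacy)); // true
console.log('fixed,  comma+space:', hasScriptSrc(WITH_SPACE_HEADER, splitPolicyList));       // true
```

With the legacy split, the second directive token of the fused policy is `,script-src`, which never equals `script-src`, so the check reports no script-src policy at all; the fixed split yields two policies and the check succeeds for both separator styles. The `filter` step also makes trailing or doubled commas harmless rather than producing empty policies.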