Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

normalize domains with trailing slashes #477

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

normalize domains with trailing slashes #477

wants to merge 3 commits into from
+31 −1

Conversation

keithamus
Copy link
Member

All PRs:

  • Has tests
  • Documentation updated - N/A

Adding a new header

Generally, adding a new header is always OK.

  • Is the header supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the header?
  • Where does the specification live?

Adding a new CSP directive

  • Is the directive supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the directive?

This PR normalises CSP source expressions to exclude trailing slashes from the Domain if there is no other information in the path.

CSP3 more explicitly calls this out in the path match algorithm:

If path A consists of one character that is equal to the U+002F
SOLIDUS character (/) and path B is empty, return "Matches".

Also a URL like example.com/foo will match a source expression of example.com, as well as example.com/, so having two source expressions listed like this is redundant.

@keithamus
normalize domains with trailing slashes
0d44152 
CSP3 more explicitly calls this out:

> If path A consists of one character that is equal to the U+002F
> SOLIDUS character (/) and path B is empty, return "Matches".

A URL like `example.com/foo` will match a connect-src of `example.com`,
as well as `example.com/`, so having two connect-srcs listed like this
is redundant.
vcsjones
vcsjones requested changes Apr 1, 2022
View reviewed changes
lib/secure_headers/headers/content_security_policy.rb Outdated Show resolved Hide resolved
lib/secure_headers/headers/content_security_policy.rb
source_list.map do |source|
# Normalize domains ending in a single / as without omitting the slash accomplisheg the same.
# https://www.w3.org/TR/CSP3/#match-paths § 6.6.2.10 Step 2
if source.chomp("/").include?("/")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing this might not be normalizing is a CSP directive like https://www.example.com/ since the protocol includes /.

The quoted spec is about matching on the path-part, not the entire URL that is in the directive.

It would be good to address this, with unit tests as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a test and some code to fix this. The code doesn't feel great, I'd welcome more elegant solutions here!

keithamus and others added 2 commits April 4, 2022 16:29
@keithamus @dgreif
fix: allow URIs with schema to have trailing slashes normalised
6ffcee7 
Co-authored-by: Dusty Greif <dgreif@users.noreply.github.com>
@keithamus @dgreif
fix typo
67ca492 
Co-authored-by: Dusty Greif <dgreif@users.noreply.github.com>
@srt32
Copy link
Member

srt32 commented Jul 18, 2022

@keithamus @vcsjones anything I can do to help get this PR ready to ship?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vcsjones vcsjones vcsjones requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@keithamus @srt32 @vcsjones