mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

Allow multiple headers when parsing CSP #466

Open april opened 2 years ago

april commented 2 years ago

The current code only allows a singular CSP policy, which is technically not correct according to CSP3.

Update the code so that it can handle multiple CSP policies, by combining them together.
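The combining rule the issue asks for is the CSP3 one: when several policies are delivered (for example two `Content-Security-Policy` headers), each is enforced independently, so a fetch is allowed only if every policy allows it. The effective source list for a directive is therefore the intersection of what each policy permits, with a policy that lacks the directive falling back to its `default-src` and a policy that has neither placing no restriction. The following is an added illustration written for this thread, not the Observatory's own parser; the directive table and the treatment of `*` as "no host restriction" are simplifications chosen for the example (real `*` does not match `data:`, `blob:` or nonce/hash sources).

```python
from typing import Dict, List, Optional, Set

# Fetch directives that fall back to default-src when absent (subset, constructed for this example).
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "frame-src", "media-src", "object-src", "child-src", "worker-src",
}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Parse one policy string into {directive: [sources]}.

    Directive names are case-insensitive; CSP3 ignores a repeated directive
    within the same policy, so the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[Set[str]]:
    """Sources this single policy applies to `directive`, or None if it imposes no restriction."""
    if directive in policy:
        return set(policy[directive])
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return set(policy["default-src"])
    return None


def intersect_sources(a: Set[str], b: Set[str]) -> Set[str]:
    """Sources allowed by both policies. An empty intersection means nothing is allowed."""
    if "'none'" in a or "'none'" in b:
        return {"'none'"}
    if "*" in a:          # simplification: '*' treated as no host restriction
        return set(b)
    if "*" in b:
        return set(a)
    common = a & b
    return common if common else {"'none'"}


def combine_policies(header_values: List[str]) -> Dict[str, Set[str]]:
    """Combine several delivered policies into the effective per-directive source sets.

    A request must satisfy every policy, so each directive's effective sources are the
    intersection across the policies that restrict it.
    """
    policies = [parse_csp(v) for v in header_values]
    directives = {d for p in policies for d in p}
    combined: Dict[str, Set[str]] = {}
    for directive in sorted(directives):
        restrictions = [s for s in (effective_sources(p, directive) for p in policies) if s is not None]
        if not restrictions:
            continue
        effective = restrictions[0]
        for other in restrictions[1:]:
            effective = intersect_sources(effective, other)
        combined[directive] = effective
    return combined


if __name__ == "__main__":
    # Constructed sample: two policies as a site might send in two headers.
    sample = [
        "default-src 'self'; script-src 'self' https://cdn.example",
        "script-src 'self' https://other.example; img-src *",
    ]
    for directive, sources in combine_policies(sample).items():
        print(f"{directive}: {' '.join(sorted(sources))}")
```

In the sample, `script-src` collapses to `'self'` because only that source is allowed by both policies, and `img-src` becomes `'self'` because the first policy's `default-src` applies to it while the second policy's `*` adds nothing. Treating two policies as a union instead would overstate what the browser actually allows, which is the scoring error the issue is about.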

LootAcademy commented 2 years ago

Hey! I desperately need your help addressing a findec issue on the 168 string. It seems like the code has exposed the codecKext to the security issues that Tim B. warned about. Trying to get aligned with the CSP3 pol requirements with the M! silicon. What kinds of solutions are you familiar with?

LootAcademy commented 2 years ago

> The current code only allows a singular CSP policy, which is technically not correct according to CSP3.
>
> Update the code so that it can handle multiple CSP policies, by combining them together.

I desperately need your help addressing a findec issue on the 168 string. It seems like the code has exposed the codecKext to the security issues that Tim B. warned about. Trying to get aligned with the CSP3 pol requirements with the M! silicon. What kinds of solutions are you familiar with?

LootAcademy commented 2 years ago

MDN2

rw-AntoniRoszak commented 1 year ago

Hello,

I see that after commit a422b3aee91f34535990ffa7ba3aa5256dfb83da the scanner stopped analyzing the CSP in . Now I get only "none" in all CSPs and the page score is incorrect (too high). Previously, was also analyzed (and this is what a browser does). I think it may be related to the fact that all entries from get `"keep" == False`, so they are removed by the line: `csp[directive] = [source for source in combined_sources if source['keep'] is True]`

april commented 1 year ago

For which website? I just tested a few with different CSP configs and they produced the correct result.

rw-AntoniRoszak commented 1 year ago

https://shop.rockwool.com

april commented 1 year ago

Looks like this has been a bug for many years, based on the scan history.

If you want to open up a new issue, with the contents of the CSP header and mention me in it, I’ll be happy to take a look.

Thanks!

On Nov 14, 2022 at 7:11 AM -0600, Antoni Roszak wrote:

> https://shop.rockwool.com