Disallow bare https: in CSP (ref #810, #325) (#925)

Author: mxsasha

Changelog.md

@@ -13,6 +13,8 @@
 - Fixed an [uncaught exception](https://github.com/internetstandards/Internet.nl/issues/494)
   in the security.txt text which could cause the entire test to fail for some HTTP responses.
 - Corrected handling of [bogus TLSA records](https://github.com/internetstandards/Internet.nl/issues/681).
+- A bare "https:" is [no longer allowed in Content-Security-Policy](https://github.com/internetstandards/Internet.nl/pull/925)
+  as it matches any HTTPS host.
 - [Loosened requirement for null MX](https://github.com/internetstandards/Internet.nl/issues/748)
   when a domain has no A or AAAA.
 - Fixed an issue where the

checks/tasks/http_headers.py

@@ -64,6 +64,7 @@ def __init__(self):
             self.has_unsafe_eval = False
             self.has_unsafe_hashes = False
             self.has_http = False
+            self.has_bare_https = False
             self.has_data = False
             self.has_base_uri = False
             self.has_form_action = False
@@ -78,6 +79,7 @@ def failures(self):
                 "has_unsafe_inline",
                 "has_unsafe_eval",
                 "has_http",
+                "has_bare_https",
                 "has_data",
                 "has_invalid_host",
                 "has_unsafe_hashes",
@@ -110,6 +112,7 @@ def __str__(self):
                 f"has_unsafe_eval: {self.has_unsafe_eval}\n"
                 f"has_unsafe_hashes: {self.has_unsafe_hashes}\n"
                 f"has_http: {self.has_http}\n"
+                f"has_bare_https: {self.has_bare_https}\n"
                 f"has_data: {self.has_data}\n"
                 f"has_base_uri: {self.has_base_uri}\n"
                 f"has_form_action: {self.has_form_action}\n"
@@ -125,7 +128,7 @@ def __str__(self):
     host_source_regex = re.compile(
         r"^(?:(?P<scheme>.+)://)?" r"(?P<host>[^:/']+|\[.+\])" r"(?::(?P<port>\d+|\*))?" r"(?P<path>\/.*)?$"
     )
-    scheme_source_regex = re.compile(r"^(?P<scheme>https?|data|mediastream|blob|filesystem):$")
+    scheme_source_regex = re.compile(r"^(?P<scheme_source>https?|data|mediastream|blob|filesystem):$")
     self_none_regex = re.compile(r"^(?:(?P<self>'self')|(?P<none>'none'))$")
     other_source_regex = re.compile(
         r"(?:"
@@ -356,8 +359,6 @@ def _check_none_self_similar(self, domain, directive: str):
                 found_self = True
             elif "report_sample" in match.groupdict() and match.group("report_sample"):
                 expected_sources += 1
-            elif "scheme" in match.groupdict() and match.group("scheme") and match.string == "https:":
-                expected_sources += 1
             elif "host" in match.groupdict() and match.group("host"):
                 expected_sources += 1
                 host = match.group("host").rstrip(".")
@@ -392,9 +393,10 @@ def _check_none_self_similar(self, domain, directive: str):
         return False
 
     def _verdict(self, domain):
-        self.result.has_http = self._check_matched_for_groups(dict(scheme=["http", "*"]))
+        self.result.has_http = self._check_matched_for_groups(dict(scheme=["http", "*"], scheme_source=["http", "*"]))
+        self.result.has_bare_https = self._check_matched_for_groups(dict(scheme_source=["https"]))
         self.result.has_data = self._check_matched_for_groups(
-            dict(scheme=["data", "*"]), directives=["object-src", "script-src"]
+            dict(scheme_source=["data", "*"]), directives=["object-src", "script-src"]
         )
         self.result.has_invalid_host = self._check_matched_for_groups(dict(host=["*", "127.0.0.1"]))
         self.result.has_unsafe_inline = self._check_matched_for_groups(dict(unsafe_inline=[]))

tests/unittests/test_tasks_http_headers.py

@@ -101,7 +101,7 @@ def test_default_src_1(self):
 
     def test_default_src_2(self):
         headers = "form-action 'none'; base-uri 'none'; default-src 'self' https:; frame-ancestors 'self'"
-        self._is_good(headers)
+        self._is_bad(headers)
 
     def test_default_src_3(self):
         headers = "form-action 'none'; base-uri 'none'; default-src 'self' 'report_sample'; frame-ancestors 'self'"
@@ -164,9 +164,13 @@ def test_http_2(self):
         headers = self.base_policy + "frame-ancestors 'self', style-src http:"
         self._is_bad(headers)
 
+    def test_http_3(self):
+        headers = self.base_policy + "frame-ancestors 'self', style-src http://*"
+        self._is_bad(headers)
+
     def test_https_1(self):
         headers = self.base_policy + "frame-ancestors 'self', style-src https:"
-        self._is_good(headers)
+        self._is_bad(headers)
 
     def test_https_2(self):
         headers = self.base_policy + "frame-ancestors 'self', style-src https://whatever.com:443/afsdf"
@@ -176,6 +180,10 @@ def test_https_3(self):
         headers = self.base_policy + "frame-ancestors 'self', style-src https://[ipv6:address]:443/afsdf"
         self._is_good(headers)
 
+    def test_https_4(self):
+        headers = "form-action 'none'; base-uri 'self' https:; default-src 'self'; frame-ancestors 'self'"
+        self._is_bad(headers)
+
     def test_star_for_port(self):
         headers = self.base_policy + "frame-ancestors 'self', style-src https://[ipv6:address]:*/afsdf"
         self._is_good(headers)
@@ -281,7 +289,7 @@ def test_frame_source_domain(self):
         self._is_good(headers)
 
     def test_two_headers(self):
-        headers = self.base_policy + "frame-ancestors https:, frame-ancestors 'none'"
+        headers = self.base_policy + "frame-ancestors 'self', frame-ancestors 'none'"
         self._is_good(headers)
 
     def test_syntax_trusted_types_1(self):
@@ -338,7 +346,7 @@ def test_host_source_3(self):
 
     def test_scheme_source_1(self):
         headers = self.base_policy + "frame-ancestors 'none', style-src https:"
-        self._is_good_and_parsed(headers, "style-src")
+        self._is_bad_and_parsed(headers, "style-src")
 
     def test_scheme_source_2(self):
         headers = self.base_policy + "frame-ancestors 'none', style-src http:"