fix(csp): flag scheme-only sources (https:, data:) as permissive in sensitive CSP directives #58
Open
dmchaledev wants to merge 1 commit into
…sitive directives

The CSP wildcard check only caught literal `*` but missed scheme-only sources like `https:` or `data:` in sensitive fetch directives. A policy such as `default-src https:` allows loading from any HTTPS host and is nearly as permissive as `*`, yet previously scored as safe.

Reuse the existing `isPermissiveSource` helper (which already handles both `*` and scheme-only patterns) in the directive filter, and update the finding message to name both forms.

Three new tests cover `https:` in default-src, `data:` in script-src, and the correct non-flagging of `https:` in the low-risk img-src.

https://claude.ai/code/session_019zKAbhaab16mcuuP2McH2K
## Problem

The CSP wildcard check only caught the literal `*` token but silently passed scheme-only sources like `https:` or `data:` in sensitive fetch directives. A policy such as:

```
default-src https:
```

allows loading scripts, stylesheets, workers, etc. from any HTTPS host — nearly as permissive as `default-src *` — yet the tool previously awarded it full marks with no finding.

## Root Cause

`rules.ts` filtered directives using `sources.includes('*')`, missing any token matched by the existing `isPermissiveSource()` helper (bare `*` or any scheme-only source like `https:` / `data:` / `blob:`).

## Fix

Replace `sources.includes('*')` with `sources.some(isPermissiveSource)` in the sensitive-directive filter. The `isPermissiveSource` helper was already defined in the file for the frame-ancestors check — this change reuses it consistently.

The finding message is updated to name both forms so users understand why their policy was flagged:

## Tests

Three new test cases (85 total, all passing):

- `default-src https:`
- `script-src data:`
- `img-src https:`

## Checklist

- `npm run typecheck` passes
- `npm test` passes (85/85)

https://claude.ai/code/session_019zKAbhaab16mcuuP2McH2K
Generated by Claude Code
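The filter change described in the commit message and in the Fix section, as an added example that is not the project's code: a minimal CSP policy checker in TypeScript that places the old `sources.includes('*')` test beside the corrected `sources.some(isPermissiveSource)` test and runs both over the three policies the PR tests name. The names `parseCsp`, `findPermissiveBefore`, `findPermissive`, `SENSITIVE_DIRECTIVES` and `Finding`, the particular set of directives treated as sensitive, the finding message wording, and the regular expression inside `isPermissiveSource` are all assumptions of this example; the page itself only names `isPermissiveSource`, `rules.ts` and the `some(isPermissiveSource)` filter.

```typescript
// Added example, not the project's rules.ts. Names and the directive set
// below are assumptions modelled on the PR description.

interface Finding {
  directive: string;
  source: string;
  message: string;
}

// Directives that govern executable, style, worker or plugin content.
// A wildcard or scheme-only source in any of these effectively disables
// the protection the policy is meant to provide. (Assumed set.)
const SENSITIVE_DIRECTIVES = new Set<string>([
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "style-src", "worker-src", "child-src", "object-src", "connect-src",
  "frame-src", "base-uri",
]);

// Parse "directive src src; directive src" into directive -> source list.
// Directive names are case-insensitive per CSP, so they are lower-cased.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// A source is permissive when it is the bare wildcard or a scheme-only
// source expression: a scheme followed by a single colon and nothing else
// (`https:`, `data:`, `blob:`). Host expressions such as `https://cdn.example`
// and keyword sources such as `'self'` are not matched.
function isPermissiveSource(source: string): boolean {
  if (source === "*") return true;
  return /^[a-z][a-z0-9+.-]*:$/i.test(source);
}

// Before the fix: only a literal `*` token in a sensitive directive is flagged,
// so `default-src https:` produces no finding at all.
function findPermissiveBefore(policy: string): Finding[] {
  const findings: Finding[] = [];
  parseCsp(policy).forEach((sources, name) => {
    if (!SENSITIVE_DIRECTIVES.has(name)) return;
    if (sources.includes("*")) {
      findings.push({ directive: name, source: "*", message: `${name} allows any origin (*)` });
    }
  });
  return findings;
}

// After the fix: every token matched by isPermissiveSource is flagged, and the
// message names the offending token so the user sees why the policy failed.
function findPermissive(policy: string): Finding[] {
  const findings: Finding[] = [];
  parseCsp(policy).forEach((sources, name) => {
    if (!SENSITIVE_DIRECTIVES.has(name)) return;
    for (const source of sources.filter(isPermissiveSource)) {
      findings.push({
        directive: name,
        source,
        message: `${name} contains the wildcard or scheme-only source "${source}", ` +
          `which allows loading from any host reachable over that scheme`,
      });
    }
  });
  return findings;
}

// Constructed sample policies mirroring the PR's three test cases plus the
// literal-wildcard case that the old check already caught.
const SAMPLE_POLICIES = [
  "default-src https:",
  "default-src 'self'; script-src 'self' data:",
  "default-src 'self'; img-src https:",
  "default-src *",
];

for (const policy of SAMPLE_POLICIES) {
  console.log(policy);
  console.log("  before:", findPermissiveBefore(policy).map((f) => f.message));
  console.log("  after: ", findPermissive(policy).map((f) => f.message));
}
```

Two caveats a practitioner would add on top of this. First, `*` in CSP does not match `data:`, `blob:` or `filesystem:` URLs, so `script-src data:` is not a subset of `script-src *`; it is a separate way to allow attacker-controlled script (`data:` URLs are inline content, and Chrome's XSS findings around `data:` in `script-src` are well known), which is why treating scheme-only sources as a distinct permissive form rather than folding them into the wildcard message is the right call. Second, when `'strict-dynamic'` is present in `script-src`, host and scheme sources are ignored by browsers that support it, so a checker that wants to avoid false positives on nonce-based policies may need to special-case that keyword.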