
I have an FQDN in my CSP:

The source list for the Content Security Policy directive 'img-src' contains an invalid source: 'xxx.de.'. It will be ignored.

This is my csp:

default-src 'self'; script-src 'self' 'unsafe-inline' 
'unsafe-eval' www.xxx.de; style-src 'self' 'unsafe-inline'; 
font-src 'self' data:; img-src 'self' xxx.de.; frame-src 'self' 
www.youtube-nocookie.com xxx.de;

Why are domains having a dot at the end not allowed in CSP?

I need to link to this URL, and I need to have a CSP, this is my current CSP, the spec does not appear to allow me to describe the URL I have, how can I work around this?

Grim
    "Why are domains having a dot at the end not allowed in CSP?" — What sort of answer are you looking for here? You're unlikely to get anything beyond "Because the spec says so" or guesses about what was going through the spec designers' heads. – Quentin Aug 29 '23 at 10:43
  • I was guessing what was going through the spec designers' head. Yes. – Grim Aug 29 '23 at 15:49
  • Then, as pointed out, that's a matter of opinion and off-topic. – Quentin Aug 29 '23 at 15:50
  • I do not see how this is a matter of opinion. I mean it is a real-world problem. It is a real-world error message. – Grim Aug 29 '23 at 15:57
  • That it is an error message is a fact. That the spec doesn't allow a `.` there is a fact. That the spec saying that is the cause of the error message is a fact. Why the spec was written that way probably isn't recorded anywhere, questions asking why invite *speculation* about what the spec designers were thinking (i.e. are unlikely to be answered with facts), and isn't a problem of any kind. – Quentin Aug 29 '23 at 16:02
  • Well, it's my problem. I can neither reference https://upload.wikimedia.org./wikipedia/commons/thumb/8/8a/2006-02-13_Drop_before_impact.jpg/396px-2006-02-13_Drop_before_impact.jpg in the img-src-attribute nor change the url nor remove the csp-directive. I can not display that image. That's a concrete problem. – Grim Aug 29 '23 at 16:07
  • Knowing why the designers of the spec designed it that way won't help you solve that problem though. – Quentin Aug 29 '23 at 16:08
  • Just use https://upload.wikimedia.org/wikipedia/commons/thumb/8/8a/2006-02-13_Drop_before_impact.jpg/396px-2006-02-13_Drop_before_impact.jpg as the URL instead. – Quentin Aug 29 '23 at 16:08
  • I said "(...) nor change the url(...)". I think if the W3C resolves this mistake it will guide browser-developers (developers who develop browsers like mozilla, chrome, safari) to change the browser's csp validation. – Grim Aug 29 '23 at 16:09
  • Then you should look at removing the barrier preventing you from changing code on the website you control the CSP for. Odds are it'll be easier and faster than changing the spec and getting every browser to update to the new rules. – Quentin Aug 29 '23 at 16:11
  • I noticed that you might think the spec is wrong? I agree. Still a bad question? :P – Grim Aug 29 '23 at 16:13
  • "I noticed that you might think the spec is wrong?" — No. You noticed me noticing that the spec did not allow you to do what you want. – Quentin Aug 29 '23 at 16:13
  • What I did? I did not use the url having a dot at the end of the hostname, others did. – Grim Aug 29 '23 at 16:16
  • And yes. Still a bad question. See [the tour](https://stackoverflow.com/tour). Quote: *Focus on questions about an actual problem you have faced.*. Bad question: "Why is the spec like this?". Better question: "I need to link to *this URL*, and I need to have a CSP, this is my current CSP, the spec does not appear to allow me to describe the URL I have, how can I work around this?" – Quentin Aug 29 '23 at 16:16
  • The answer is clear: Because csp do not allow a dot at the end of the hostname. Question solved, problem remains unchanged. – Grim Aug 29 '23 at 16:17
  • For security reasons I need to keep that . at the end of the domain. – Grim Aug 29 '23 at 16:18

2 Answers


Because the specs say so.

The host-source:

host-source = [ scheme-part "://" ] host-part [ ":" port-part ] [ path-part ]

requires a host-part:

host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

which has to end with a host-char:

host-char = ALPHA / DIGIT / "-"

… which cannot be a `.`.

The path-part:

path-part = path-absolute (but not including ";" or ",") ; path-absolute is defined in section 3.3 of RFC 3986.

is defined elsewhere:

path-absolute ; begins with "/" but not "//"

… which has to start with `/`, so it cannot consist entirely of `.`.

Quentin
  • You explain that a dot is not allowed. But why is a dot not allowed? – Grim Aug 29 '23 at 13:28
  • 1
    @Grim — What I asked what sort of answer you were looking for and suggested a couple of possible answers, your response was "Do the specs say so?". They do. That is your answer. Speculation as to what the designers of the specification were thinking is a matter of opinion and off-topic here. – Quentin Aug 29 '23 at 13:43
  • Then this might be a mistake inside the spec. – Grim Aug 29 '23 at 15:27
  • See, `do the spec say so?` was more like a comment. The genuine question is `Why are domains having a dot at the end not allowed in CSP?` from the question. I know, many questions are answered in comments very well. Many bad questions are written in comments. My intention was to make the bounty on the question. After the bounty was set, I commented a question if the spec say so. Since I am not time traveling, and the bounty was set before the question in the comment, the bounty is on the genuine question. – Grim Aug 29 '23 at 15:43
  • Anyway, I deleted my comment, sorry for that. It was obviously misleading. Was my mistake. – Grim Aug 29 '23 at 15:44
  • Then I repeat: What sort of answer are you looking for? I've suggested two possibilities. One is off topic. The other is this answer. Is there a third kind of answer you're looking for? – Quentin Aug 29 '23 at 15:49
  • Well there might be something like, "yes, it's a specification mistake" or "find domains are bad practice said iab" or "browser is not allowed to look behind find domains for sandbox reasons" or "csp is discouraging such domains" or "find domains are checked in cors only" or something else. Idk. – Grim Aug 29 '23 at 15:54
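The grammar quoted in the answer above can be checked mechanically. The following is an added example, not code from the question or from either answer: it transcribes the CSP3 ABNF for `host-source`, `scheme-source`, keyword, nonce and hash sources into regular expressions (my own transcription, so the regexes are an assumption about how faithfully they cover the spec) and reports, per directive, which source expressions a browser would drop. The policy it runs against is the one from the question; the extra candidates at the bottom are mine.

```python
import re
from typing import Optional

# Added example: CSP3 source-expression grammar as regexes. The ABNF is the one
# quoted in the answer; the regex transcription is an assumption of this example.
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"                           # RFC 3986 scheme
HOST_CHAR = r"[A-Za-z0-9\-]"                                    # host-char = ALPHA / DIGIT / "-"
HOST_PART = rf"(?:\*|(?:\*\.)?{HOST_CHAR}+(?:\.{HOST_CHAR}+)*)"  # can never end in "."
PORT_PART = r"(?:\d+|\*)"
PATH_PART = r"/(?!/)[^;,\s]*"                                   # path-absolute, no ";" or ","

HOST_SOURCE_RE = re.compile(rf"^(?:{SCHEME}://)?{HOST_PART}(?::{PORT_PART})?(?:{PATH_PART})?$")
SCHEME_SOURCE_RE = re.compile(rf"^{SCHEME}:$")
NONCE_OR_HASH_RE = re.compile(r"^'(?:nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_\-]+={0,2}'$")
KEYWORD_SOURCES = {
    "'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'unsafe-allow-redirects'",
    "'wasm-unsafe-eval'", "'none'",  # 'none' is only valid as the sole value of a directive
}

# The policy from the question, joined onto one line.
QUESTION_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.xxx.de; "
    "style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' xxx.de.; "
    "frame-src 'self' www.youtube-nocookie.com xxx.de;"
)


def classify_source(token: str) -> Optional[str]:
    """Name the grammar production a source expression matches, or None if it matches none."""
    if token.lower() in KEYWORD_SOURCES:          # keywords are matched ASCII case-insensitively
        return "keyword-source"
    if NONCE_OR_HASH_RE.match(token):
        return "nonce-source/hash-source"
    if SCHEME_SOURCE_RE.match(token):
        return "scheme-source"
    if HOST_SOURCE_RE.match(token):
        return "host-source"
    return None


def parse_policy(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source tokens]}."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if not parts:
            continue
        name, *sources = parts
        name = name.lower()
        if name in directives:                    # CSP3: a repeated directive name is ignored
            continue
        directives[name] = sources
    return directives


def invalid_sources(policy: str) -> list:
    """Return (directive, source) for every source expression the grammar rejects."""
    return [
        (directive, src)
        for directive, sources in parse_policy(policy).items()
        for src in sources
        if classify_source(src) is None
    ]


if __name__ == "__main__":
    for directive, src in invalid_sources(QUESTION_POLICY):
        # Same wording as the browser console warning quoted in the question.
        print(f"The source list for the Content Security Policy directive "
              f"'{directive}' contains an invalid source: '{src}'. It will be ignored.")
    for candidate in ("xxx.de.", "xxx.de", "*.xxx.de:443",
                      "https://upload.wikimedia.org./wikipedia/commons/",
                      "https://upload.wikimedia.org/wikipedia/commons/"):
        print(f"{candidate:52} -> {classify_source(candidate)}")
```

Running it reproduces the single warning for `img-src` and shows that the same host with the trailing dot removed, or with a `*.` prefix and a port, is accepted: the only component of the grammar that can follow the last `host-char` is `:` (port) or `/` (path), so a terminal `.` has nowhere to go.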

Here is my problem:

https://upload.wikimedia.org./wikipedia/commons/thumb/8/8a/2006-02-13_Drop_before_impact.jpg/396px-2006-02-13_Drop_before_impact.jpg 
                           ^^^

I can neither reference it in the img-src-attribute nor change the URL nor remove the csp-directive. I can not display that image.

You have a unique situation where the URL you need to allow through your CSP contains a trailing dot in the domain name, and CSP does not support such syntax.
Since you cannot change the URL or remove the CSP, you are essentially locked into a scenario where the standard tools at your disposal are not sufficient.

Given these constraints, one approach would be to create a server-side proxy that fetches the image from the FQDN with the trailing dot and then serves it under your own domain. Your server-side code could make an HTTP request to the original URL, fetch the image, and then serve it as a response to a request to a URL on your own domain.
That way, you can add your own domain to the img-src directive in your CSP, and you are in compliance with the CSP specifications.

For example, in a Python Flask app, a simple proxy endpoint might look like this:

import requests
from flask import Flask, Response, abort

app = Flask(__name__)

# The upstream host keeps the trailing dot; the browser only ever sees this
# app's own origin, which CSP can express.
BASE_URL = "https://upload.wikimedia.org./wikipedia/commons/"

@app.route('/proxy_image/<path:subpath>')
def proxy_image(subpath):
    # Refuse dot-segments so a request cannot step outside the commons/ prefix.
    if any(segment in ('.', '..') for segment in subpath.split('/')):
        abort(404)
    target_url = f"{BASE_URL}{subpath}"

    # Bound the upstream fetch so a slow origin cannot tie up a worker.
    upstream = requests.get(target_url, timeout=10)

    if upstream.status_code == 200:
        # Fall back to a generic type if the origin omits Content-Type.
        return Response(upstream.content,
                        content_type=upstream.headers.get('Content-Type', 'application/octet-stream'))
    return Response(f"Unable to fetch image. Status code: {upstream.status_code}",
                    status=upstream.status_code)

if __name__ == '__main__':
    app.run()

Then you could update your CSP to allow images from your own domain:

img-src 'self' your-domain.com;

That will allow you to display the image without modifying the original URL or removing the CSP directive.

VonC