CSP: Require https: URL scheme

[baknu]

Currently we do not allow for the http: scheme. We do not require https: (so a non defined URL scheme is also allowed):
See:

Internet.nl/tests/unittests/test_tasks_http_headers.py

Lines 106 to 108 in 5181fd0

	def test_default_src_5(self):
	headers = "default-src 'self' internet.nl *.internet.nl; frame-ancestors 'self'"
	self._is_good(headers)

We might want to explicitly require the https: scheme.

See below mail discussion between SR, WK and BK (17 Oct 2022).

Hier wat achtergrond info over schemes (http:, https: of none):
https://csplite.com/csp87/#SOP
Daarin staat ook dat CSP2 en CSP3 net wat anders omgaan met "http:". Merk
trouwens op dat CSP3 formeel nog een Working Draft is (hoewel veel al in de
laatste versies van browsers lijkt te zijn geland) en CSP2 een Recommendation.

Zoals we vanochtend ook bespraken, lijkt het het meest verstandig om https:
voor iedere in CSP opgenomen URL te plaatsen. Ook omdat het niet zeker is dat
een http-->https redirect voor het (hele) websitedomein incl. directories wordt
gebruikt.

Zie ook nog wat relevante comments in een eerdere discussie over de
implementatie van de CSP-test:
#325 (comment)

Laten we nagaan wat de Internet.nl-code nu doet (alleen "http:" afkeuren? of
ook "none" afkeuren en dus alleen "https:" toestaan?), en dan bepalen of we dit
willen aanpassen.

[baknu]

Note that Internet.nl currently does not use https on conn.internet.nl: #324

[baknu]

We explicitly now allow for https: in default-src. See the current test explanation.

This seems to be a mistake, because this way the scheme is forced but also any host is allowed. For background on this choice see @gthess's comment on #325 (comment)

It seems https: is equivalent to https:\\*.
See:

• https://www.w3.org/TR/CSP3/#framework-directive-source-list
• https://csplite.com/csp116/

Have adjusted the content. However this still needs to be fixed in the code.

[baknu]

Note that https:// may also be used in combination with wildcards: https://*.example.nl
See:

• https://www.w3.org/TR/CSP3/#framework-directive-source-list
• https://csplite.com/csp79/

This also means that we should not allow for http://*. Not sure if we do.

[mxsasha]

May be specific to combining https: with another value.

It's curious, this is not an implementation bug, this is an intentional tested feature:
https://github.com/internetstandards/Internet.nl/blob/main/tests/unittests/test_tasks_http_headers.py#L167C14-L169
and
https://github.com/internetstandards/Internet.nl/blob/main/tests/unittests/test_tasks_http_headers.py#L102-L104

Valid in current main branch:

• form-action 'self'; base-uri 'none'; default-src 'self'; frame-ancestors 'self'
• form-action 'self' https:; base-uri 'none' https:; default-src 'self' https:; frame-ancestors 'self' https:

Invalid:

• form-action https:; base-uri 'none'; default-src 'self'; frame-ancestors 'self'
• form-action 'self'; base-uri 'none'; default-src https:; frame-ancestors 'self'

[mxsasha]

Decision: we should reject a policy with a bare https: in any directives (and also need to cover https://*).
Also check that http://* is rejected.

[baknu]

This is now partly fixed. What is left is that we still need to test if https:// is explicitly used (and thus not allow *.example.nl and www.example.nl without the https;// scheme).