Issue 1178373004: 'blob:' URLs should not match 'self' in CSP source expression lists.

Issue 1178373004: 'blob:' URLs should not match 'self' in CSP source expression lists. (Closed)

Created:
5 years, 6 months ago by Mike West

Modified:
5 years, 6 months ago

Reviewers:
jochen (gone - plz use gerrit)

CC:
blink-reviews, mkwst+watchlist-csp_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/blink.git@master

Target Ref:
refs/heads/master

Project:
blink

Visibility:
Public.

'blob:' URLs should not match 'self' in CSP source expression lists. Chrome is currently treating `'self'` as including `blob:` URLs. That's against the spec (and Firefox), which requires whitelisting `blob:` explicitly: https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-guid-matching. This patch fixes our implementation. Mozilla discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=1150957 BUG=473904 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=197354

Created: 5 years, 6 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+80 lines, -45 lines)			Patch
M	LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html	View		1 chunk	+20 lines, -20 lines	0 comments	Download
D	LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt	View		1 chunk	+0 lines, -2 lines	0 comments	Download
M	LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html	View		1 chunk	+17 lines, -20 lines	0 comments	Download
D	LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt	View		1 chunk	+0 lines, -2 lines	0 comments	Download
M	Source/core/frame/csp/CSPSourceList.cpp	View	1	1 chunk	+1 line, -1 line	0 comments	Download
M	Source/core/frame/csp/CSPSourceListTest.cpp	View	1	2 chunks	+32 lines, -0 lines	0 comments	Download
M	Source/core/frame/csp/ContentSecurityPolicy.h	View	1	1 chunk	+1 line, -0 lines	0 comments	Download
M	Source/core/frame/csp/ContentSecurityPolicy.cpp	View	1	1 chunk	+9 lines, -0 lines	0 comments	Download

Total messages: 8 (2 generated)

Mike West

Jochen, WDYT? This is probably going to break things in Chromium until https://codereview.chromium.org/1184353002 lands. Might ...

5 years, 6 months ago (2015-06-16 13:05:58 UTC) #2

Mike West

On 2015/06/16 at 13:21:47, jochen wrote: > lgtm After the research I noted in https://codereview.chromium.org/1176203008#msg4, ...

5 years, 6 months ago (2015-06-18 12:32:12 UTC) #4

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1178373004/20001

5 years, 6 months ago (2015-06-18 13:26:40 UTC) #7

commit-bot: I haz the power

5 years, 6 months ago (2015-06-18 13:50:18 UTC) #8

Message was sent while issue was closed.

Committed patchset #2 (id:20001) as
https://src.chromium.org/viewvc/blink?view=rev&revision=197354