Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(301)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1361763005: Disallow CSP source * matching of data:, blob:, and filesystem: URLs (Closed)

Created:
5 years, 2 months ago by jww
Modified:
5 years, 2 months ago
CC:
blink-reviews
Base URL:
https://chromium.googlesource.com/chromium/src@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Disallow CSP source * matching of data:, blob:, and filesystem: URLs The CSP spec specifically excludes matching of data:, blob:, and filesystem: URLs with the source '*' wildcard. This adds checks to make sure that doesn't happen, along with tests. BUG=534570 R=mkwst@chromium.org Committed: https://crrev.com/5d0e9f824e05523e03dabc0e341b9f8f17a72bb0 Cr-Commit-Position: refs/heads/master@{#350950}

Patch Set 1 #

Total comments: 4

Patch Set 2 : Nits #

Patch Set 3 : Extensions fix #

Patch Set 4 : Better extensions fix #

Unified diffs Side-by-side diffs Delta from patch set Stats (+106 lines, -13 lines) Patch
M chrome/common/extensions/docs/templates/articles/app_csp.html View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M chrome/common/extensions/docs/templates/articles/offline_apps.html View 1 2 1 chunk +2 lines, -2 lines 0 comments Download
M extensions/common/manifest_handlers/csp_info.cc View 1 2 2 chunks +2 lines, -2 lines 0 comments Download
A third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html View 1 1 chunk +61 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.h View 1 2 3 1 chunk +2 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp View 1 2 3 2 chunks +19 lines, -7 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp View 1 chunk +18 lines, -0 lines 0 comments Download

Messages

Total messages: 22 (8 generated)
jww
Mike, please take a look.
5 years, 2 months ago (2015-09-24 19:33:48 UTC) #1
Mike West
On 2015/09/24 at 19:33:48, jww wrote: > Mike, please take a look. LGTM % nits.
5 years, 2 months ago (2015-09-25 08:20:54 UTC) #2
jww
On 2015/09/25 08:20:54, Mike West (slow) wrote: > On 2015/09/24 at 19:33:48, jww wrote: > ...
5 years, 2 months ago (2015-09-25 13:50:36 UTC) #3
Mike West
https://codereview.chromium.org/1361763005/diff/1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html (right): https://codereview.chromium.org/1361763005/diff/1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html#newcode40 third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html:40: window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) { Nit: Wrap this in ...
5 years, 2 months ago (2015-09-25 13:53:41 UTC) #4
jww
https://codereview.chromium.org/1361763005/diff/1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html (right): https://codereview.chromium.org/1361763005/diff/1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html#newcode40 third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-wildcards-disallowed.html:40: window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) { On 2015/09/25 13:53:41, Mike ...
5 years, 2 months ago (2015-09-25 15:32:15 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1361763005/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1361763005/20001
5 years, 2 months ago (2015-09-25 15:32:50 UTC) #8
commit-bot: I haz the power
Try jobs failed on following builders: win_chromium_x64_rel_ng on tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_rel_ng/builds/108946)
5 years, 2 months ago (2015-09-25 16:16:02 UTC) #10
jww
kalman@chromium.org: Please review changes in extensions/common/manifest_handlers/csp_info.cc
5 years, 2 months ago (2015-09-25 21:19:01 UTC) #12
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1361763005/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1361763005/60001
5 years, 2 months ago (2015-09-25 21:20:09 UTC) #14
not at google - send to devlin
extensions lgtm
5 years, 2 months ago (2015-09-25 21:29:29 UTC) #15
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_rel_ng/builds/108228)
5 years, 2 months ago (2015-09-25 22:33:48 UTC) #17
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1361763005/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1361763005/60001
5 years, 2 months ago (2015-09-25 22:58:26 UTC) #20
commit-bot: I haz the power
Committed patchset #4 (id:60001)
5 years, 2 months ago (2015-09-25 23:45:44 UTC) #21
commit-bot: I haz the power
5 years, 2 months ago (2015-09-25 23:47:16 UTC) #22
Message was sent while issue was closed. 
Patchset 4 (id:??) landed as
https://crrev.com/5d0e9f824e05523e03dabc0e341b9f8f17a72bb0
Cr-Commit-Position: refs/heads/master@{#350950}

Powered by Google App Engine
This is Rietveld 408576698