Chromium Code Reviews

Issue 1455973003: CSP: Source expressions can no longer lock sites into insecurity. (Closed)

Created:
3 years, 5 months ago by Mike West
Modified:
3 years, 5 months ago
CC:
blink-reviews, chromium-reviews, mkwst+watchlist-csp_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan slightly less able to gather data on users' behavior based on CSP reports[1]. This matches Firefox's existing behavior (they apparently changed this behavior a few months ago, via a happy accident[2]), and mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765, 558232

Committed: https://crrev.com/568075bbc5d16239a5cbdeb579a8768f9836f13e
Cr-Commit-Position: refs/heads/master@{#360562}
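The description says only that the matching algorithm changed; the practical point is that a host-source expression such as `http://example.com` now also matches `https://example.com`, so an HSTS-upgraded fetch no longer produces a violation report that reveals whether the browser had visited that host before. The following is an added example written for this page (editor's illustration, not Chromium's CSPSource code or the spec text): a simplified host-source matcher that can run with the old rule (expression scheme must equal the URL scheme) or the new rule (http: also matches https:). The ws:/wss: case is included as the parallel rule CSP3 specifies, which is an assumption about the spec and not something this CL's diff shows; path components are ignored, and the `sniffHistory` scenario and `example.com` host are constructed for the demonstration.

```javascript
// Simplified CSP host-source matching (added example, not Chromium code).
// allowUpgrade=false models the pre-patch rule, allowUpgrade=true the post-patch rule.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "scheme://host:port"; scheme and port are optional, host may be
// "*" or "*.example.com". Paths are accepted but ignored. Returns null on failure.
function parseHostSource(expression) {
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/i
    .exec(expression.trim());
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Scheme part: exact match always; with the new rule an insecure expression
// scheme also matches its secure counterpart (never the reverse).
function schemeMatches(exprScheme, urlScheme, allowUpgrade) {
  if (exprScheme === urlScheme) return true;
  if (!allowUpgrade) return false;
  return (exprScheme === "http:" && urlScheme === "https:") ||
         (exprScheme === "ws:" && urlScheme === "wss:");
}

// Host part: "*" matches anything, "*.example.com" matches subdomains only.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Port part: "*" matches anything; no port means the URL must be on its
// scheme's default port (WHATWG URL reports that as an empty port string).
function portMatches(exprPort, url) {
  if (exprPort === "*") return true;
  if (exprPort === null) return url.port === "";
  const effective = url.port || DEFAULT_PORTS[url.protocol] || "";
  return exprPort === effective;
}

// originScheme is used when the expression carries no scheme (assumed here
// to be the scheme of the page that delivered the policy).
function matchesSource(expression, urlString, { allowUpgrade = true, originScheme = "https:" } = {}) {
  const expr = parseHostSource(expression);
  if (!expr) return false;
  const url = new URL(urlString);
  return schemeMatches(expr.scheme || originScheme, url.protocol, allowUpgrade) &&
         hostMatches(expr.host, url.hostname) &&
         portMatches(expr.port, url);
}

// A violation report is generated when nothing in the source list matches.
function violationReported(sourceList, urlString, options) {
  return !sourceList.some((expr) => matchesSource(expr, urlString, options));
}

// Constructed scenario for the CSP variant of the history-sniffing trick:
// the attacker's page carries img-src http://example.com and embeds
// http://example.com/pixel.gif. If the browser already holds HSTS state for
// example.com the request is upgraded to https before CSP matching, so under
// the old rule a report fires exactly when the user had been there before.
function sniffHistory(hstsUpgraded, allowUpgrade) {
  const fetched = hstsUpgraded ? "https://example.com/pixel.gif" : "http://example.com/pixel.gif";
  return violationReported(["http://example.com"], fetched, { allowUpgrade });
}

module.exports = { parseHostSource, schemeMatches, hostMatches, portMatches, matchesSource, violationReported, sniffHistory };
```

With `allowUpgrade: false`, `sniffHistory(true, false)` reports a violation and `sniffHistory(false, false)` does not, which is the one-bit leak; with the new rule both return false, so the report no longer depends on HSTS state. Note that the upgrade is one-directional: an `https://` expression still refuses `http://` URLs, and an explicit non-default port still has to match.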

Patch Set 1 #

Stats: +35 lines, -3 lines

M third_party/WebKit/Source/core/frame/csp/CSPSource.cpp (1 chunk, +4 lines, -0 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp (2 chunks, +7 lines, -2 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp (1 chunk, +24 lines, -1 line)

Messages

Total messages: 11 (5 generated)
Mike West
Hi Jochen, Philip! This is a fairly tiny change that brings our CSP implementation into ...
3 years, 5 months ago (2015-11-19 08:52:05 UTC) #3
jochen (gone - plz use gerrit)
lgtm
3 years, 5 months ago (2015-11-19 08:56:07 UTC) #4
philipj_slow
lgtm too Didn't know about Sniffly before, that was awesome! (in a bad way)
3 years, 5 months ago (2015-11-19 09:02:45 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1455973003/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1455973003/1
3 years, 5 months ago (2015-11-19 10:14:35 UTC) #9
commit-bot: I haz the power
Committed patchset #1 (id:1)
3 years, 5 months ago (2015-11-19 11:54:34 UTC) #10
commit-bot: I haz the power
3 years, 5 months ago (2015-11-19 11:55:20 UTC) #11
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/568075bbc5d16239a5cbdeb579a8768f9836f13e
Cr-Commit-Position: refs/heads/master@{#360562}
