Chromium Code Reviews

Issue 1455973003: CSP: Source expressions can no longer lock sites into insecurity. (Closed)

Created:
5 years, 1 month ago by Mike West
Modified:
5 years, 1 month ago
CC:
blink-reviews, chromium-reviews, mkwst+watchlist-csp_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan slightly less able to gather data on users' behavior based on CSP reports[1]. This matches Firefox's existing behavior (they apparently changed this behavior a few months ago, via a happy accident[2]), and mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765, 558232

Committed: https://crrev.com/568075bbc5d16239a5cbdeb579a8768f9836f13e
Cr-Commit-Position: refs/heads/master@{#360562}
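The matching rule the change adopts, as an added illustration that is not Blink's code: it assumes the CSP3 behaviour that a source expression written for an insecure scheme (http, ws) also matches the secure counterpart (https, wss), so a policy of `http://example.com` no longer rejects an `https://example.com` load and no violation report is generated that would reveal which scheme the browser actually used. Hosts are compared exactly; ports and wildcards are left out.

```cpp
#include <string>

// Constructed model of a CSP source expression and of a fetched URL
// (scheme and host only; ports and host wildcards are omitted).
struct SourceExpression {
    std::string scheme;  // e.g. "http"
    std::string host;    // e.g. "example.com"
};

struct Url {
    std::string scheme;
    std::string host;
};

// Returns true when the expression's scheme admits the URL's scheme.
// allowSecureUpgrade=true models the updated rule (assumed from CSP3):
// an insecure scheme in the expression also matches its secure variant.
// allowSecureUpgrade=false models the old strict-equality check, under
// which a secure load of an "http:" source produced a violation report.
bool schemeMatches(const std::string& exprScheme, const std::string& urlScheme,
                   bool allowSecureUpgrade) {
    if (exprScheme == urlScheme)
        return true;
    if (!allowSecureUpgrade)
        return false;
    return (exprScheme == "http" && urlScheme == "https") ||
           (exprScheme == "ws" && urlScheme == "wss");
}

// A source expression matches a URL when both scheme and host match.
bool sourceMatches(const SourceExpression& expr, const Url& url,
                   bool allowSecureUpgrade) {
    return schemeMatches(expr.scheme, url.scheme, allowSecureUpgrade) &&
           expr.host == url.host;
}

// A violation report is sent only when the source does not match. With
// the old rule, the report for https://example.com against a policy of
// http://example.com discloses that the browser fetched over HTTPS; with
// the updated rule the load is allowed and nothing is reported.
bool wouldReport(const SourceExpression& expr, const Url& url,
                 bool allowSecureUpgrade) {
    return !sourceMatches(expr, url, allowSecureUpgrade);
}
```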

Patch Set 1 #

Stats (+35 lines, -3 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSource.cpp: 1 chunk, +4 lines, -0 lines, 0 comments
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp: 2 chunks, +7 lines, -2 lines, 0 comments
M third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp: 1 chunk, +24 lines, -1 line, 0 comments

Messages

Total messages: 11 (5 generated)
Mike West
Hi Jochen, Philip! This is a fairly tiny change that brings our CSP implementation into ...
5 years, 1 month ago (2015-11-19 08:52:05 UTC) #3
jochen (gone - plz use gerrit)
lgtm
5 years, 1 month ago (2015-11-19 08:56:07 UTC) #4
philipj_slow
lgtm too. Didn't know about Sniffly before, that was awesome! (in a bad way)
5 years, 1 month ago (2015-11-19 09:02:45 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1455973003/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1455973003/1
5 years, 1 month ago (2015-11-19 10:14:35 UTC) #9
commit-bot: I haz the power
Committed patchset #1 (id:1)
5 years, 1 month ago (2015-11-19 11:54:34 UTC) #10
commit-bot: I haz the power
5 years, 1 month ago (2015-11-19 11:55:20 UTC) #11
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/568075bbc5d16239a5cbdeb579a8768f9836f13e
Cr-Commit-Position: refs/heads/master@{#360562}
