Chromium Code Reviews

Issue 150893004: CSP: 'self' should be handled correctly in sandboxes. (Closed)

Created:
6 years, 10 months ago by Mike West
Modified:
3 years, 5 months ago
Reviewers:
abarth-chromium
CC:
blink-reviews, mkwst+watchlist_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Visibility:
Public.

Description

CSP: 'self' should be handled correctly in sandboxes. Currently, we're checking against the SecurityOrigin rather than the document's URL. Normally this is perfectly fine, but if the document is sandboxed, then the null security origin breaks the behavior of 'self' in source expression lists. This patch changes 'self' to refer to the URL of the protected resource, and in the special case of srcdoc documents, to the URL of the protected resource's parent browsing context's URL. BUG=326806
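The resolution rule stated in the description, modelled as an added Python example that is not part of this review and is not Blink code: `origin_of`, `Document`, `self_origin_old`, `self_origin_new` and `matches_self` are constructed names. The "old" function derives `'self'` from the document's SecurityOrigin, which is the unique ("null") origin for a sandboxed document and therefore matches nothing; the "new" function derives it from the protected resource's URL, and for `about:srcdoc` from the parent browsing context's URL, as the patch describes. The model only compares scheme, host and port; it does not implement the rest of CSP source-expression matching.

```python
from urllib.parse import urlsplit

# Constructed toy model of CSP 'self' resolution; not Blink's implementation.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) tuple of a URL, or None for a URL with no network origin
    (about:blank, about:srcdoc, data: ...)."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    port = p.port if p.port is not None else DEFAULT_PORTS[p.scheme]
    return (p.scheme, p.hostname.lower(), port)


class Document:
    """Hypothetical stand-in for a browsing context: its URL, whether it is
    sandboxed (without allow-same-origin), and its parent context, if any."""

    def __init__(self, url, sandboxed=False, parent=None):
        self.url = url
        self.sandboxed = sandboxed
        self.parent = parent

    def security_origin(self):
        # A sandboxed document gets a unique opaque ("null") origin.
        if self.sandboxed:
            return None
        # A non-sandboxed about:srcdoc document inherits its parent's origin.
        if self.url == "about:srcdoc" and self.parent is not None:
            return self.parent.security_origin()
        return origin_of(self.url)


def self_origin_old(doc):
    """Pre-patch behaviour: 'self' is derived from the SecurityOrigin, so a
    sandboxed document yields None and 'self' never matches."""
    return doc.security_origin()


def self_origin_new(doc):
    """Patched behaviour: 'self' is derived from the protected resource's URL;
    for about:srcdoc, from the URL of the parent browsing context."""
    if doc.url == "about:srcdoc" and doc.parent is not None:
        return self_origin_new(doc.parent)
    return origin_of(doc.url)


def matches_self(doc, resource_url, resolve):
    """True if resource_url is allowed by a 'self' source expression in doc's
    policy, using the given resolution function."""
    self_origin = resolve(doc)
    return self_origin is not None and origin_of(resource_url) == self_origin


if __name__ == "__main__":
    # Constructed sample contexts: a top-level page, a sandboxed same-site frame,
    # and a sandboxed srcdoc frame.
    top = Document("https://example.com/page")
    sandboxed = Document("https://example.com/frame", sandboxed=True, parent=top)
    srcdoc = Document("about:srcdoc", sandboxed=True, parent=top)
    for name, doc in (("sandboxed", sandboxed), ("srcdoc", srcdoc)):
        print(name, "old:", matches_self(doc, "https://example.com/app.js", self_origin_old),
              "new:", matches_self(doc, "https://example.com/app.js", self_origin_new))
```

Running the block shows the behaviour the description complains about: with the origin-based rule both sandboxed frames reject a same-site script under `'self'`, while the URL-based rule accepts it and still rejects cross-origin or cross-port resources.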

Patch Set 1 #

Patch Set 2 : Rebase #

Messages

Total messages: 4 (0 generated)
Mike West
Adam, WDYT about this change? It aligns us with the spec (step 5.1 of section ...
6 years, 10 months ago (2014-02-07 09:59:09 UTC) #1
Mike West
On 2014/02/07 09:59:09, Mike West wrote: > Adam, WDYT about this change? It aligns us ...
6 years, 10 months ago (2014-02-07 09:59:55 UTC) #2
abarth-chromium
Breaks the behavior in what sense? What should 'self' resolve to in sandboxed documents? I ...
6 years, 10 months ago (2014-02-07 18:42:32 UTC) #3
abarth-chromium
6 years, 10 months ago (2014-02-07 18:44:18 UTC) #4
It's not clear to me whether we should change the implementation or the spec. The spec text doesn't make much sense for about:blank or about:srcdoc documents. IMHO, we should probably change the spec. Folks can still whitelist resources by being explicit about what URLs a sandboxed iframe can load. It seems better to be explicit about that sort of thing.
