CSP: Source expressions can no longer lock sites into insecurity.

CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan
slightly less able to gather data on user's behavior based on CSP
reports[1]. This matches Firefox's existing behavior (they apparently
changed this behavior a few months ago, via a happy accident[2]), and
mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765, 558232
Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}
(cherry picked from commit 568075bbc5d16239a5cbdeb579a8768f9836f13e)

Committed: https://chromium.googlesource.com/chromium/src/+/ab830edb26a1f56f660b06459d70e1d48a707975

[Mike West, 2016-01-12 08:59:33]

Description was changed from

==========
CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan
slightly less able to gather data on user's behavior based on CSP
reports[1]. This matches Firefox's existing behavior (they apparently
changed this behavior a few months ago, via a happy accident[2]), and
mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]:
https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b969...
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765,558232

Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}
(cherry picked from commit 568075bbc5d16239a5cbdeb579a8768f9836f13e)
==========

to

==========
CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan
slightly less able to gather data on user's behavior based on CSP
reports[1]. This matches Firefox's existing behavior (they apparently
changed this behavior a few months ago, via a happy accident[2]), and
mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]:
https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b969...
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765,558232

Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}
(cherry picked from commit 568075bbc5d16239a5cbdeb579a8768f9836f13e)

Committed:
https://chromium.googlesource.com/chromium/src/+/ab830edb26a1f56f660b06459d70...
==========

[Mike West, 2016-01-12 08:59:35]

Committed patchset #1 (id:1) manually as
ab830edb26a1f56f660b06459d70e1d48a707975.