Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(41)

Issue 1641533006: CSP: Add an experimental 'unsafe-dynamic' source expression. (Closed)

Created:
4 years, 10 months ago by Mike West
Modified:
4 years, 10 months ago
CC:
blink-reviews, blink-reviews-dom_chromium.org, chromium-reviews, dglazkov+blink, eae+blinkwatch, mkwst+watchlist-csp_chromium.org, rwlbuis, sof
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Add an experimental 'unsafe-dynamic' source expression. Developers at Google have raised concerns about deploying CSP for some products that use libraries which live on unsafe origins. One proposal that came up yesterday was the notion of dropping whitelists entirely, in favor of nonces which propagate down from a library to the scripts which that library loads. That is, something like `script-src 'nonce-abcd' 'unsafe-dynamic'` could allow `<script src=library nonce=abcd>` to load, and if it injects scripts via `appendElement`, we'd allow those to load. In the presence of nonces, this isn't actually an increase in risk, as those scripts can already read the nonce from the DOM and use it during injection (e.g. `document.querySelector('[nonce]').getAttribute('nonce')`), but this expression might allow folks to deploy CSP without convincing X libraries to roll new versions. It's a convenience, and one which might be worth running with. There's no spec for this feature yet; this patch lands a prototype behind the experimental flag in order to allow folks to play with it on real sites. If it turns out to be a good solution, I'll proposal it to public-webappsec@. Committed: https://crrev.com/c423cad0372f7772a1cb09596867a589f2840b4e Cr-Commit-Position: refs/heads/master@{#372317}

Patch Set 1 #

Patch Set 2 : Experiment. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+223 lines, -2 lines) Patch
A third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/loaded.js View 1 1 chunk +1 line, -0 lines 0 comments Download
A third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html View 1 1 chunk +158 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/dom/ScriptLoader.cpp View 2 chunks +6 lines, -2 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h View 2 chunks +2 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp View 2 chunks +10 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.h View 3 chunks +3 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp View 4 chunks +16 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp View 1 chunk +9 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h View 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp View 1 1 chunk +11 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/SourceListDirective.h View 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp View 1 chunk +5 lines, -0 lines 0 comments Download

Messages

Total messages: 9 (4 generated)
Mike West
WDYT, Jochen? This isn't specced anywhere, and isn't proposed anywhere other than the meeting we ...
4 years, 10 months ago (2016-01-29 06:42:10 UTC) #3
jochen (gone - plz use gerrit)
lgtm
4 years, 10 months ago (2016-01-29 06:53:57 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1641533006/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1641533006/20001
4 years, 10 months ago (2016-01-29 09:34:57 UTC) #6
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 10 months ago (2016-01-29 09:41:41 UTC) #7
commit-bot: I haz the power
4 years, 10 months ago (2016-01-29 09:42:32 UTC) #9
Message was sent while issue was closed.
Patchset 2 (id:??) landed as
https://crrev.com/c423cad0372f7772a1cb09596867a589f2840b4e
Cr-Commit-Position: refs/heads/master@{#372317}

Powered by Google App Engine
This is Rietveld 408576698