Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(208)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1872563004: Match `path-part` with `url` case-sensitively (Closed)

Created:
4 years, 8 months ago by Sergey Shekyan
Modified:
4 years, 8 months ago
Reviewers:
Mike West
CC:
blink-reviews, chromium-reviews, mkwst+watchlist-csp_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Match `path-part` with `url` case-sensitively This fixes a bug where if final character of `path-part` in `source-expression` is the U+002F SOLIDUS character (/), matching with path of the `url` was performed case-insensitively. Less strict matching can lead to CSP bypass in certain circumstances or, at least, user confusion. This fixes the bug by ensuring that `path-part` matching is performed case-sensitively, per https://w3c.github.io/webappsec-csp/#match-url-to-source-expression BUG=590505 R=mkwst@chromium.org Committed: https://crrev.com/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb Cr-Commit-Position: refs/heads/master@{#386032}

Patch Set 1 #

Patch Set 2 : Update AUTHORS #

Unified diffs Side-by-side diffs Delta from patch set Stats (+5 lines, -1 line) Patch
M AUTHORS View 1 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSource.cpp View 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp View 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp View 1 chunk +2 lines, -0 lines 0 comments Download

Messages

Total messages: 17 (7 generated)
Sergey Shekyan
4 years, 8 months ago (2016-04-08 07:36:18 UTC) #1
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1872563004/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1872563004/1
4 years, 8 months ago (2016-04-08 07:36:30 UTC) #3
commit-bot: I haz the power
No L-G-T-M from a valid reviewer yet. CQ run can only be started by full ...
4 years, 8 months ago (2016-04-08 07:36:31 UTC) #5
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1872563004/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1872563004/1
4 years, 8 months ago (2016-04-08 08:07:51 UTC) #7
Mike West
LGTM. Thanks for the patch! If the bots are happy, go ahead and land it.
4 years, 8 months ago (2016-04-08 08:09:15 UTC) #8
Mike West
On 2016/04/08 at 08:09:15, Mike West wrote: > LGTM. Thanks for the patch! If the ...
4 years, 8 months ago (2016-04-08 08:10:25 UTC) #9
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: chromium_presubmit on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/166266)
4 years, 8 months ago (2016-04-08 08:19:48 UTC) #11
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1872563004/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1872563004/20001
4 years, 8 months ago (2016-04-08 08:33:12 UTC) #14
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 8 months ago (2016-04-08 10:02:20 UTC) #15
commit-bot: I haz the power
4 years, 8 months ago (2016-04-08 10:03:57 UTC) #17
Message was sent while issue was closed. 
Patchset 2 (id:??) landed as
https://crrev.com/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb
Cr-Commit-Position: refs/heads/master@{#386032}

Powered by Google App Engine
This is Rietveld 408576698