Chromium Code Reviews

Issue 1923273002: CSP: Allow hashed inline event handlers only with 'unsafe-hashed-attributes' (Closed)

Created:
4 years, 7 months ago by Mike West
Modified:
4 years, 7 months ago
CC:
blink-reviews, blink-reviews-bindings_chromium.org, blink-reviews-dom_chromium.org, blink-reviews-style_chromium.org, chromium-reviews, dglazkov+blink, eae+blinkwatch, mkwst+watchlist-csp_chromium.org, rwlbuis, sof
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Allow hashed inline event handlers only with 'unsafe-hashed-attributes'

The original implementation didn't gate this on any particular signal in the policy. Based on the discussion at https://github.com/w3c/webappsec-csp/issues/13, we should be a bit more cautious. So, 'unsafe-hashed-attributes' it is.

BUG=546106

Committed: https://crrev.com/fb02ae61a30adf416bdb3f8fabcf1581bcf0b12f
Cr-Commit-Position: refs/heads/master@{#390418}
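
A simplified model of the gating described above, added here as an illustration (it is not Blink's code and not part of this patch): a hash in the policy matches an inline event handler only when 'unsafe-hashed-attributes' is also present. The function names and the sample handler text are assumptions; nonces and the other script-src checks are not modelled.

```javascript
const crypto = require('crypto');

// Build the CSP hash-source expression for a piece of inline script text.
function hashSource(text, alg = 'sha256') {
  const digest = crypto.createHash(alg).update(text, 'utf8').digest('base64');
  return `'${alg}-${digest}'`;
}

// Split a policy string into { directive-name: [source expressions] }.
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// kind: 'script-element' for <script>...</script> content,
//       'event-handler' for attribute handlers such as onclick="...".
function allowsInline(policy, kind, text) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true; // no directive governs script
  const keywords = sources.map((s) => s.toLowerCase());
  const hashes = sources.filter((s) => /^'sha(256|384|512)-[A-Za-z0-9+\/=]+'$/.test(s));
  // Without hashes, inline script depends on 'unsafe-inline' alone.
  if (hashes.length === 0) return keywords.includes("'unsafe-inline'");
  // The gate: hashes apply to event handlers only with the explicit keyword.
  if (kind === 'event-handler' && !keywords.includes("'unsafe-hashed-attributes'")) {
    return false;
  }
  // Hash values are case-sensitive, so compare the original expressions.
  return hashes.some((h) => h === hashSource(text, h.slice(1, 7)));
}

// Constructed sample: handler text as it would appear in onclick="...".
const handler = 'toggleMenu()';
const hash = hashSource(handler);
console.log(allowsInline(`script-src ${hash}`, 'script-element', handler));
console.log(allowsInline(`script-src ${hash}`, 'event-handler', handler));
console.log(allowsInline(`script-src 'unsafe-hashed-attributes' ${hash}`, 'event-handler', handler));
```
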

Patch Set 1 #

Stats: +87 lines, -39 lines
M third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-handler-allowed.html (1 chunk, +1 line, -1 line)
A + third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-handler-blocked.html (1 chunk, +3 lines, -12 lines)
M third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp (1 chunk, +1 line, -1 line)
M third_party/WebKit/Source/core/dom/Document.h (1 chunk, +1 line, -1 line)
M third_party/WebKit/Source/core/dom/Document.cpp (2 chunks, +3 lines, -4 lines)
M third_party/WebKit/Source/core/dom/ScriptLoader.cpp (1 chunk, +1 line, -1 line)
M third_party/WebKit/Source/core/dom/StyleElement.cpp (1 chunk, +1 line, -1 line)
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h (2 chunks, +3 lines, -2 lines)
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp (2 chunks, +15 lines, -2 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.h (3 chunks, +3 lines, -0 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp (4 chunks, +16 lines, -0 lines)
M third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp (1 chunk, +10 lines, -0 lines)
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h (3 chunks, +8 lines, -3 lines)
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp (5 chunks, +15 lines, -11 lines)
M third_party/WebKit/Source/core/frame/csp/SourceListDirective.h (1 chunk, +1 line, -0 lines)
M third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp (1 chunk, +5 lines, -0 lines)

Messages

Total messages: 8 (3 generated)
Mike West
WDYT, Jochen?
4 years, 7 months ago (2016-04-27 12:49:58 UTC) #2
jochen (gone - plz use gerrit)
lgtm
4 years, 7 months ago (2016-04-27 13:18:04 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1923273002/1
View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1923273002/1
4 years, 7 months ago (2016-04-28 16:31:06 UTC) #5
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 7 months ago (2016-04-28 17:47:24 UTC) #6
commit-bot: I haz the power
4 years, 7 months ago (2016-04-30 17:19:30 UTC) #7
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/fb02ae61a30adf416bdb3f8fabcf1581bcf0b12f
Cr-Commit-Position: refs/heads/master@{#390418}
