CSP: Strip reported URLs for 'frame-src' and 'object-src'.
The relaxation that landed in https://codereview.chromium.org/2002943002
was a bit too relaxed, and leaks navigation targets cross-origin for
'frame-src' and 'object-src' violations.
This patch reverts to the old behavior for those two directives.
BUG=633306
Committed: https://crrev.com/94a6ff53682eac87184c1682b63faf6110325174
Cr-Commit-Position: refs/heads/master@{#412809}
Hey Emily! You reviewed the initial patch, and you're in a reasonable time zone this ...
4 years, 4 months ago
(2016-08-18 08:27:20 UTC)
#4
Hey Emily! You reviewed the initial patch, and you're in a reasonable time zone
this week! Would you like to review this patch as well? :)
estark
lgtm https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp (right): https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp#newcode803 third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp:803: return SecurityOrigin::create(url)->toString(); Technically I think the old behavior ...
4 years, 4 months ago
(2016-08-18 09:32:27 UTC)
#5
lgtm
https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp (right):
https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp:803: return
SecurityOrigin::create(url)->toString();
Technically I think the old behavior was the full URL if it was same-origin, and
just the origin if it was cross-origin, wasn't it? So you could change this to
return document->getSecurityOrigin()->canRequest(url) ?
url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString()
but I don't think it matters too much either way.
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
4 years, 4 months ago
(2016-08-18 09:43:17 UTC)
#6
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/282196)
4 years, 4 months ago
(2016-08-18 09:43:18 UTC)
#7
On 2016/08/18 at 09:32:27, estark wrote: > lgtm > > https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp > File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp (right): ...
4 years, 4 months ago
(2016-08-18 09:56:18 UTC)
#9
On 2016/08/18 at 09:32:27, estark wrote:
> lgtm
>
>
https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/c...
> File third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
(right):
>
>
https://codereview.chromium.org/2255103002/diff/1/third_party/WebKit/Source/c...
> third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp:803: return
SecurityOrigin::create(url)->toString();
> Technically I think the old behavior was the full URL if it was same-origin,
and just the origin if it was cross-origin, wasn't it? So you could change this
to
>
> return document->getSecurityOrigin()->canRequest(url) ?
url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString()
>
> but I don't think it matters too much either way.
You're right, fixed!
Thanks!
Mike West
The CQ bit was checked by mkwst@chromium.org
4 years, 4 months ago
(2016-08-18 09:56:22 UTC)
#10
4 years, 4 months ago
(2016-08-18 13:18:31 UTC)
#13
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
commit-bot: I haz the power
Description was changed from ========== CSP: Strip reported URLs for 'frame-src' and 'object-src'. The relaxation ...
4 years, 4 months ago
(2016-08-18 13:20:35 UTC)
#14
Message was sent while issue was closed.
Description was changed from
==========
CSP: Strip reported URLs for 'frame-src' and 'object-src'.
The relaxation that landed in https://codereview.chromium.org/2002943002
was a bit too relaxed, and leaks navigation targets cross-origin for
'frame-src' and 'object-src' violations.
This patch reverts to the old behavior for those two directives.
BUG=633306
==========
to
==========
CSP: Strip reported URLs for 'frame-src' and 'object-src'.
The relaxation that landed in https://codereview.chromium.org/2002943002
was a bit too relaxed, and leaks navigation targets cross-origin for
'frame-src' and 'object-src' violations.
This patch reverts to the old behavior for those two directives.
BUG=633306
Committed: https://crrev.com/94a6ff53682eac87184c1682b63faf6110325174
Cr-Commit-Position: refs/heads/master@{#412809}
==========
commit-bot: I haz the power
Patchset 2 (id:??) landed as https://crrev.com/94a6ff53682eac87184c1682b63faf6110325174 Cr-Commit-Position: refs/heads/master@{#412809}
4 years, 4 months ago
(2016-08-18 13:20:36 UTC)
#15
Issue 2255103002: CSP: Strip reported URLs for 'frame-src' and 'object-src'.
(Closed)
Created 4 years, 4 months ago by Mike West
Modified 4 years, 4 months ago
Reviewers: estark
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Comments: 1
Chromium Code Reviews
Issue
2255103002:
CSP: Strip reported URLs for 'frame-src' and 'object-src'. (Closed)
