Issue 2267653003: CSP: Strip reported URLs for 'frame-src' and 'object-src'.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 2267653003: CSP: Strip reported URLs for 'frame-src' and 'object-src'. (Closed)

Created:
4 years, 4 months ago by Mike West

Modified:
4 years, 4 months ago

Reviewers:

CC:
chromium-reviews

Base URL:
https://chromium.googlesource.com/chromium/src.git@2785

Target Ref:
refs/pending/branch-heads/2785

Project:
chromium

Visibility:
Public.

More Reviews

Description

CSP: Strip reported URLs for 'frame-src' and 'object-src'. The relaxation that landed in https://codereview.chromium.org/2002943002 was a bit too relaxed, and leaks navigation targets cross-origin for 'frame-src' and 'object-src' violations. This patch reverts to the old behavior for those two directives. BUG=633306 Review-Url: https://codereview.chromium.org/2255103002 Cr-Commit-Position: refs/heads/master@{#412809} (cherry picked from commit 94a6ff53682eac87184c1682b63faf6110325174)

Patch Set 1 #

Created: 4 years, 4 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+92 lines, -41 lines)			Patch
M	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html	View	1 chunk	+24 lines, -3 lines	0 comments	Download
D	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt	View	1 chunk	+0 lines, -3 lines	0 comments	Download
M	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html	View	1 chunk	+28 lines, -17 lines	0 comments	Download
D	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin-expected.txt	View	1 chunk	+0 lines, -8 lines	0 comments	Download
M	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked.html	View	1 chunk	+24 lines, -3 lines	0 comments	Download
D	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-redirect-blocked-expected.txt	View	1 chunk	+0 lines, -3 lines	0 comments	Download
M	third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/target-for-frame-that-navigates-itself.html	View	1 chunk	+3 lines, -0 lines	0 comments	Download
M	third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp	View	3 chunks	+13 lines, -4 lines	0 comments	Download

Messages

Total messages: 1 (0 generated)

Expand Messages | Collapse Messages

Mike West

4 years, 4 months ago (2016-08-22 07:50:40 UTC) #1

Message was sent while issue was closed.

Committed patchset #1 (id:1) to pending queue manually as
221bd49400935b9042af51a9d729c0b17e1f98a2.

Expand Messages | Collapse Messages