Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(115)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies. (Closed)

Created:
4 years, 2 months ago by Mike West
Modified:
4 years, 2 months ago
CC:
blink-reviews, blink-reviews-dom_chromium.org, blink-reviews-html_chromium.org, blink-worker-reviews_chromium.org, chromium-reviews, dglazkov+blink, eae+blinkwatch, falken, gavinp+loader_chromium.org, horo+watch_chromium.org, Nate Chapin, kinuko+worker_chromium.org, kinuko+watch, loading-reviews+parser_chromium.org, loading-reviews_chromium.org, loading-reviews+fetch_chromium.org, rwlbuis, shimazu+worker_chromium.org, sof, tyoshino+watch_chromium.org, Yoav Weiss
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Fix 'strict-dynamic' with multiple policies. The checks we wrote for 'strict-dynamic' fail to allow dynamically- injected scripts if more than one policy is present. This patch addresses that by delegating the dynamic check to 'ContentSecurityPolicy' (rather than bypassing CSP entirely from 'ScriptLoader'). Most of the patch is just piping the "Was this parser-inserted?" bit from 'ScriptLoader::fetchScript' to 'CSPDirectiveList::allowScriptFromSource'. to another. BUG=653511 Committed: https://crrev.com/cbb622f22b8e8c42e509fa7e1229382ceb0b0b14 Cr-Commit-Position: refs/heads/master@{#423557}

Patch Set 1 #

Total comments: 2

Patch Set 2 : Tests compile. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+232 lines, -348 lines) Patch
D third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic.html View 1 chunk +0 lines, -170 lines 0 comments Download
D third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-whitelist.html View 1 chunk +0 lines, -52 lines 0 comments Download
A + third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic/script-src-multiple-allowed.php View 7 chunks +9 lines, -7 lines 0 comments Download
A + third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic/script-src-strict-dynamic.html View 0 chunks +-1 lines, --1 lines 0 comments Download
A + third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic/script-src-strict-dynamic-whitelist.html View 0 chunks +-1 lines, --1 lines 0 comments Download
M third_party/WebKit/Source/core/dom/ScriptLoader.cpp View 1 3 chunks +11 lines, -16 lines 0 comments Download
M third_party/WebKit/Source/core/fetch/FetchRequest.h View 1 chunk +4 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h View 7 chunks +13 lines, -3 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h View 1 2 chunks +2 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp View 1 2 chunks +6 lines, -0 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp View 1 6 chunks +6 lines, -6 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h View 1 4 chunks +3 lines, -1 line 0 comments Download
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp View 1 8 chunks +65 lines, -17 lines 0 comments Download
M third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp View 1 19 chunks +109 lines, -74 lines 0 comments Download
M third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp View 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/loader/FrameFetchContext.cpp View 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/Source/core/loader/HttpEquiv.cpp View 1 2 chunks +2 lines, -2 lines 0 comments Download
M third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp View 1 chunk +2 lines, -1 line 0 comments Download

Messages

Total messages: 19 (10 generated)
Mike West
This needs more tests, but WDYT about the direction?
4 years, 2 months ago (2016-10-06 13:07:34 UTC) #4
mikispag
On 2016/10/06 13:07:34, Mike West wrote: > This needs more tests, but WDYT about the ...
4 years, 2 months ago (2016-10-06 13:45:37 UTC) #7
jochen (gone - plz use gerrit)
yeah, looks reasonable https://codereview.chromium.org/2401573003/diff/1/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h File third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h (right): https://codereview.chromium.org/2401573003/diff/1/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h#newcode72 third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h:72: enum ParserDisposition { ParserInserted, NotParserInserted }; ...
4 years, 2 months ago (2016-10-06 14:00:08 UTC) #8
Mike West
> On 2016/10/06 13:07:34, Mike West wrote: > Please test it on https://poc.miki.it/strict-dynamic-tests/ . Please ...
4 years, 2 months ago (2016-10-06 14:37:24 UTC) #9
Mike West
Ok, looks better now. This passes the tests at https://poc.miki.it/strict-dynamic-tests/, with the exception of https://poc.miki.it/strict-dynamic-tests/strict-dynamic-double-enforcing-with-whitelist.php, ...
4 years, 2 months ago (2016-10-06 14:47:15 UTC) #12
jochen (gone - plz use gerrit)
lgtm
4 years, 2 months ago (2016-10-06 14:50:35 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2401573003/20001
4 years, 2 months ago (2016-10-06 16:07:06 UTC) #16
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 2 months ago (2016-10-06 16:23:47 UTC) #17
commit-bot: I haz the power
4 years, 2 months ago (2016-10-06 16:25:24 UTC) #19
Message was sent while issue was closed. 
Patchset 2 (id:??) landed as
https://crrev.com/cbb622f22b8e8c42e509fa7e1229382ceb0b0b14
Cr-Commit-Position: refs/heads/master@{#423557}

Powered by Google App Engine
This is Rietveld 408576698