Description was changed from
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox.
BUG=513860
R=jochen@chromium.org
==========
to
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org
==========
Dry run: Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_asan_rel_ng/builds/256612)
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/dom/Document.cpp (right):
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/dom/Document.cpp:5427: // those URLs as
'about:blank' in Blink.
So I'm not sure what we /should/ do, but some interesting scenarios:
One thing Blink gets wrong is the origin of about:blank: it's supposed to be
inherited from the initiator, not the parent. I do plan on fixing this at some
point; at that point, does it make sense for CSP to inherit from the parent or
the initiator?
Similarly, for blob and filesystem URLs: they could be different origin from the
parent frame, right? So should they be inheriting the CSP from their creator or
their parent?
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/dom/Document.cpp:5431: m_url.protocolIs("blob")
|| m_url.protocolIs("data")) {
I notice filesystem isn't in this list, though it's in the comment.
Mike West
The CQ bit was checked by mkwst@chromium.org to run a CQ dry run
4 years, 1 month ago
(2016-11-18 11:02:57 UTC)
#10
4 years, 1 month ago
(2016-11-18 11:06:23 UTC)
#12
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/dom/Document.cpp (right):
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/dom/Document.cpp:5427: // those URLs as
'about:blank' in Blink.
On 2016/11/04 at 18:11:28, dcheng wrote:
> So I'm not sure what we /should/ do, but some interesting scenarios:
>
> One thing Blink gets wrong is the origin of about:blank: it's supposed to be
> inherited from the initiator, not the parent. I do plan on fixing this at some
> point; at that point, does it make sense for CSP to inherit from the parent or
> the initiator?
As currently specified, I think we'd end up inheriting from the parent. I think
I agree with your implication that we ought instead inherit from the navigation
initiator.
Today, though, we inherit from neither: that's certainly wrong, and I'd like to
fix it, as it's a fairly straightforward bypass.
> Similarly, for blob and filesystem URLs: they could be different origin from
> the parent frame, right?
Can they? I thought we blocked navigation to cross-origin blob:/filesystem:
URLs.
> So should they be inheriting the CSP from their creator or their parent?
Same answer as above.
https://codereview.chromium.org/2472333003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/dom/Document.cpp:5431: m_url.protocolIs("blob")
|| m_url.protocolIs("data")) {
On 2016/11/04 at 18:11:27, dcheng wrote:
> I notice filesystem isn't in this list, though it's in the comment.
I had `data:` twice, though, so that's got to count for something. :)
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
4 years, 1 month ago
(2016-11-18 11:53:18 UTC)
#13
Dry run: Try jobs failed on following builders: mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/338618)
4 years, 1 month ago
(2016-11-18 11:53:19 UTC)
#14
4 years, 1 month ago
(2016-11-18 17:18:42 UTC)
#18
Dry run: This issue passed the CQ dry run.
dcheng
4 years, 1 month ago
(2016-11-21 10:14:24 UTC)
#19
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html (right):
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html:27:
" var i = document.createElement('img');" +
A fun hack I've seen is to define the JS as a function and interpolate it like
this:

    "data:text/html,<script>(" +
    function () {
      var i = ...;
    } +
    ")();</scr" + "ipt>";
Which is kind of nice, because you get actual syntax highlighting (and escaping
is easier). Not really important here, but thought I'd mention it!
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt (left):
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt:1:
CONSOLE MESSAGE: Blink Test Plugin: initializing
Is this test diff expected? I would have expected this message to still show up,
but perhaps I'm missing something.
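The interpolation trick dcheng describes, written out as an added example that is not part of this review or of the CL's test: `buildDataUrl` stringifies a real function into a data: URL, and `frameScript` with its `report` hook is a constructed stand-in for the test's own probe code.

```javascript
// Added example: build a data: URL for an <iframe> from a real function,
// the way dcheng describes above. The frame's script stays syntax-checked
// and highlighted, and nothing inside it has to be hand-escaped.
function buildDataUrl(fn) {
  // Function.prototype.toString yields the function's source text, so
  // "(" + fn + ")();" is an immediately-invoked copy of it. The closing
  // tag is written as "</scr" + "ipt>" so that the literal "</script>"
  // never appears inside the *outer* page's <script> element, where the
  // HTML parser would otherwise terminate that element early.
  // Caveat: a '#' in the function body would start the URL fragment;
  // wrap the payload in encodeURIComponent() if the body needs one.
  return "data:text/html,<script>(" + fn + ")();</scr" + "ipt>";
}

// Constructed frame content, modelled on the cascade test's image probe:
// whether the load is blocked tells the test if the parent's img-src
// policy applied to the data: frame. `report` is a hypothetical hook
// standing in for the test's own result plumbing; it is never run here.
function frameScript() {
  var i = document.createElement('img');
  i.onload = function () { report('image loaded'); };
  i.onerror = function () { report('image blocked'); };
  i.src = '/placeholder.png';
  document.body.appendChild(i);
}

// Recover the inline script from the URL so a test can assert on it.
function extractScript(dataUrl) {
  var m = /^data:text\/html,<script>([\s\S]*)<\/script>$/.exec(dataUrl);
  return m ? m[1] : null;
}

console.log(buildDataUrl(frameScript));
```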
Mike West
The CQ bit was checked by mkwst@chromium.org to run a CQ dry run
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html (right):
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin.html:27:
" var i = document.createElement('img');" +
On 2016/11/21 at 10:14:24, dcheng wrote:
> A fun hack I've seen is to define the JS as a function and interpolate it like
> this:
>
>     "data:text/html,<script>(" +
>     function () {
>       var i = ...;
>     } +
>     ")();</scr" + "ipt>";
>
> Which is kind of nice, because you get actual syntax highlighting (and
> escaping is easier). Not really important here, but thought I'd mention it!
*sigh* JavaScript is SO WEIRD.
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
File third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt (left):
https://codereview.chromium.org/2472333003/diff/40001/third_party/WebKit/Layo...
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt:1:
CONSOLE MESSAGE: Blink Test Plugin: initializing
On 2016/11/21 at 10:14:24, dcheng wrote:
> Is this test diff expected? I would have expected this message to still show
> up, but perhaps I'm missing something.
Sorry, I missed this comment, and was about to hop back into this bug to ping
you!
I typo'd the address; `plugins/` should be `/plugins/`. :)
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
Description was changed from
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org
==========
to
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org, dcheng@chromium.org
==========
Description was changed from
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org, dcheng@chromium.org
==========
to
==========
CSP: "local schemes" should inherit policy when embedded.
https://w3c.github.io/webappsec-csp/#initialize-document-csp mandates
that resources with "local schemes" ('data:', 'blob:', 'filesystem:',
'about:') inherit the policy of their embedding context when pulled in
via an '<iframe>'.
I'm pretty sure this worked at some point in the past, but I apparently
didn't put a test on it. It does work in Firefox. Let's match their
behavior and lock it in.
BUG=513860
R=jochen@chromium.org, dcheng@chromium.org
Committed: https://crrev.com/e82aced182b4fe7ac99437943a7c39238796c1d9
Cr-Commit-Position: refs/heads/master@{#435165}
==========
commit-bot: I haz the power
Patchset 4 (id:??) landed as https://crrev.com/e82aced182b4fe7ac99437943a7c39238796c1d9 Cr-Commit-Position: refs/heads/master@{#435165}
Issue 2472333003: CSP: "local schemes" should inherit policy when embedded.
(Closed)
Created 4 years, 1 month ago by Mike West
Modified 4 years ago
Reviewers: jochen (gone - plz use gerrit), dcheng
Comments: 8