Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(18)

Issue 2792013002: Stop CSP from matching independent scheme/port upgrades (content layer) (Closed)

Created:
3 years, 8 months ago by andypaicu
Modified:
3 years, 8 months ago
CC:
chromium-reviews, darin-cc_chromium.org, jam
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

Stop CSP from matching independent scheme/port upgrades (content layer) Made the changes necessary in content to mimic the behaviour of https://codereview.chromium.org/2708873002 Copied from there: "Content-Security-Policy allows an url to match a source-expression even if the scheme or the port doesn't matches, but in this case it must be an upgrade to a more secure scheme(http->https) and more secure port(80->443). The problem is that it happens independently, so it is allowed to have an upgrade of the port without the scheme (http over 443) or an upgrade of the scheme without the port (https over 80). This is a change to force the upgrade to be both over port and scheme." BUG=692499, 692442 Review-Url: https://codereview.chromium.org/2792013002 Cr-Commit-Position: refs/heads/master@{#463570} Committed: https://chromium.googlesource.com/chromium/src/+/76108c2bf3ad1a4bac901ad99230f58faf87bc4b

Patch Set 1 #

Total comments: 25

Patch Set 2 : CR changes #

Patch Set 3 : Format changes #

Unified diffs Side-by-side diffs Delta from patch set Stats (+113 lines, -36 lines) Patch
M content/common/content_security_policy/csp_context.h View 1 1 chunk +2 lines, -1 line 0 comments Download
M content/common/content_security_policy/csp_context.cc View 2 1 chunk +5 lines, -3 lines 0 comments Download
M content/common/content_security_policy/csp_source.cc View 1 2 4 chunks +87 lines, -22 lines 0 comments Download
M content/common/content_security_policy/csp_source_list.cc View 1 1 chunk +1 line, -1 line 0 comments Download
M content/common/content_security_policy/csp_source_unittest.cc View 1 5 chunks +18 lines, -9 lines 0 comments Download

Messages

Total messages: 46 (22 generated)
andypaicu
Hi Arthur, As discussed over e-mail: here is a code review for two of the ...
3 years, 8 months ago (2017-04-03 14:41:12 UTC) #5
arthursonzogni
On 2017/04/03 14:41:12, andypaicu wrote: > Hi Arthur, > > As discussed over e-mail: here ...
3 years, 8 months ago (2017-04-04 09:00:24 UTC) #9
andypaicu
On 2017/04/04 at 09:00:24, arthursonzogni wrote: > On 2017/04/03 14:41:12, andypaicu wrote: > > Hi ...
3 years, 8 months ago (2017-04-04 09:26:43 UTC) #10
arthursonzogni
Hi Andy, Here is the example I was talking about: https://codereview.chromium.org/2797183002 Andy & Mike, please ...
3 years, 8 months ago (2017-04-05 12:14:55 UTC) #11
andypaicu
Hi Arthur, This is a good example and it only needs a tiny improvement Consider ...
3 years, 8 months ago (2017-04-06 09:05:51 UTC) #12
Mike West
This change LGTM once arthursonzogni@ is happy. I'd like to see a layout test that ...
3 years, 8 months ago (2017-04-06 10:28:40 UTC) #13
arthursonzogni
On 2017/04/06 09:05:51, andypaicu wrote: > Hi Arthur, > > This is a good example ...
3 years, 8 months ago (2017-04-06 15:05:00 UTC) #14
andypaicu
On 2017/04/06 at 15:05:00, arthursonzogni wrote: > On 2017/04/06 09:05:51, andypaicu wrote: > > Hi ...
3 years, 8 months ago (2017-04-06 15:43:59 UTC) #15
arthursonzogni
On 2017/04/06 15:43:59, andypaicu wrote: > On 2017/04/06 at 15:05:00, arthursonzogni wrote: > > On ...
3 years, 8 months ago (2017-04-06 15:57:52 UTC) #16
Mike West
I talked with Andy briefly about this this morning: The central motivation for allowing upgrades ...
3 years, 8 months ago (2017-04-07 07:20:28 UTC) #17
arthursonzogni
On 2017/04/07 07:20:28, Mike West (OOO until 4th) wrote: > I talked with Andy briefly ...
3 years, 8 months ago (2017-04-07 09:20:27 UTC) #18
andypaicu
https://codereview.chromium.org/2792013002/diff/1/content/common/content_security_policy/csp_source.cc File content/common/content_security_policy/csp_source.cc (right): https://codereview.chromium.org/2792013002/diff/1/content/common/content_security_policy/csp_source.cc#newcode43 content/common/content_security_policy/csp_source.cc:43: url.SchemeIs(url::kHttpsScheme)) || On 2017/04/07 at 09:20:27, arthursonzogni wrote: > ...
3 years, 8 months ago (2017-04-07 11:34:24 UTC) #21
arthursonzogni
Thanks LGTM!
3 years, 8 months ago (2017-04-10 09:00:33 UTC) #24
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2792013002/20001
3 years, 8 months ago (2017-04-10 09:07:52 UTC) #27
commit-bot: I haz the power
Try jobs failed on following builders: chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/406604)
3 years, 8 months ago (2017-04-10 09:13:56 UTC) #29
arthursonzogni
On 2017/04/10 09:13:56, commit-bot: I haz the power wrote: > Try jobs failed on following ...
3 years, 8 months ago (2017-04-10 09:22:25 UTC) #30
arthursonzogni
On 2017/04/10 09:22:25, arthursonzogni wrote: > On 2017/04/10 09:13:56, commit-bot: I haz the power wrote: ...
3 years, 8 months ago (2017-04-10 09:24:00 UTC) #31
andypaicu
On 2017/04/10 at 09:24:00, arthursonzogni wrote: > On 2017/04/10 09:22:25, arthursonzogni wrote: > > On ...
3 years, 8 months ago (2017-04-10 10:06:23 UTC) #34
arthursonzogni
On 2017/04/10 10:06:23, andypaicu wrote: > On 2017/04/10 at 09:24:00, arthursonzogni wrote: > > On ...
3 years, 8 months ago (2017-04-10 11:52:38 UTC) #35
jochen (gone - plz use gerrit)
Mike, can you add yourself as owner for that dir? lgtm..
3 years, 8 months ago (2017-04-10 12:51:26 UTC) #36
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2792013002/40001
3 years, 8 months ago (2017-04-10 13:37:34 UTC) #39
commit-bot: I haz the power
Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_ozone_rel_ng/builds/358519)
3 years, 8 months ago (2017-04-10 14:31:43 UTC) #41
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2792013002/40001
3 years, 8 months ago (2017-04-11 07:58:05 UTC) #43
commit-bot: I haz the power
3 years, 8 months ago (2017-04-11 08:04:51 UTC) #46
Message was sent while issue was closed.
Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/chromium/src/+/76108c2bf3ad1a4bac901ad99230...

Powered by Google App Engine
This is Rietveld 408576698