Chromium Code Reviews

Issue 2797183002: CSP: Allow secure upgrade from an explicitly insecure expression. (Closed)

Created:
3 years, 8 months ago by arthursonzogni
Modified:
3 years, 8 months ago
Reviewers:
CC:
chromium-reviews, darin-cc_chromium.org, jam, andypaicu
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

CSP: Allow secure upgrade from an explicitly insecure expression.

This CL is a suggestion on: https://codereview.chromium.org/2792013002/

---

Content-Security-Policy allows a URL to match a source-expression even if the scheme or the port doesn't match, but in this case it must be an upgrade to a more secure scheme (http->https) and more secure port (80->443). The problem is that it happens independently, so it is allowed to have an upgrade of the port without the scheme (http over 443) or an upgrade of the scheme without the port (https over 80).

This is a change to force the upgrade to be both over port and scheme.

---

BUG=692499, 692442
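The matching rule described above, as an added example (not code from this CL or from Chromium): a simplified C++ model in which the host is assumed to have matched and the source expression spells out both scheme and port. `Origin`, `Match`, `AllowsIndependent` and `AllowsJoint` are hypothetical names.

```cpp
#include <string>

// Simplified model (assumption): host already matched, and the source
// expression names both scheme and port, e.g. "http://example.com:80".
enum class Match { kNone, kExact, kUpgrade };

struct Origin {
  std::string scheme;
  int port;
};

// Scheme matches exactly, or as the http -> https upgrade.
Match MatchScheme(const Origin& expr, const Origin& url) {
  if (expr.scheme == url.scheme) return Match::kExact;
  if (expr.scheme == "http" && url.scheme == "https") return Match::kUpgrade;
  return Match::kNone;
}

// Port matches exactly, or as the 80 -> 443 upgrade.
Match MatchPort(const Origin& expr, const Origin& url) {
  if (expr.port == url.port) return Match::kExact;
  if (expr.port == 80 && url.port == 443) return Match::kUpgrade;
  return Match::kNone;
}

// The problem the description names: each component is judged on its own,
// so "http over 443" and "https over 80" both pass.
bool AllowsIndependent(const Origin& expr, const Origin& url) {
  return MatchScheme(expr, url) != Match::kNone &&
         MatchPort(expr, url) != Match::kNone;
}

// The rule the description asks for: an upgrade only counts when scheme and
// port are upgraded together.
bool AllowsJoint(const Origin& expr, const Origin& url) {
  const Match s = MatchScheme(expr, url);
  const Match p = MatchPort(expr, url);
  if (s == Match::kNone || p == Match::kNone) return false;
  return s == p;  // both exact, or both upgraded
}
```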

Patch Set 1 #

Stats (+81 lines, -39 lines)
M content/common/content_security_policy/csp_context.h: 1 chunk, +2 lines, -1 line, 0 comments
M content/common/content_security_policy/csp_context.cc: 1 chunk, +5 lines, -3 lines, 0 comments
M content/common/content_security_policy/csp_source.cc: 4 chunks, +54 lines, -22 lines, 0 comments
M content/common/content_security_policy/csp_source_list.cc: 1 chunk, +1 line, -1 line, 0 comments
M content/common/content_security_policy/csp_source_unittest.cc: 6 chunks, +19 lines, -12 lines, 0 comments

Messages

Total messages: 4 (3 generated)
andypaicu
3 years, 8 months ago (2017-04-06 09:07:10 UTC) #2

          
