Starred by 12 users
Status: Fixed
Closed: Feb 2017
OS: All
Pri: 2
Type: Bug
CSP 1.1: Get Blink up to spec.
Project Member Reported by mkwst@chromium.org, Jan 17 2014
I would like Blink to implement all of CSP 1.1 while we drive the spec to LCWD. I'll collect the missing bits here.
 
Project Member Comment 1 by bugdroid1@chromium.org, Jan 17 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165317

------------------------------------------------------------------------
r165317 | mkwst@chromium.org | 2014-01-17T16:03:03.466999Z

Changed paths:
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/core.gypi?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle.html?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/virtual/stable/webexposed/global-constructors-listing-expected.txt?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/webexposed/global-constructors-listing-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/DOMSecurityPolicy.h?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi-expected.txt?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.h?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive-expected.txt?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/DOMSecurityPolicy.cpp?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.idl?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom-expected.txt?r1=165317&r2=165316&pathrev=165317
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.cpp?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/SecurityPolicy.idl?r1=165317&r2=165316&pathrev=165317
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom-expected.txt?r1=165317&r2=165316&pathrev=165317

CSP 1.1: Remove the 'SecurityPolicy' interface.

We're dropping the script interface from CSP 1.1 until we can get it right.
Aligning Blink with that decision.

This should have zero web-visible effect, as the feature is still locked
behind the experimental web features flag.

Thread: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0001.html
Change: https://github.com/w3c/webappsec/commit/18882953ce2d8afca25f685557fef0e0471b2c9a

BUG= 335489 

Review URL: https://codereview.chromium.org/132613003
------------------------------------------------------------------------
Project Member Comment 3 by bugdroid1@chromium.org, Jan 20 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165392

------------------------------------------------------------------------
r165392 | mkwst@chromium.org | 2014-01-20T09:10:43.934098Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html?r1=165392&r2=165391&pathrev=165392
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165392&r2=165391&pathrev=165392
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-expected.txt?r1=165392&r2=165391&pathrev=165392
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165392&r2=165391&pathrev=165392
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed-expected.txt?r1=165392&r2=165391&pathrev=165392
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html?r1=165392&r2=165391&pathrev=165392
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/StyleElement.cpp?r1=165392&r2=165391&pathrev=165392

CSP 1.1: Apply hashes to style elements.

Currently we allow hashes only in 'script-src' directives. This patch
adds support for whitelisting hashed inline styles via 'style-src'.

BUG= 335489 
NOTRY=true

Review URL: https://codereview.chromium.org/138033019
------------------------------------------------------------------------
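Added example (not code from the Blink change above or from the issue): how the 'style-src' hash whitelisting in r165392 works from the page author's side. It computes the hash-source for an inline block and checks it against a serialized policy, and goes one step beyond the commit by also applying the CSP Level 2 rule that 'unsafe-inline' is ignored once a hash or nonce source is present. The policy strings and CSS are constructed for the example; `parse_policy`, `hash_source` and `inline_allowed` are names chosen here, not Blink APIs.

```python
import base64
import hashlib

# Hash algorithms a CSP 1.1 hash-source may name.
HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def parse_policy(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), []).extend(parts[1:])
    return directives


def hash_source(content: str, algo: str = "sha256") -> str:
    """Build the hash-source for one inline block, e.g. 'sha256-<base64>'.
    The digest covers exactly the bytes between the opening and closing tag,
    leading/trailing whitespace and newlines included."""
    digest = HASH_ALGOS[algo](content.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def _normalize(source: str) -> str:
    # Keyword and algorithm labels are case-insensitive; base64 payloads are not.
    lowered = source.lower()
    if lowered.startswith("'sha") and "-" in source:
        algo, _, b64 = source.partition("-")
        return algo.lower() + "-" + b64
    if lowered.startswith("'nonce-"):
        return "'nonce-" + source[7:]
    return lowered


def inline_allowed(policy: str, directive: str, content: str) -> bool:
    """Decide whether an inline <style> (directive='style-src') or <script>
    (directive='script-src') block is permitted. Falls back to default-src when
    the specific directive is absent, as the spec does."""
    directives = parse_policy(policy)
    raw = directives.get(directive, directives.get("default-src", []))
    sources = [_normalize(s) for s in raw]
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    # 'unsafe-inline' re-enables all inline content; CSP Level 2 ignores it once a
    # hash or nonce source is present, so listing hashes is never a downgrade.
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return any(hash_source(content, algo) in sources for algo in HASH_ALGOS)


if __name__ == "__main__":
    css = "body { background: #fff; }"  # constructed inline style block
    policy = "default-src 'self'; style-src 'self' " + hash_source(css)
    print(policy)
    print(inline_allowed(policy, "style-src", css))         # True
    print(inline_allowed(policy, "style-src", css + "\n"))  # False: one extra byte
```

The second call in the usage block is the practical caveat: a template engine that re-indents or appends a newline to the style element changes the digest, and the block is then blocked under enforcement, so hashes should be computed from the exact bytes that are served.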
Project Member Comment 4 by bugdroid1@chromium.org, Jan 20 2014
Comment 5 by mkwst@chromium.org, Jan 20 2014
Blockedon: chromium:309551 chromium:327139
Blocking on 309551, and jww's 327139 and 327826.
Comment 6 by mkwst@chromium.org, Jan 20 2014
Blockedon: chromium:327826
Project Member Comment 7 by bugdroid1@chromium.org, Jan 21 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165446

------------------------------------------------------------------------
r165446 | mkwst@chromium.org | 2014-01-21T10:12:57.043585Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/testing/InternalSettings.idl?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/testing/InternalSettings.cpp?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/report-test.js?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/testing/InternalSettings.h?r1=165446&r2=165445&pathrev=165446
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html?r1=165446&r2=165445&pathrev=165446

CSP: Add a mechanism to disable CSP 1.1 for layout tests.

In order to test some changes to report-only for CSP 1.1, we need a
mechanism by which we can disable 1.1 when running layout tests. This
patch adds a flag to 'window.internal.settings', and toggles it off for
report-only tests. This changes the result by removing the
'effective-directive' attribute from the report JSON, which was first
added in 1.1.

BUG= 335489 

Review URL: https://codereview.chromium.org/131103003
------------------------------------------------------------------------
Comment 8 by mkwst@chromium.org, Jan 21 2014
Blockedon: chromium:332283
Comment 9 by mkwst@chromium.org, Jan 21 2014
Blockedon: chromium:336413
Comment 10 by mkwst@chromium.org, Jan 22 2014
Blockedon: chromium:129139
Project Member Comment 11 by bugdroid1@chromium.org, Jan 22 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165522

------------------------------------------------------------------------
r165522 | mkwst@chromium.org | 2014-01-22T11:52:40.084942Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.h?r1=165522&r2=165521&pathrev=165522
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165522&r2=165521&pathrev=165522
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html?r1=165522&r2=165521&pathrev=165522
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.cpp?r1=165522&r2=165521&pathrev=165522
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/WorkerGlobalScope.cpp?r1=165522&r2=165521&pathrev=165522
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165522&r2=165521&pathrev=165522
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt?r1=165522&r2=165521&pathrev=165522

CSP 1.1: Ignore report-only inside <meta>.

This patch pipes the source of a policy through to the CSPDirectiveList,
and uses that information to ignore report-only policies which were
delivered via <meta>. A future CL will also ignore 'report-uri' inside
<meta>, which is why we need to pipe this to the directive list, and not
just to the policy object itself.

Spec: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#html-meta-element
BUG= 335489 

Review URL: https://codereview.chromium.org/143113003
------------------------------------------------------------------------
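Added example (not code from the Blink change above or from the issue): the policy-delivery rules the commit message describes, as a small ingestion routine. A report-only policy delivered through `<meta>` is discarded, 'report-uri' is dropped from a `<meta>` policy (the follow-up the commit announces, per the linked spec section), and, going beyond this commit, 'frame-ancestors' is dropped from `<meta>` too, which is the CSP Level 2 rule since that directive has to be evaluated before the document exists. Prefixed X-WebKit-CSP headers are not honoured. The sample headers and meta elements are constructed; `Policy`, `ingest` and `collect_policies` are names chosen here, not Blink's.

```python
from dataclasses import dataclass, field

# Directives that must not survive delivery via <meta>. Constructed for this example.
META_IGNORED_DIRECTIVES = ("report-uri", "frame-ancestors")


@dataclass
class Policy:
    directives: dict          # directive name -> list of source expressions
    report_only: bool
    delivered_via: str        # "header" or "meta"
    dropped: list = field(default_factory=list)  # directives ignored, worth a console warning


def split_directives(serialized: str) -> dict:
    out = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            out.setdefault(parts[0].lower(), []).extend(parts[1:])
    return out


def ingest(name: str, value: str, delivered_via: str):
    """Return the Policy to install for one response header or one
    <meta http-equiv=...> element, or None when the delivery rules ignore it."""
    name = name.lower()
    if name == "content-security-policy":
        report_only = False
    elif name == "content-security-policy-report-only":
        report_only = True
    else:
        return None  # prefixed X-WebKit-CSP* headers are no longer honoured
    if delivered_via == "meta" and report_only:
        return None  # the spec ignores report-only policies delivered via <meta>
    policy = Policy(split_directives(value), report_only, delivered_via)
    if delivered_via == "meta":
        for directive in META_IGNORED_DIRECTIVES:
            if policy.directives.pop(directive, None) is not None:
                policy.dropped.append(directive)
    return policy


def collect_policies(headers, metas):
    """headers and metas: (name, value) pairs in document order. Every surviving
    policy is enforced independently, so a request must satisfy all of them."""
    policies = []
    for name, value in headers:
        p = ingest(name, value, "header")
        if p is not None:
            policies.append(p)
    for name, value in metas:
        p = ingest(name, value, "meta")
        if p is not None:
            policies.append(p)
    return policies


# Constructed sample input: one real header, one obsolete prefixed header,
# and two <meta http-equiv> elements found while parsing the document.
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; report-uri /csp-report"),
    ("X-WebKit-CSP", "default-src *"),
]
SAMPLE_METAS = [
    ("Content-Security-Policy-Report-Only", "script-src 'none'"),
    ("Content-Security-Policy", "script-src 'self'; report-uri /elsewhere; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for p in collect_policies(SAMPLE_HEADERS, SAMPLE_METAS):
        print(p.delivered_via, "report-only" if p.report_only else "enforce", p.directives, p.dropped)
```

The `dropped` list is what a defender wants surfaced: a page author who puts 'report-uri' or 'frame-ancestors' in a meta element gets no reports and no framing protection, and without a warning that silent no-op is easy to miss in review.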
Comment 12 by mkwst@chromium.org, Jan 22 2014
Blockedon: chromium:336788
Project Member Comment 13 by bugdroid1@chromium.org, Jan 23 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165629

------------------------------------------------------------------------
r165629 | mkwst@chromium.org | 2014-01-23T11:17:28.990438Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-in-frame.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block.html?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/FrameLoader.cpp?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-url-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-crossorigin.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-star-allow.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-star-allow-sameorigin-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors.pl?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-url-block.html?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-star-allow-expected.txt?r1=165629&r2=165628&pathrev=165629
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.h?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt?r1=165629&r2=165628&pathrev=165629
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-url-block-expected.txt?r1=165629&r2=165628&pathrev=165629

CSP 1.1: Implement the 'frame-ancestors' directive.

As defined at [1]. This patch will have no web-visible impact, as the directive
remains trapped behind the runtime flag that's governing all CSP 1.1 hotness.

[1]: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#frame-ancestors
BUG= 129139 , 335489 

Review URL: https://codereview.chromium.org/91353002
------------------------------------------------------------------------
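Added example (not code from the Blink change above or from the issue): the 'frame-ancestors' semantics that the layout tests listed in r165629 exercise, including the nested cases. The point the test names encode is that every ancestor in the frame chain, not only the immediate parent, must match a source expression, so a same-origin parent inside a cross-origin top frame is still blocked by 'self'. Also shown: 'none' versus a top-level document, '*', wildcard hosts, and that the directive does not fall back to default-src. The URLs are constructed; `origin`, `source_matches` and `framing_allowed` are names chosen here, not Blink's.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme, 0))


def source_matches(source: str, ancestor: str, document: str) -> bool:
    """Match one frame-ancestors source expression against one ancestor's URL."""
    s = source.lower()
    if s == "*":
        return True
    if s == "'none'":
        return False
    if s == "'self'":
        return origin(ancestor) == origin(document)
    # host-source: "https://b.example", "http://*.example:8080" or bare "b.example".
    want = urlsplit(s if "://" in s else "//" + s)
    got_scheme, got_host, got_port = origin(ancestor)
    # A source without a scheme matches only the protected document's own scheme.
    if (want.scheme or origin(document)[0]) != got_scheme:
        return False
    host = want.hostname or ""
    if host.startswith("*."):
        if not got_host.endswith(host[1:]):
            return False
    elif host != got_host:
        return False
    return want.port is None or want.port == got_port


def frame_ancestors_sources(policy: str):
    """The directive's source list, or None when the policy carries no
    frame-ancestors at all (it does NOT fall back to default-src)."""
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(policy: str, document: str, ancestors: list) -> bool:
    """ancestors: the frame chain from the document's parent up to the top-level
    page. Every ancestor must match some source; a document with no ancestors is
    top-level and is always allowed."""
    sources = frame_ancestors_sources(policy)
    if sources is None:
        return True
    return all(any(source_matches(s, a, document) for s in sources) for a in ancestors)


if __name__ == "__main__":
    doc = "https://a.example/embedded"  # constructed: the document carrying the policy
    # nested-same-in-cross: same-origin parent, cross-origin top frame
    chain = ["https://a.example/mid", "https://b.example/top"]
    print(framing_allowed("frame-ancestors 'self'", doc, chain))                   # False
    print(framing_allowed("frame-ancestors 'self' https://b.example", doc, chain))  # True
```

When reading the test names in the commit, "cross-in-same" means a cross-origin parent inside a same-origin top frame and "same-in-cross" the reverse; both are blocked by 'self' alone, because the check is over the whole chain.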
Comment 14 by mkwst@chromium.org, Jan 29 2014
Blockedon: chromium:339110
Labels: Cr-Blink-CSP
Blockedon: chromium:326806
Project Member Comment 16 by bugdroid1@chromium.org, Feb 7 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=166703

------------------------------------------------------------------------
r166703 | mkwst@chromium.org | 2014-02-07T12:14:24.554586Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicyResponseHeaders.cpp?r1=166703&r2=166702&pathrev=166703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/prefixed-header-deprecation-warning-expected.txt?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/inspector/console/only-one-deprecation-warning-expected.txt?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.h?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicy.cpp?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/ContentSecurityPolicyResponseHeaders.h?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.cpp?r1=166703&r2=166702&pathrev=166703
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/prefixed-header-deprecation-warning.html?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/inspector/console/only-one-deprecation-warning.html?r1=166703&r2=166702&pathrev=166703
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/UseCounter.cpp?r1=166703&r2=166702&pathrev=166703

CSP 1.1: Remove last bits of 'X-WebKit-CSP'.

We deprecated these prefixed headers in M32. Let's get rid of them entirely.

BUG= 335489 ,307404

Review URL: https://codereview.chromium.org/149953007
------------------------------------------------------------------------
Project Member Comment 17 by bugdroid1@chromium.org, Feb 14 2014
Labels: -Cr-Blink
Removing Cr-Blink from issues that already have Cr-Blink sub-label set.
Comment 19 by tkent@chromium.org, Feb 19 2016
Components: -Blink>CSP Blink>SecurityFeature
Comment 20 by mkwst@chromium.org, Feb 23 2017
Status: Fixed