Issue 589380 CSP: Experiment with 'strict-dynamic'
Starred by 2 users Project Member Reported by mkwst@chromium.org, Feb 24 2016
Status: Fixed
Closed: Apr 6
OS: All
Pri: 2
Type: Feature

Comment 1 by mkwst@chromium.org, Feb 24 2016
Landed most of the feature in https://codereview.chromium.org/1641533006. Working on whitelists now.
Project Member Comment 2 by bugdroid1@chromium.org, Feb 24 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bae07c0c3affe8b06d0c29944c54452776add1aa

commit bae07c0c3affe8b06d0c29944c54452776add1aa
Author: mkwst <mkwst@chromium.org>
Date: Wed Feb 24 10:40:50 2016

CSP3: Disable host-based whitelists in the presence of 'unsafe-dynamic'.

This patch makes `http://host1 nonce-abc 'unsafe-dynamic'` have the same
behavior as `nonce-abc 'unsafe-dynamic'`. Still locked behind the
experimental web platform features flag.

BUG= 589380 
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1730123002

Cr-Commit-Position: refs/heads/master@{#377262}

[add] https://crrev.com/bae07c0c3affe8b06d0c29944c54452776add1aa/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic-whitelist.html
[modify] https://crrev.com/bae07c0c3affe8b06d0c29944c54452776add1aa/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Project Member Comment 4 by bugdroid1@chromium.org, Jun 20 2016
Comment 5 by mkwst@chromium.org, Jun 21 2016
Summary: CSP: Experiment with 'strict-dynamic' (was: CSP: Experiment with 'unsafe-dynamic')
Comment 6 by mkwst@chromium.org, Jun 21 2016
Blockedon: 621812
Project Member Comment 7 by bugdroid1@chromium.org, Jun 21 2016
Labels: merge-merged-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1b3b9e0380264545ef824509be6ccbf87e3397eb

commit 1b3b9e0380264545ef824509be6ccbf87e3397eb
Author: Mike West <mkwst@google.com>
Date: Tue Jun 21 10:58:55 2016

Rename 'unsafe-dynamic' to 'strict-dynamic'

In line with the spec change and discussion on WebAppSec:
https://github.com/w3c/webappsec-csp/commit/3476890664ada8efe2122301e6a4901cb12b520e

BUG= 589380 
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2082613002
Cr-Commit-Position: refs/heads/master@{#400763}
(cherry picked from commit b38a96dd8b5e1deb3d4de631f002630c8735eb00)

Review URL: https://codereview.chromium.org/2083983002 .

Cr-Commit-Position: refs/branch-heads/2743@{#425}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[rename] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-whitelist.html
[rename] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic.html
[modify] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
[modify] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/Source/core/frame/csp/CSPSourceList.h
[modify] https://crrev.com/1b3b9e0380264545ef824509be6ccbf87e3397eb/third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp
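
Added example, not part of this thread or of the Chromium patches: a simplified JavaScript model of the behaviour the two commit messages above describe, where host-based sources in `script-src` stop counting once `'strict-dynamic'` (formerly `'unsafe-dynamic'`) is present. The function names, the script object shape and the sample URLs are assumptions made for the illustration, and nonces are written in the quoted header form `'nonce-abc'`.

```javascript
// Simplified model of script-src evaluation for external scripts.
// Added illustration, not Blink's CSPDirectiveList/CSPSourceList code.
function parseScriptSrc(value) {
  const list = { nonces: new Set(), origins: [], strictDynamic: false };
  for (const token of value.trim().split(/\s+/)) {
    const nonce = /^'nonce-(.+)'$/i.exec(token);
    if (nonce) list.nonces.add(nonce[1]);
    else if (token.toLowerCase() === "'strict-dynamic'") list.strictDynamic = true;
    else if (token.includes("://")) list.origins.push(new URL(token).origin);
    // Other keywords, wildcards and path matching are outside this model.
  }
  return list;
}

// script: { url, nonce, parserInserted } (hypothetical shape for this example)
function allowsScript(list, script) {
  if (script.nonce && list.nonces.has(script.nonce)) return true;
  if (list.strictDynamic) {
    // Host expressions are ignored; per CSP3, only scripts that are not
    // parser-inserted (loaded by an already trusted script) pass.
    return !script.parserInserted;
  }
  return list.origins.includes(new URL(script.url).origin);
}

// Constructed sample requests.
const SAMPLES = {
  hostListedTag: { url: "http://host1/a.js", nonce: null, parserInserted: true },
  noncedTag: { url: "http://other.example/b.js", nonce: "abc", parserInserted: true },
  injectedByTrusted: { url: "http://other.example/c.js", nonce: null, parserInserted: false },
};

// Returns the allow/block decision for every sample under one policy value.
function decisions(policy) {
  const list = parseScriptSrc(policy);
  const out = {};
  for (const [name, script] of Object.entries(SAMPLES)) out[name] = allowsScript(list, script);
  return out;
}

console.log(decisions("http://host1 'nonce-abc' 'strict-dynamic'"));
console.log(decisions("'nonce-abc' 'strict-dynamic'"));
console.log(decisions("http://host1 'nonce-abc'"));
```

The first two policies produce identical decisions, while the third (no `'strict-dynamic'`) is the only one that lets the un-nonced `http://host1/a.js` tag through on the strength of its host entry.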

Labels: Needs-Feedback
mkwst@, can this be tested manually so that we can verify the fix at our end?
If so, please let us know the steps to verify this issue.
Status: Fixed
This landed a while ago, just closing the bug now.