Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 2 users
Status: Fixed
Closed: Apr 6
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature

Sign in to add a comment
CSP: Experiment with 'strict-dynamic'
Project Member Reported by, Feb 24 2016 Back to list
Comment 1 by, Feb 24 2016
Landed most of the feature in Working on whitelists now.
Project Member Comment 2 by, Feb 24 2016
The following revision refers to this bug:

commit bae07c0c3affe8b06d0c29944c54452776add1aa
Author: mkwst <>
Date: Wed Feb 24 10:40:50 2016

CSP3: Disable host-based whitelists in the presence of 'unsafe-dynamic'.

This patch makes `http://host1 nonce-abc 'unsafe-dynamic'` have the same
behavior as `nonce-abc 'unsafe-dynamic'`. Still locked behind the
experimental web platform features flag.

BUG= 589380

Review URL:

Cr-Commit-Position: refs/heads/master@{#377262}


Project Member Comment 4 by, Jun 20 2016
Comment 5 by, Jun 21 2016
Summary: CSP: Experiment with 'strict-dynamic' (was: CSP: Experiment with 'unsafe-dynamic')
Comment 6 by, Jun 21 2016
Blockedon: 621812
Project Member Comment 7 by, Jun 21 2016
Labels: merge-merged-2743
The following revision refers to this bug:

commit 1b3b9e0380264545ef824509be6ccbf87e3397eb
Author: Mike West <>
Date: Tue Jun 21 10:58:55 2016

Rename 'unsafe-dynamic' to 'strict-dynamic'

In line with the spec change and discussion on WebAppSec:

BUG= 589380

Cr-Commit-Position: refs/heads/master@{#400763}
(cherry picked from commit b38a96dd8b5e1deb3d4de631f002630c8735eb00)

Review URL: .

Cr-Commit-Position: refs/branch-heads/2743@{#425}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}


Labels: Needs-Feedback
mkwst@, can this be tested manually so that we can verify the fix at our end ?
If so, please let us know the steps to verify this issue.
Status: Fixed
This landed a while ago, just closing the bug now.
Sign in to add a comment