
Issue 589380


Issue metadata

Status: Fixed
Closed: Apr 2017
OS: All
Pri: 2
Type: Feature


CSP: Experiment with 'strict-dynamic'

Project Member Reported by, Feb 24 2016

Issue description

Comment 1 by, Feb 24 2016

Landed most of the feature in Working on whitelists now.

Comment 2 by, Feb 24 2016

The following revision refers to this bug:

commit bae07c0c3affe8b06d0c29944c54452776add1aa
Author: mkwst <>
Date: Wed Feb 24 10:40:50 2016

CSP3: Disable host-based whitelists in the presence of 'unsafe-dynamic'.

This patch makes `http://host1 nonce-abc 'unsafe-dynamic'` have the same
behavior as `nonce-abc 'unsafe-dynamic'`. Still locked behind the
experimental web platform features flag.

BUG= 589380

Review URL:

Cr-Commit-Position: refs/heads/master@{#377262}
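
The source-list behaviour described in the commit message above, as an added example that is not part of the original thread or of Chromium's code: a small audit helper that reports which `script-src` entries stop counting once the dynamic keyword is present. The function names and sample policies are constructed for illustration, and treating `'self'` and `'unsafe-inline'` as ignored goes beyond the commit message and follows the CSP3 specification text.

```javascript
// Added example: effectiveScriptSources() is a hypothetical audit helper,
// not a Chromium or browser API. Policies below are constructed samples.
const DYNAMIC = new Set(["'strict-dynamic'", "'unsafe-dynamic'"]); // current and pre-rename keyword
const IGNORED_KEYWORDS = new Set(["'self'", "'unsafe-inline'"]);

// Split a serialized policy into a directive-name -> source-list map.
function parseDirectives(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which script sources still count once the dynamic keyword is present.
function effectiveScriptSources(policy) {
  const directives = parseDirectives(policy);
  const list = directives.get('script-src') || directives.get('default-src') || [];
  const dynamic = list.some((s) => DYNAMIC.has(s.toLowerCase()));
  if (!dynamic) return { dynamic, kept: list.slice(), ignored: [] };
  const kept = [];
  const ignored = [];
  for (const src of list) {
    // Host, scheme and wildcard sources are the unquoted expressions.
    const quoted = src.startsWith("'") && src.endsWith("'");
    if (!quoted || IGNORED_KEYWORDS.has(src.toLowerCase())) ignored.push(src);
    else kept.push(src);
  }
  return { dynamic, kept, ignored };
}

const sample = "script-src http://host1 https: 'self' 'nonce-abc' 'strict-dynamic'";
console.log(effectiveScriptSources(sample));
```

A non-empty `ignored` list on a deployed policy means those entries only take effect in browsers that do not support the keyword, so they should be reviewed as a fallback rather than as part of the enforced allowlist.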



Comment 4 by, Jun 20 2016

Comment 5 by, Jun 21 2016

Summary: CSP: Experiment with 'strict-dynamic' (was: CSP: Experiment with 'unsafe-dynamic')

Comment 6 by, Jun 21 2016

Blockedon: 621812

Comment 7 by, Jun 21 2016

Labels: merge-merged-2743
The following revision refers to this bug:

commit 1b3b9e0380264545ef824509be6ccbf87e3397eb
Author: Mike West <>
Date: Tue Jun 21 10:58:55 2016

Rename 'unsafe-dynamic' to 'strict-dynamic'

In line with the spec change and discussion on WebAppSec:

BUG= 589380

Cr-Commit-Position: refs/heads/master@{#400763}
(cherry picked from commit b38a96dd8b5e1deb3d4de631f002630c8735eb00)

Review URL: .

Cr-Commit-Position: refs/branch-heads/2743@{#425}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}


Labels: Needs-Feedback
mkwst@, can this be tested manually so that we can verify the fix at our end?
If so, please let us know the steps to verify this issue.
Status: Fixed (was: Started)
This landed a while ago, just closing the bug now.
