New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 594645 link

Starred by 1 user
Status: Fixed
Owner:
est...@chromium.org
Closed: Apr 2016
Cc:
mkwst@chromium.org
alex...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Stop supporting CSP sandbox directive in meta-tag delivered policies

Project Member Reported by est...@chromium.org, Mar 14 2016 
ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext() currently doesn't distinguish <meta>-delivered policies from header-delivered policies, so in the case of a dynamically-added policy that specifies a sandbox directive, the page's origin can be updated after commit. This is weird, and according to https://www.w3.org/TR/CSP2/#delivery-html-meta-element, sandbox directives should be ignored in policies delivered via meta tags. We should strip out sandbox directives so that a page's origin can't be changed by a meta tag after commit.

Comment 1 by alex...@chromium.org, Mar 15 2016 

The spec also says that report-uri and frame-ancestors directives are not supposed to be supported in CSP meta tags.  Perhaps we can go one step further and rip all three out?  Mike, is there any reason why we'd want to keep support for any of these things?
Project Member

Comment 2 by bugdroid1@chromium.org, Apr 5 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a

commit f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a
Author: estark <estark@chromium.org>
Date: Tue Apr 05 17:05:58 2016

Stop supporting invalid CSP directives in meta tags

https://www.w3.org/TR/CSP2/#delivery-html-meta-element says that
frame-ancestors, sandbox, and report-uri should be discarded when
parsing Content Security Policies delivered in meta elements. This CL
changes CSPDirectiveList to discard such directives, log to the console
upon encountering them, and increment a UseCounter so we can see if this
breaks the web badly.

A bunch of layout tests used meta elements to set report-uris, so this
CL also updates these tests to deliver their CSPs in headers instead.

BUG= 594645 

Review URL: https://codereview.chromium.org/1835463002

Cr-Commit-Position: refs/heads/master@{#385199}

[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/navigation/pushstate-at-unique-origin-denied.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/navigation/pushstate-whitelisted-at-unique-origin-denied.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.php
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/invalid-meta-directives-expected.txt
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/invalid-meta-directives.html
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.php
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html
[add] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/xmlhttprequest-protected-resource-does-not-crash.html
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/sandbox-iframe-allows-modals.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/sandbox-iframe-blocks-modals.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/sandbox-inherit-to-blank-document-unsandboxed-navigate.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/sandbox-inherit-to-blank-document-unsandboxed.php
[rename] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/security/sandbox-inherit-to-blank-document.php
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/LayoutTests/http/tests/serviceworker/ServiceWorkerGlobalScope/extendable-message-event.html
[delete] https://crrev.com/f2979127c4951011a74f00fab8fdff94d87952de/third_party/WebKit/LayoutTests/http/tests/serviceworker/ServiceWorkerGlobalScope/resources/extendable-message-event-sandboxed-iframe.html
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/f5c8a2b4ed6b3a3cb3bd148f5ede561419b1e40a/tools/metrics/histograms/histograms.xml

Comment 3 by est...@chromium.org, Apr 5 2016

Labels: M-51
Status: Fixed (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 2 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4cb0660612a54a4dbdf5c18cdec3afc0d8661009

commit 4cb0660612a54a4dbdf5c18cdec3afc0d8661009
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Sat Dec 02 02:39:44 2017

Remove FrameHostMsg_UpdateToUniqueOrigin IPC

According to TODO comments, it can be removed as  Issue 594645 
was already closed as fixed.

Bug:  594645 ,  779730 
Change-Id: I2e7c2722023624d580a4f300c4aa520f2be895ab
Reviewed-on: https://chromium-review.googlesource.com/794016
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521185}
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/content/common/frame_messages.h
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/content/renderer/render_frame_impl.h
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.h
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/third_party/WebKit/Source/core/frame/LocalFrameClient.h
[modify] https://crrev.com/4cb0660612a54a4dbdf5c18cdec3afc0d8661009/third_party/WebKit/public/web/WebFrameClient.h

Sign in to add a comment