Disable Content-Security-Policy-Report-Only in meta elements
Issue description

Report-Only mode isn't allowed in <meta> tags per CSP 1.1, but we only enforce that when experimental CSP features are enabled. There used to be a UseCounter for report-only in meta, but it got dropped (not clear whether intentionally or unintentionally) in https://chromium.googlesource.com/chromium/src/+/e9932e628fc3055c1f7c0980819d3601adfded24

Presumably we should do one of the following things:
- Add the use counter back in to decide whether we can take this out of experimental mode and remove support for real.
- Dig up institutional memory that remembers that the numbers were low enough back in 2014 that we can just remove support for report-only in meta elements.
- Decide that we can't remove support and remove this code path altogether.
Apr 5 2016
I think we can simply remove it. It's against spec, Firefox doesn't support it, and Edge doesn't support it. WebKit probably does, but we should align with the spec.
Apr 5 2016
Sounds good, thanks. I'll do this once I finish removing support for the invalid directives in meta elements.
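Both things this thread is removing from <meta>-delivered CSP (Report-Only mode, and directives the spec does not allow in meta) are easy to get wrong on the deploying side: a site can believe it is collecting violation reports while the browser silently ignores the element. The following is an added example, not code from this Chromium bug or its patch: a small Node.js audit that extracts <meta http-equiv> elements from a document and flags policies a browser will not honour. The set of directives ignored in meta (report-uri, frame-ancestors, sandbox) is taken from the CSP Level 2 specification, not from this thread; the sample HTML and the function names are constructed for the example.

```javascript
// Added example (not from the Chromium bug or its patch): a static check for
// CSP delivered through <meta http-equiv> in ways browsers ignore.

// Directives that CSP Level 2 says are ignored when the policy is delivered
// in a <meta> element; only an HTTP response header can carry them.
const META_IGNORED_DIRECTIVES = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Minimal <meta> extractor: sufficient for well-formed markup, not a full HTML parser.
// Returns one object of lower-cased attribute names per <meta> element.
function extractMetaElements(html) {
  const metas = [];
  const tagRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      const value = attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4];
      attrs[attr[1].toLowerCase()] = value || "";
    }
    metas.push(attrs);
  }
  return metas;
}

// Audit one HTML document. Returns an array of { severity, message } findings.
function auditMetaCsp(html) {
  const findings = [];
  for (const attrs of extractMetaElements(html)) {
    const equiv = (attrs["http-equiv"] || "").trim().toLowerCase();
    const content = attrs["content"] || "";
    if (equiv === "content-security-policy-report-only") {
      // The whole element is ignored, so no reports will ever be sent.
      findings.push({
        severity: "error",
        message: "Content-Security-Policy-Report-Only in <meta> is ignored by browsers; deliver it as an HTTP response header",
      });
    } else if (equiv === "content-security-policy") {
      // The policy is enforced, but individual header-only directives are dropped.
      for (const directive of content.split(";")) {
        const name = directive.trim().split(/\s+/)[0].toLowerCase();
        if (name && META_IGNORED_DIRECTIVES.has(name)) {
          findings.push({
            severity: "warning",
            message: "directive '" + name + "' is ignored in a <meta> CSP; it only takes effect as an HTTP header",
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample document: one ignored report-only policy and one enforced
// policy that carries a header-only directive.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self'; report-uri /csp-report">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'; script-src 'self'">
</head><body></body></html>`;

for (const f of auditMetaCsp(SAMPLE_HTML)) {
  console.log("[" + f.severity + "] " + f.message);
}
```

Running the block prints one error (the report-only element) and one warning (frame-ancestors inside the enforced meta policy); a document whose CSP is delivered only via headers, or via a meta element without header-only directives, produces no findings.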
Apr 5 2016
Apr 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9f6871d833bca118dfa14d2888afb55e390a90e1

commit 9f6871d833bca118dfa14d2888afb55e390a90e1
Author: estark <estark@chromium.org>
Date: Wed Apr 06 09:29:15 2016

Stop supporting CSP-Report-Only in meta elements

Report-Only mode isn't allowed in <meta> elements per CSP 1.1, and neither Firefox nor Edge supports it. This CL drops support and updates layout tests that were relying on it.

BUG=600513
Review URL: https://codereview.chromium.org/1860193002
Cr-Commit-Position: refs/heads/master@{#385419}

[modify] https://crrev.com/9f6871d833bca118dfa14d2888afb55e390a90e1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
[add] https://crrev.com/9f6871d833bca118dfa14d2888afb55e390a90e1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-in-meta-expected.txt
[add] https://crrev.com/9f6871d833bca118dfa14d2888afb55e390a90e1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-in-meta.html
[modify] https://crrev.com/9f6871d833bca118dfa14d2888afb55e390a90e1/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
Apr 6 2016
Comment 1 by est...@chromium.org, Apr 4 2016