
Issue 613956


Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Feature




'block-all-mixed-content' and 'upgrade-insecure-requests' violation reports.

Reported by mkwst@chromium.org (Project Member), May 23 2016

Issue description

As of https://github.com/w3c/webappsec-mixed-content/commit/e9c559c6672e3219a0c1f6f4f7c5c187f3d51377, 'block-all-mixed-content' generates violation reports. Chrome should implement.
 
Comment 2 by bugdroid1@chromium.org (Project Member), May 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b74280c04ed4eeee89c9da257c4cee86afdfd1d

commit 8b74280c04ed4eeee89c9da257c4cee86afdfd1d
Author: mkwst <mkwst@chromium.org>
Date: Thu May 26 10:52:17 2016

Generate CSP violation reports for 'block-all-mixed-content'

As of https://github.com/w3c/webappsec-mixed-content/commit/e9c559c6672e3219a0c1f6f4f7c5c187f3d51377,
'block-all-mixed-content' generates violation reports. This patch implements that functionality.

BUG=613956

Review-Url: https://codereview.chromium.org/2002003002
Cr-Commit-Position: refs/heads/master@{#396155}

[delete] https://crrev.com/9a1916358318e35f8045864784dc757bfb617eee/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https-expected.txt
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
[add] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-no-policy.https.html
[add] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/8b74280c04ed4eeee89c9da257c4cee86afdfd1d/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp

Hey Mike, 

What would the value of violated-directive be in this scenario? 

Can we expect to see things like default-src/script-src or block-all-mixed-content? 

Cheers!

Comment 4 by mkwst@chromium.org, May 30 2016

Summary: 'block-all-mixed-content' and 'upgrade-insecure-requests' violation reports. (was: 'block-all-mixed-content' violation reports.)
> What would the value of violated-directive be in this scenario?

`block-all-mixed-content`

I plan to add something similar for 'upgrade-insecure-requests' shortly.
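Comment 4 answers the question about the report payload: for a blocked mixed-content fetch the report's violated-directive is the bare directive name `block-all-mixed-content`, not a source-list directive such as img-src or default-src. What that means for whoever receives the reports is shown below. This is an added example, not code from the issue, the patch or the Mixed Content spec: a small collector-side parser over the CSP report JSON (the "csp-report" wrapper with "violated-directive", "blocked-uri" and "document-uri" fields), which recognises the two mixed-content directives named in this issue and, because a report endpoint accepts input from anyone, cross-checks the claim against the URI schemes before counting it. The scheme consistency check is an assumption of this example, not behaviour the issue describes, and every sample report body is constructed rather than captured from a browser.

```javascript
// Added example (not from the Chromium issue, the patch or the spec): the
// receiving side of a CSP violation report. Field names follow the CSP
// "csp-report" JSON shape; the sample bodies are constructed, not captured.

const MIXED_CONTENT_DIRECTIVES = new Set([
  "block-all-mixed-content",
  "upgrade-insecure-requests",
]);

// Parse one report body. Returns null for anything that is not a well-formed
// CSP report: the endpoint is reachable by anyone, so nothing here is trusted.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  // "violated-directive" carries the directive name; for source-list
  // directives the value follows it, so the name is the first token.
  const directive = String(r["violated-directive"] ?? "").trim().split(/\s+/)[0];
  if (!directive) return null;
  return {
    documentUri: String(r["document-uri"] ?? ""),
    blockedUri: String(r["blocked-uri"] ?? ""),
    violatedDirective: directive,
  };
}

// URL scheme including the colon (e.g. "http:"), or null if unparsable.
function scheme(uri) {
  try {
    return new URL(uri).protocol;
  } catch {
    return null;
  }
}

// Classify a parsed report. A mixed-content report is only accepted as such
// when the URIs agree with the claim: https: document, http: subresource.
// (Assumed sanity check for this example; the issue does not specify it.)
function classifyReport(report) {
  if (!report) return "invalid";
  if (!MIXED_CONTENT_DIRECTIVES.has(report.violatedDirective)) {
    return "source-list"; // default-src, script-src, img-src, ...
  }
  const docOk = scheme(report.documentUri) === "https:";
  const blockedOk = scheme(report.blockedUri) === "http:";
  return docOk && blockedOk ? "mixed-content" : "inconsistent";
}

// Per-class counts, the summary a collector would keep per reporting site.
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const c = classifyReport(parseCspReport(body));
    counts[c] = (counts[c] ?? 0) + 1;
  }
  return counts;
}

// Constructed sample bodies (not captured from a browser).
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/page.html",
    "blocked-uri": "http://example.com/image.png",
    "violated-directive": "block-all-mixed-content" } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/page.html",
    "blocked-uri": "https://evil.example/x.js",
    "violated-directive": "script-src 'self'" } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/page.html",
    "blocked-uri": "http://cdn.example/lib.js",
    "violated-directive": "upgrade-insecure-requests" } }),
  // Claims mixed content but the blocked resource is already https:.
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/page.html",
    "blocked-uri": "https://example.com/image.png",
    "violated-directive": "block-all-mixed-content" } }),
  "not json",
];

console.log(summarize(SAMPLE_REPORTS));
```

The point of keying on the bare directive name is that a dashboard which only buckets by source-list directives (img-src, script-src, ...) would otherwise drop mixed-content reports on the floor, and the point of the scheme check is that the report body is attacker-controlled input to the collector, so a directive name alone is not evidence that any mixed content existed.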

Comment 5 by rbyers@chromium.org, Nov 18 2016

Components: Blink>SecurityFeature

Comment 6 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 7 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
