
Issue 617065

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 3
Type: Bug




Hashes in 'report-only' don't report.

Project Member Reported by mkwst@chromium.org, Jun 3 2016

Issue description

We should follow up on https://codereview.chromium.org/2020223002 by refactoring hash support such that report-only and enforce mode correctly allow/report matching blocks.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Jun 5 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 2 by mkwst@chromium.org, Jun 19 2017

Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Labels: -Hotlist-Recharge-Cold OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Available (was: Untriaged)
Still a bug. Still need to address it.
Owner: andypaicu@chromium.org
Status: Started (was: Available)
Project Member

Comment 4 by bugdroid1@chromium.org, Jul 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3

commit 1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Jul 14 18:55:35 2017

Fixes and technical debt for hash-based policies

Fixed an issue where multiple policies with different algorithms would
deny scripts/styles
Fixed an issue where report-only policies could cause hash-based policies
to incorrectly deny scripts/styles
Fixed an issue where mixing hash based and not hash based policies would
deny scripts/styles because the checks were done independently
Got rid of the IsAllowedByAll template system and replaced it with for loops
Ensured that checks that check hashes are now incorporated in their
respective allows function
Removed the need for external callers to know to call the hash specific
functions checks since now they are integrated
Added LayoutTests relevant to the issues above

Bug: 617065, 739292, 740688
Change-Id: I1b56afe899eac6358d2ef33fc7030aef568f89ac
Reviewed-on: https://chromium-review.googlesource.com/570248
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486822}
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html.sub.headers
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.sub.headers
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.sub.headers
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html
[add] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html.sub.headers
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/dom/Element.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/dom/MockScriptElementBase.h
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/dom/ScriptElementBase.h
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/dom/StyleElement.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/html/HTMLScriptElement.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/svg/SVGScriptElement.cpp
[modify] https://crrev.com/1fa4cc29f667430e1de7bcdd001ca9e373c8d4d3/third_party/WebKit/Source/core/svg/SVGScriptElement.h

Status: Fixed (was: Started)
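The commit message above describes the intended semantics only in words: every delivered policy is evaluated on its own, a hash token is checked with its own algorithm, and a report-only policy that does not match produces a report but never blocks. The following Python model is an added illustration written for this page; it is not Chromium code and does not come from the change linked in the bug. The names `Policy`, `policy_allows_inline`, `evaluate` and `scenarios`, and the sample script and policies, are constructed for the example; the CSP2 rule that 'unsafe-inline' is ignored once a policy carries a hash or nonce is included as part of the model.

```python
import base64
import hashlib
from dataclasses import dataclass

# Digest algorithms that CSP accepts in hash-source tokens.
HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def csp_hash(source: str, algo: str) -> str:
    """Return the hash-source token (without quotes) a policy carries for `source`."""
    digest = HASH_ALGOS[algo](source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


@dataclass
class Policy:
    name: str
    script_src: list            # tokens such as "'self'", "'sha256-...'", "'unsafe-inline'"
    report_only: bool = False   # True when delivered via Content-Security-Policy-Report-Only


def policy_allows_inline(policy: Policy, source: str) -> bool:
    """Evaluate ONE policy's script-src against one inline script (hypothetical helper)."""
    tokens = [t.strip("'") for t in policy.script_src]
    hash_tokens = [t for t in tokens if t.split("-", 1)[0] in HASH_ALGOS]
    nonce_tokens = [t for t in tokens if t.startswith("nonce-")]
    # CSP2: 'unsafe-inline' only counts when the policy has no hash or nonce source.
    if "unsafe-inline" in tokens and not hash_tokens and not nonce_tokens:
        return True
    # Each hash token is compared using ITS OWN algorithm, so a sha256 policy and a
    # sha384 policy can both match the same script without interfering.
    for tok in hash_tokens:
        algo = tok.split("-", 1)[0]
        if tok == csp_hash(source, algo):
            return True
    return False


def evaluate(policies, source):
    """Apply every delivered policy independently.

    Returns (allowed, reporting_policies). The script is blocked only when an
    ENFORCED policy denies it; a report-only policy that does not match is added
    to the report list and leaves `allowed` untouched.
    """
    allowed = True
    reporting = []
    for p in policies:
        if policy_allows_inline(p, source):
            continue
        reporting.append(p.name)
        if not p.report_only:
            allowed = False
    return allowed, reporting


# Constructed sample inline script and the tokens a policy would carry for it.
SCRIPT = "console.log('hello');"
SHA256_TOKEN = "'" + csp_hash(SCRIPT, "sha256") + "'"
SHA384_TOKEN = "'" + csp_hash(SCRIPT, "sha384") + "'"
OTHER_SHA256 = "'" + csp_hash("alert(1)", "sha256") + "'"   # hash of a different script


def scenarios():
    """The situations listed in the commit message, evaluated with the corrected rules."""
    return {
        # two enforced policies using different algorithms, both matching the script
        "multiple_algorithms": evaluate(
            [Policy("enf-sha256", [SHA256_TOKEN]), Policy("enf-sha384", [SHA384_TOKEN])], SCRIPT),
        # a non-matching report-only policy must report and must not block
        "report_only_reports": evaluate(
            [Policy("ro", [OTHER_SHA256], report_only=True), Policy("enf", [SHA256_TOKEN])], SCRIPT),
        # a hash-based policy mixed with a policy that is not hash-based
        "mixed_hash_and_unsafe_inline": evaluate(
            [Policy("enf-hash", [SHA256_TOKEN]), Policy("enf-inline", ["'unsafe-inline'"])], SCRIPT),
        # an enforced policy without the right hash still blocks, even if a report-only one matches
        "enforced_mismatch_blocks": evaluate(
            [Policy("enf", [OTHER_SHA256]), Policy("ro", [SHA256_TOKEN], report_only=True)], SCRIPT),
    }


if __name__ == "__main__":
    for case, (allowed, reports) in scenarios().items():
        print(f"{case}: allowed={allowed} reports={reports}")
```

Running the module prints the verdict for each scenario; the point to check is that only the last one comes back blocked, and that the report-only policy in the second scenario appears in the report list without affecting the verdict.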
