New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 627762 link

Starred by 6 users
Status: Fixed
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Feb 2017
Cc:
mkwst@chromium.org
kkaluri@chromium.org
jmukthavaram@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

[CSP] HTML imports cannot be whitelisted with a script nonce

Project Member Reported by a...@google.com, Jul 13 2016 
Chrome Version       : 51.0.2704.106
URLs (if applicable) : http://lingro.com:81/cgi-bin/csp-import-nonce.py

What steps will reproduce the problem?
(1) Use a CSP policy with a script-src nonce
(2) Try to load an HTML import with a nonce (<link nonce=foo rel=import>)
 
What is the expected result?
The HTML import should be allow if the <link> element has a valid nonce.

What happens instead?
CSP violation: Refused to load the script '...' because it violates the following Content Security Policy directive: "script-src 'nonce-foo'"

Comment 1 by mkwst@chromium.org, Jul 13 2016

Components: Blink>SecurityFeature
Status: Started (was: Unconfirmed)
https://codereview.chromium.org/2147853003 up for review.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 13 2016

Labels: Hotlist-Google
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 14 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dd6fbccfc7457596f386d41b822d9e93a22b4cac

commit dd6fbccfc7457596f386d41b822d9e93a22b4cac
Author: mkwst <mkwst@chromium.org>
Date: Thu Jul 14 09:20:42 2016

Teach 'LinkRequestBuilder' about the 'nonce' attribute.

Rather than special-casing stylesheet loading, this patch teaches
'LinkRequestBuilder' to grab the nonce when creating requests associated
with '<link>' elements. This ensures that we deal correctly with
stylesheet and HTML imports.

The import tests added in 'http/tests/security/contentSecurityPolicy/nonces/'
verify the expected behavior: a CSP containing "script-src 'nonce-abc'" should
allow '<link rel="import" nonce="abc" href="...">'.

BUG= 627762 
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2147853003
Cr-Commit-Position: refs/heads/master@{#405454}

[add] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/import-enforce-allowed.php
[add] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/import-enforce-blocked.php
[add] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/import-multiple-allowed.php
[add] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/import-multiple-blocked.php
[add] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/import-reportonly-allowed.php
[modify] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/dd6fbccfc7457596f386d41b822d9e93a22b4cac/third_party/WebKit/Source/core/html/LinkResource.cpp

Comment 4 by dglazkov@chromium.org, Oct 13 2016 

Issue 655682 has been merged into this issue.

Comment 5 by mkwst@chromium.org, Feb 23 2017

Status: Fixed (was: Started)

Comment 6 by mkwst@chromium.org, Feb 23 2017

Cc: kkaluri@chromium.org
Issue 654557 has been merged into this issue.

Comment 7 by sureshkumari@chromium.org, Mar 27 2017

Cc: jmukthavaram@chromium.org mkwst@chromium.org
 Issue 702612  has been merged into this issue.

Sign in to add a comment