New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 647588 link

Starred by 1 user
Status: Fixed
Owner:
andypaicu@chromium.org
Last visit > 30 days ago
Closed: Jun 2017
Cc:
mkwst@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: NA
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----



Sign in to add a comment

CSP: Embedded Enforcement

Project Member Reported by mkwst@chromium.org, Sep 16 2016 
CSP's Embedded enforcement  defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself. We should prototype an implementation to see if it's something that solves real problems in a way we can ship.

Changes to API surface:
* New `csp` attribute on HTMLIFrameElement
* Hew request/response headers

Links:
https://w3c.github.io/webappsec-csp/embedded/

Support in other browsers:
Internet Explorer: N/A
Firefox: N/A
Safari: N/A
Project Member

Comment 1 by bugdroid1@chromium.org, Sep 27 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/28ea58f34c71c6af9044f16e342ce395f8b2c5c1

commit 28ea58f34c71c6af9044f16e342ce395f8b2c5c1
Author: amalika <amalika@google.com>
Date: Tue Sep 27 12:38:17 2016

Adding CSP attribute on HTMLIFrameElement

As defined in https://w3c.github.io/webappsec-csp/embedded/#dom-htmliframeelement-csp.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2370783002
Cr-Commit-Position: refs/heads/master@{#421182}

[add] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/iframe-csp-attribute.html
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/LayoutTests/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/Source/core/html/HTMLAttributeNames.in
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/Source/core/html/HTMLIFrameElement.h
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/Source/core/html/HTMLIFrameElement.idl
[modify] https://crrev.com/28ea58f34c71c6af9044f16e342ce395f8b2c5c1/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
Project Member

Comment 2 by bugdroid1@chromium.org, Oct 6 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4100ce09bf324e0fb2612ae83c7892f0870c3fe

commit e4100ce09bf324e0fb2612ae83c7892f0870c3fe
Author: amalika <amalika@google.com>
Date: Thu Oct 06 07:27:58 2016

Adding csp to frameOwnerPropertiesChanged

If the iframe is remote and the csp attribute gets updated,
we need to have access to the newest value when sending
Embedding-CSP header and setting browsing context's requiredCSP value.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2378643002
Cr-Commit-Position: refs/heads/master@{#423468}

[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_messages.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_owner_properties.cc
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_owner_properties.h
[add] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/test/data/frame_owner_properties_csp.html
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/frame/FrameOwner.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/html/HTMLIFrameElement.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/RemoteFrameOwner.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/RemoteFrameOwner.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/WebFrame.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/public/web/WebFrameOwnerProperties.h
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 10 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ecf8bb9b85922dbed58632e269d579deb06ef58b

commit ecf8bb9b85922dbed58632e269d579deb06ef58b
Author: amalika <amalika@google.com>
Date: Mon Oct 10 09:54:04 2016

Adding and sending Embedding-CSP HTTP header

Also, setting requiredCSP on FrameLoader to ensure
that we record the CSP value we used when sending the FrameLoadRequest

BUG= 647588 

Review-Url: https://codereview.chromium.org/2372563002
Cr-Commit-Position: refs/heads/master@{#424124}

[add] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html
[add] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php
[add] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header.php
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/fetch/FetchContext.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/fetch/FetchContext.h
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/loader/FrameFetchContext.h
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/core/loader/FrameLoader.h
[modify] https://crrev.com/ecf8bb9b85922dbed58632e269d579deb06ef58b/third_party/WebKit/Source/platform/network/HTTPNames.in
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 18 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/69cc847f5802c6d871836695d5f984db682af776

commit 69cc847f5802c6d871836695d5f984db682af776
Author: amalika <amalika@google.com>
Date: Tue Oct 18 14:35:00 2016

This is part of an experimental feature in Content Security Policy.

This patch introduces a new header Allow-CSP-From that allows the embedded iframe
to use a whitelist to enforce upon itself embedder's CSP.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2404373003
Cr-Commit-Position: refs/heads/master@{#425955}

[add] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/allow_csp_from-header.html
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/embedding_csp-header.html
[add] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js
[add] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-header.php
[add] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-allow-csp-from-multiple-headers.php
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/69cc847f5802c6d871836695d5f984db682af776/third_party/WebKit/Source/platform/network/HTTPNames.in
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 27 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b7fe99a65e3478fed6f8a4a6f06213b18147c93

commit 8b7fe99a65e3478fed6f8a4a6f06213b18147c93
Author: amalika <amalika@google.com>
Date: Thu Oct 27 11:29:46 2016

Change to String-based CSPSource matching functions.

Currently, CSPSource's matching functions match the relevant
component against a KURL. We need to match against Strings
in order to implement some new features, so this patch
converts the comparisons in preparation for that work.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2456493002
Cr-Commit-Position: refs/heads/master@{#427997}

[modify] https://crrev.com/8b7fe99a65e3478fed6f8a4a6f06213b18147c93/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/8b7fe99a65e3478fed6f8a4a6f06213b18147c93/third_party/WebKit/Source/core/frame/csp/CSPSource.h
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4100ce09bf324e0fb2612ae83c7892f0870c3fe

commit e4100ce09bf324e0fb2612ae83c7892f0870c3fe
Author: amalika <amalika@google.com>
Date: Thu Oct 06 07:27:58 2016

Adding csp to frameOwnerPropertiesChanged

If the iframe is remote and the csp attribute gets updated,
we need to have access to the newest value when sending
Embedding-CSP header and setting browsing context's requiredCSP value.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2378643002
Cr-Commit-Position: refs/heads/master@{#423468}

[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_messages.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_owner_properties.cc
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/common/frame_owner_properties.h
[add] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/content/test/data/frame_owner_properties_csp.html
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/frame/FrameOwner.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/core/html/HTMLIFrameElement.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/RemoteFrameOwner.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/RemoteFrameOwner.h
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/WebFrame.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp
[modify] https://crrev.com/e4100ce09bf324e0fb2612ae83c7892f0870c3fe/third_party/WebKit/public/web/WebFrameOwnerProperties.h
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 28 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb

commit 20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb
Author: amalika <amalika@google.com>
Date: Fri Oct 28 09:10:46 2016

Removing CSPSourceList level up to SourceListDirective.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2449873004
Cr-Commit-Position: refs/heads/master@{#428322}

[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/BUILD.gn
[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/csp/CSPDirective.h
[delete] https://crrev.com/ead7f5c6c6b7c670588cf123e545c377e1252dc8/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
[delete] https://crrev.com/ead7f5c6c6b7c670588cf123e545c377e1252dc8/third_party/WebKit/Source/core/frame/csp/CSPSourceList.h
[delete] https://crrev.com/ead7f5c6c6b7c670588cf123e545c377e1252dc8/third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp
[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[add] https://crrev.com/20ffd3bc663646ac5e37bb2f61f93cc0c223f8eb/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ab18fdcd7bad1f68ec6bc0d2ebdb67fd5f200df0

commit ab18fdcd7bad1f68ec6bc0d2ebdb67fd5f200df0
Author: amalika <amalika@google.com>
Date: Fri Nov 04 13:20:37 2016

Part 1.1: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

In particular this is the initial effort in implementing
*3.3. Is policy list subsumed under subsuming policy?

Given two CSPSources, we try to determine whether one is
subsumed under another. If not, return false.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2442513004
Cr-Commit-Position: refs/heads/master@{#429872}

[modify] https://crrev.com/ab18fdcd7bad1f68ec6bc0d2ebdb67fd5f200df0/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/ab18fdcd7bad1f68ec6bc0d2ebdb67fd5f200df0/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/ab18fdcd7bad1f68ec6bc0d2ebdb67fd5f200df0/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Comment 9 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840
Project Member

Comment 10 by bugdroid1@chromium.org, Nov 7 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/14162d1652623759b9d3528bda3b22b4952d47b4

commit 14162d1652623759b9d3528bda3b22b4952d47b4
Author: amalika <amalika@google.com>
Date: Mon Nov 07 14:14:16 2016

Part 2.1: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

In particular this is the second CL devoted to implementing
*3.3. Is policy list subsumed under subsuming policy?

In this patch we try to find normalized list of CSPSources
from the two given vectors of CSPSources.

Example:
A: http://*.example.com
B: http://example.com/index.html
In this case, the latter contains more information because
it provides a more specific path and no host wildcard. Thus,
their normalization would be equivalent to B.

Example:
A: http://
B: http://example.com/index.html
Scheme-source/ host-source expression normalization should
be equivalent to B.

Example:
A: https://
B: http://example.com/index.html
Scheme-source/ host-source expression normalization should
return https://example.com/index.html.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2470083002
Cr-Commit-Position: refs/heads/master@{#430267}

[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/14162d1652623759b9d3528bda3b22b4952d47b4/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 11 by bugdroid1@chromium.org, Nov 11 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7650479aed19de17e02478abd1845ffea51e7dbf

commit 7650479aed19de17e02478abd1845ffea51e7dbf
Author: amalika <amalika@google.com>
Date: Fri Nov 11 12:42:30 2016

Part 2.2: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

In particular this is the second CL devoted to implementing
*3.3. Is policy list subsumed under subsuming policy?

Here we try to find whether a source list directive is subsuming
to a vector of source list directives.

Note: right now we only consider non-special keyword cases, i.e.
CSPSources.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2452903004
Cr-Commit-Position: refs/heads/master@{#431549}

[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/7650479aed19de17e02478abd1845ffea51e7dbf/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 13 by bugdroid1@chromium.org, Nov 25 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18

commit cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18
Author: amalika <amalika@google.com>
Date: Fri Nov 25 11:07:56 2016

Part 2.3: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

This patch considers schemes when finding an `effective`
vector of CSPSources.

Previously, we handled scheme to host and
host to host source expressions.

This CL considers specifically scheme to scheme source
expressions.

Example 1:
A: http:
B: http://example.com

Then the resulting intersaction should be B.

Example 2:
A: https: http://example.com
B: http://example.com http:

Then the result should be `http://example.com https:`,
i.e. the former should not be upgraded to "https"

Moreover, we should also NOT stop when we find a match.

Example 3:
A: https://example.com http://example.com/foo
B: http://example.com/foo https://example.com

If we stop based on first match, we would get:
`https://example.com/foo http://example.com/foo`
However, the correct result should be:
`https://example.com http://example.com/foo`
since the order of CSPSources should not matter.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2487983003
Cr-Commit-Position: refs/heads/master@{#434477}

[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/cb5cc2c4d0e9f56a7b408d33d264b7ca0c864a18/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 14 by bugdroid1@chromium.org, Nov 25 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d15fefad6620176d0d0e60588abd29a19acc9d02

commit d15fefad6620176d0d0e60588abd29a19acc9d02
Author: magjed <magjed@chromium.org>
Date: Fri Nov 25 12:04:29 2016

Revert of Embedding-CSP: Refactoring directive strings into enum (patchset #6 id:140001 of https://codereview.chromium.org/2516383002/ )

Reason for revert:
Causing WebKit Win x64 Builder to fail on webkit_unit_tests on Windows-7-SP1 ContentSecurityPolicyTest.DirectiveType:
ContentSecurityPolicyTest.DirectiveType (run #1):
[ RUN      ] ContentSecurityPolicyTest.DirectiveType
c:\c\win_layout\src	hird_party\webkit\source\core
rame\csp\contentsecuritypolicytest.cpp(950): error: Death test: ContentSecurityPolicy::getDirectiveName( ContentSecurityPolicy::DirectiveType::Undefined)
    Result: failed to die.
 Error msg:
[  DEATH   ] [3244:5672:1125/030930:3521831:WARNING:test_suite.cc(236)] Test launcher output path C:\Users\CHROME~2\AppData\Local\Temp!6_27934	est_results.xml exists. Not adding test launcher result printer.
[  DEATH   ]
[  FAILED  ] ContentSecurityPolicyTest.DirectiveType (67 ms)

https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Win%20x64%20Builder/builds/101390

Original issue's description:
> Embedding-CSP: Refactoring directive strings into enum.
>
> This is an effort as part of the experimental feature. Causing
> patch: https://codereview.chromium.org/2474903002
>
> BUG= 647588 
>
> Committed: https://crrev.com/a5e9944b7169dd3a3c9f2cb352aff3551b32cd12
> Cr-Commit-Position: refs/heads/master@{#434474}

TBR=mkwst@chromium.org,jochen@chromium.org,amalika@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 647588 

Review-Url: https://codereview.chromium.org/2528133002
Cr-Commit-Position: refs/heads/master@{#434483}

[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/d15fefad6620176d0d0e60588abd29a19acc9d02/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
Project Member

Comment 16 by bugdroid1@chromium.org, Nov 28 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0dc68f9f6acad85dd6ffcd2de5332574f886d061

commit 0dc68f9f6acad85dd6ffcd2de5332574f886d061
Author: amalika <amalika@google.com>
Date: Mon Nov 28 16:47:06 2016

Part 3.1: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

This patch introduces CSPDirectiveList subsumption.
We aggregate SourceListDirectives based on their directive
names (or default directives otherwise) to check if it subsumes
under the embedding csp.

Note: There is only one SourceListDirective for each directive
name type specified by Embedding CSP since it specifies only one
policy.
+ We only consider scheme source /host source expressions to this
point.

Separate patches will be devoted to consideration of
'unsafe-inline' etc.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2474903002
Cr-Commit-Position: refs/heads/master@{#434667}

[modify] https://crrev.com/0dc68f9f6acad85dd6ffcd2de5332574f886d061/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/0dc68f9f6acad85dd6ffcd2de5332574f886d061/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/0dc68f9f6acad85dd6ffcd2de5332574f886d061/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/0dc68f9f6acad85dd6ffcd2de5332574f886d061/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/0dc68f9f6acad85dd6ffcd2de5332574f886d061/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
Project Member

Comment 17 by bugdroid1@chromium.org, Dec 2 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/685a394fd8ebd2dc4b14ef7277ce80f9776a770f

commit 685a394fd8ebd2dc4b14ef7277ce80f9776a770f
Author: amalika <amalika@google.com>
Date: Fri Dec 02 08:20:31 2016

Part 3.2: Is policy list subsumed under subsuming policy?
This is part of an experimental feature Embedding-CSP.

Here we add support for `self` source, which gets compiled
to CSPSources for normalization (finding intersection) and
subsumption.

For example, if the secure origin is "https://example.test/"
then for a list of policies:
`
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/
`

an intersection would be:
`Content-Security-Policy: script-src https://example.test/`

BUG= 647588 

Review-Url: https://codereview.chromium.org/2519103005
Cr-Commit-Position: refs/heads/master@{#435883}

[modify] https://crrev.com/685a394fd8ebd2dc4b14ef7277ce80f9776a770f/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/685a394fd8ebd2dc4b14ef7277ce80f9776a770f/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/685a394fd8ebd2dc4b14ef7277ce80f9776a770f/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/685a394fd8ebd2dc4b14ef7277ce80f9776a770f/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 18 by bugdroid1@chromium.org, Dec 2 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/761fe2ef2f851eb9980dd1064fef65d42ef7628b

commit 761fe2ef2f851eb9980dd1064fef65d42ef7628b
Author: amalika <amalika@google.com>
Date: Fri Dec 02 13:21:26 2016

Part 4.1:  Is policy list subsumed under subsuming policy?

This CL is part of an experimental feature Embedding-CSP. In particular,
we add support for CSP level and layout tests. Main points:
- Filter returned CSP by `enforce` type
- Add check for subsumption in DocumentLoader
- Set `self` for Embedding-CSP.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2526473005
Cr-Commit-Position: refs/heads/master@{#435927}

[add] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html
[add] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-protocols-paths.html
[add] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-self.html
[add] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-wildcards-in-hosts-ports.html
[modify] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-csp-test.js
[add] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/respond-with-multiple-csp-headers.php
[modify] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/761fe2ef2f851eb9980dd1064fef65d42ef7628b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
Project Member

Comment 20 by bugdroid1@chromium.org, Dec 2 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/522a12cdff7503f3ea42773e09976d84d230a9d9

commit 522a12cdff7503f3ea42773e09976d84d230a9d9
Author: amalika <amalika@google.com>
Date: Fri Dec 02 16:55:03 2016

Part 3.4: Is policy list subsumed under subsuming policy?

In this patch we consider special keywords such as `unsafe-eval`,
`unsafe-hashed-attributes`, `strict-dynamic`.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2538623003
Cr-Commit-Position: refs/heads/master@{#435957}

[modify] https://crrev.com/522a12cdff7503f3ea42773e09976d84d230a9d9/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/522a12cdff7503f3ea42773e09976d84d230a9d9/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 21 by bugdroid1@chromium.org, Dec 5 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/82f74b025438d88016d67f1d27b7ffca1d149dac

commit 82f74b025438d88016d67f1d27b7ffca1d149dac
Author: amalika <amalika@google.com>
Date: Mon Dec 05 12:52:07 2016

Part 3.5: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG= 647588 

Review-Url: https://codereview.chromium.org/2528423002
Cr-Commit-Position: refs/heads/master@{#436270}

[modify] https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 22 by bugdroid1@chromium.org, Dec 6 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9757fb4e3353e8844264b04ed7145bf457288ad7

commit 9757fb4e3353e8844264b04ed7145bf457288ad7
Author: amalika <amalika@google.com>
Date: Tue Dec 06 10:13:13 2016

Embedding-CSP: Adding `const` to method signatures.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2551843002
Cr-Commit-Position: refs/heads/master@{#436558}

[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/9757fb4e3353e8844264b04ed7145bf457288ad7/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
Project Member

Comment 23 by bugdroid1@chromium.org, Dec 7 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9881be66406b729bfa518c4aaf54430ed5bc0683

commit 9881be66406b729bfa518c4aaf54430ed5bc0683
Author: amalika <amalika@google.com>
Date: Wed Dec 07 11:44:28 2016

Embedding-CSP: Ports subsumption

When we check for subsumption, we need to make sure that even if ports
are different but are defaults for the specified protocols, we return
correct result. Consider:

A = http://example.com:80
B = https://example.com:443

Then A subsumes B.
Moreover, A is similar to B and their intersection should be
`https://example.com:443`.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2556713002
Cr-Commit-Position: refs/heads/master@{#436916}

[modify] https://crrev.com/9881be66406b729bfa518c4aaf54430ed5bc0683/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html
[modify] https://crrev.com/9881be66406b729bfa518c4aaf54430ed5bc0683/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/9881be66406b729bfa518c4aaf54430ed5bc0683/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/9881be66406b729bfa518c4aaf54430ed5bc0683/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
Project Member

Comment 24 by bugdroid1@chromium.org, Dec 7 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7abaa81c2d0044a70d45fbadf0f00729a5647f5a

commit 7abaa81c2d0044a70d45fbadf0f00729a5647f5a
Author: amalika <amalika@google.com>
Date: Wed Dec 07 21:29:24 2016

Part 5.1:  Is policy list subsumed under subsuming policy?

In this CL we start considering subsumtpion on  MediaListDirective level.
The logic is straightforward: we required exact match for the specified
plugin types.
Two steps:
- Normalize: find effective list of allowed plugin types
- Check for subsumption.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2541843002
Cr-Commit-Position: refs/heads/master@{#437066}

[modify] https://crrev.com/7abaa81c2d0044a70d45fbadf0f00729a5647f5a/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/7abaa81c2d0044a70d45fbadf0f00729a5647f5a/third_party/WebKit/Source/core/frame/csp/MediaListDirective.cpp
[modify] https://crrev.com/7abaa81c2d0044a70d45fbadf0f00729a5647f5a/third_party/WebKit/Source/core/frame/csp/MediaListDirective.h
[add] https://crrev.com/7abaa81c2d0044a70d45fbadf0f00729a5647f5a/third_party/WebKit/Source/core/frame/csp/MediaListDirectiveTest.cpp
Project Member

Comment 25 by bugdroid1@chromium.org, Dec 8 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bcb1aa7c25d64df51841df3dbb47eb5d3c68b58a

commit bcb1aa7c25d64df51841df3dbb47eb5d3c68b58a
Author: amalika <amalika@google.com>
Date: Thu Dec 08 10:08:50 2016

Part 3.6: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

In this CL we check subsumption for nonces and hashes.

BUG= 647588 

Review-Url: https://codereview.chromium.org/2545063002
Cr-Commit-Position: refs/heads/master@{#437224}

[modify] https://crrev.com/bcb1aa7c25d64df51841df3dbb47eb5d3c68b58a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/bcb1aa7c25d64df51841df3dbb47eb5d3c68b58a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/bcb1aa7c25d64df51841df3dbb47eb5d3c68b58a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
Project Member

Comment 28 by bugdroid1@chromium.org, May 22 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26

commit 3f8d3c41da42aa0206f70f86dd00ea1e4d575f26
Author: andypaicu <andypaicu@chromium.org>
Date: Mon May 22 10:58:11 2017

Renamed all instances of embedding-csp to required-csp

Also removed 2 support files that were unused

Spec: https://w3c.github.io/webappsec-csp/embedded/#required-csp-header

BUG= 647588 

Review-Url: https://codereview.chromium.org/2892903002
Cr-Commit-Position: refs/heads/master@{#473547}

[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/TestExpectations
[rename] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header-invalid-format.html
[rename] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
[rename] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/support/echo-required-csp.py
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
[delete] https://crrev.com/3638f51b033ad950d63f9186f7d0329a4eed48c9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php
[delete] https://crrev.com/3638f51b033ad950d63f9186f7d0329a4eed48c9/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header.php
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/3f8d3c41da42aa0206f70f86dd00ea1e4d575f26/third_party/WebKit/Source/platform/network/HTTPNames.json5
Project Member

Comment 29 by sheriffbot@chromium.org, May 22 2017

Labels: Hotlist-Recharge-BouncingOwner
Owner: ----
Status: Untriaged (was: Assigned)
The assigned owner "amalika@google.com" is not able to receive e-mails, please re-triage.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by mkwst@chromium.org, May 23 2017

Labels: -M-58 M-61
Owner: andypaicu@chromium.org
Status: Started (was: Untriaged)

Comment 31 by mkwst@chromium.org, May 23 2017

Labels: -OWP-Standards-UnofficialSpec OWP-Standards-OfficialSpec
Project Member

Comment 32 by bugdroid1@chromium.org, May 30 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4124bfba87179d73b33c54d6add5b2ac82a090b4

commit 4124bfba87179d73b33c54d6add5b2ac82a090b4
Author: andypaicu <andypaicu@chromium.org>
Date: Tue May 30 10:42:25 2017

Added validation of the policy specified in the 'csp' attribute

Spec: https://w3c.github.io/webappsec-csp/embedded/#csp-attribute

The 'csp' attribute is supposed to be validated as a serialized-policy
and set to null if not a valid one

Re-used the existing wpt test that documents this functionality

Fixed the expected and actual order in said test as it was reversed

BUG= 647588 

Review-Url: https://codereview.chromium.org/2896833002
Cr-Commit-Position: refs/heads/master@{#475487}

[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/LayoutTests/TestExpectations
[delete] https://crrev.com/2f78b5b66d3637fa3d2b2b13ff2d39d98985d27f/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header-invalid-format.html
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/support/testharness-helper.sub.js
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
[modify] https://crrev.com/4124bfba87179d73b33c54d6add5b2ac82a090b4/third_party/WebKit/Source/core/loader/FrameLoader.cpp
Project Member

Comment 35 by bugdroid1@chromium.org, Jun 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/313b70a5db22451a4ff7d5ac8bbe548eca46495d

commit 313b70a5db22451a4ff7d5ac8bbe548eca46495d
Author: Andy Paicu <andypaicu@chromium.org>
Date: Wed Jun 07 10:32:21 2017

Shipping embedded enforcement

Spec: https://w3c.github.io/webappsec-csp/embedded/
I2I: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/bck8mCc-HOQ
I2S: https://groups.google.com/a/chromium.org/d/msg/blink-dev/DdzeM55D87Y/kwMlfu-DBgAJ

Bug:  647588 
Change-Id: I33406dc0e61059cf2b0a4a26c50572a9ff189735
Reviewed-on: https://chromium-review.googlesource.com/525693
Reviewed-by: Philip Jägenstedt <foolip@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#477604}
[modify] https://crrev.com/313b70a5db22451a4ff7d5ac8bbe548eca46495d/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/313b70a5db22451a4ff7d5ac8bbe548eca46495d/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/313b70a5db22451a4ff7d5ac8bbe548eca46495d/third_party/WebKit/LayoutTests/virtual/stable/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/313b70a5db22451a4ff7d5ac8bbe548eca46495d/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5

Comment 36 by andypaicu@chromium.org, Jun 7 2017

Labels: Launch-Legal-NA
Status: Fixed (was: Started)

Sign in to add a comment