
Issue 662930 link

Starred by 7 users

Issue metadata

Status: Started
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task
Launch-M-Target: 57-Dev, 57-Beta, 57-Stable

Blocked on:
issue 663298
issue 666664
issue 669496




CSP3: Implement worker changes

Reported by mkwst@chromium.org (Project Member), Nov 7 2016

Issue description

https://w3c.github.io/webappsec-csp/#directive-worker-src

The `worker-src` CSP directive governs dedicated, shared, and service workers. It falls back to `child-src` (which we're already shipping), and `default-src` (likewise). We should implement it.
 

Comment 1 by mkwst@chromium.org, Nov 8 2016

Blockedon: 663298

Comment 2 by bugdroid1@chromium.org, Nov 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/586705638164b07863229f70fba19fa2571b48af

commit 586705638164b07863229f70fba19fa2571b48af
Author: mkwst <mkwst@chromium.org>
Date: Thu Nov 10 10:06:22 2016

CSP3: Implement 'worker-src'.

As a drive-by, this also renames `allowChildFrameFromSource` to
`allowFrameFromSource`, and `allowChildContextFromSource` to
`allowWorkerFromSource` to reflect their usage.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/1UkZE-vOROc/gEj7psewAAAJ

BUG=662930

Review-Url: https://codereview.chromium.org/2480303002
Cr-Commit-Position: refs/heads/master@{#431228}

[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ping.js
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/testharness-helper.js
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/service-worker-blocked-expected.txt
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-child.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-fallback.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-list.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-none.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-self.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-child.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-fallback.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-list.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-none.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-self.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-child.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-fallback.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-list.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-none.html
[add] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-self.html
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/586705638164b07863229f70fba19fa2571b48af/third_party/WebKit/Source/core/loader/FrameLoader.cpp

Comment 3 by mkwst@chromium.org, Nov 11 2016

Status: Fixed (was: Assigned)

Comment 4 by mkwst@chromium.org, Nov 18 2016

Blockedon: 666664
Labels: -M-56 M-57 Launch-M-Target-57-Dev Launch-M-Target-57-Beta Launch-M-Target-57-Stable
Status: Started (was: Fixed)

Comment 5 by rbyers@chromium.org, Nov 18 2016

Components: Blink>SecurityFeature

Comment 6 by mkwst@chromium.org, Nov 29 2016

Based on discussion in https://github.com/w3c/webappsec-csp/issues/146, repurposing this to implement `worker-src` on top of `script-src` and change inheritance for dedicated workers.

Comment 7 by mkwst@chromium.org, Nov 29 2016

Summary: CSP3: Implement worker changes (was: CSP3: 'worker-src')

Comment 8 by mkwst@chromium.org, Nov 29 2016

Blockedon: 669496
Labels: -M-57

Comment 10 by bugdroid1@chromium.org, Mar 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d8cc69507968d87cea7eeefc39c0dae78f960879

commit d8cc69507968d87cea7eeefc39c0dae78f960879
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 20 08:55:35 2017

CSP: Move 'worker-src' onto 'script-src'

Based on the discussion in https://github.com/w3c/webappsec-csp/issues/146,
we're deprecating 'child-src' and moving 'worker-src' onto 'script-src'.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/npKDoKVOUAs/ogtlIFmLBAAJ

BUG=662930,694525

Review-Url: https://codereview.chromium.org/2533313002
Cr-Commit-Position: refs/heads/master@{#458026}

[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/chrome/test/data/extensions/api_test/webrequest/test_types.js
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/service-child.https.sub.html
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/service-fallback.https.sub.html
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/service-list.https.sub.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/service-worker-allowed.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/service-worker-blocked-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/service-worker-blocked.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-child.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-fallback.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-list.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-none.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/dedicated-self.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-child.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-fallback.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-list.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-none.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/service-self.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-child.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-fallback.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-list.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-none.html
[delete] https://crrev.com/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-src/shared-self.html
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/d8cc69507968d87cea7eeefc39c0dae78f960879/tools/metrics/histograms/histograms.xml


Comment 11 by bugdroid1@chromium.org, Mar 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d81303c8e08b491495d5fc425aaeb191f7be3418

commit d81303c8e08b491495d5fc425aaeb191f7be3418
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 20 11:26:51 2017

CSP: Dedicated workers always inherit policy.

Based on the discussion in https://github.com/w3c/webappsec-csp/issues/146,
we're dropping the distinct policy for dedicated workers; they will now always
inherit the policy of their responsible document (just like every other script
executing in that page's context).

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/npKDoKVOUAs/ogtlIFmLBAAJ

BUG=662930

Review-Url: https://codereview.chromium.org/2540983003
Cr-Commit-Position: refs/heads/master@{#458039}

[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/testharness-helper.js
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-allowed-expected.txt
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html
[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers.html
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-redirect-blocked-by-connect-src.html
[delete] https://crrev.com/01b5c7b1560e884426a2ef014c61acc74cd17a80/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp.html
[add] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/workers/dedicated-eval.html
[add] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/workers/dedicated-inheritance.html
[add] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/workers/resources/connect-src-self.js
[add] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/workers/resources/script-src-self.js
[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp
[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/Source/core/workers/InProcessWorkerMessagingProxy.cpp
[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/Source/core/workers/InProcessWorkerMessagingProxy.h
[modify] https://crrev.com/d81303c8e08b491495d5fc425aaeb191f7be3418/third_party/WebKit/Source/core/workers/WorkerScriptLoader.h
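
Worked example (added here; not Chromium, WPT or spec code): a small JavaScript model of the two behaviour changes tracked in this issue. It resolves which directive governs a worker fetch under the original chain from the issue description (worker-src, then child-src, then default-src) and under the CSP3 chain after comment 10 (worker-src, then child-src, then script-src, then default-src), matches the worker URL against that directive's source list, and returns the policy a worker's global scope runs under per comment 11 (dedicated workers inherit the document's policy; shared and service workers use the policy from their own script response, as in the CSP3 spec). The policies, origins and blob URL are constructed for illustration. Source matching is simplified (no paths, nonces, hashes or redirect handling) and follows Chromium in not letting 'self' match a blob: URL, which is why a blob worker needs an explicit blob: source in worker-src.

```javascript
// Added example, not Chromium or WPT code: a small model of the CSP3 worker
// rules discussed in this issue. It resolves which directive governs a worker
// fetch, checks the worker URL against that directive's source list, and
// picks the policy a worker's own global scope runs under. Source matching is
// simplified (no paths, nonces, hashes or redirect handling).

// Parse "directive sources; directive sources" into a Map<name, string[]>.
// A repeated directive name is ignored after its first occurrence, as in CSP.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fallback chains for worker fetches. CHAIN_CHILD_ONLY is the behaviour in the
// issue description (worker-src -> child-src -> default-src). CHAIN_CSP3 is
// the CSP3 order after comment 10 put worker-src on top of script-src; child-src
// is deprecated but still honoured when present.
const CHAIN_CHILD_ONLY = ["worker-src", "child-src", "default-src"];
const CHAIN_CSP3 = ["worker-src", "child-src", "script-src", "default-src"];

function governingDirective(policy, chain) {
  return chain.find((name) => policy.has(name)) ?? null; // null: no restriction applies
}

// Chromium's 'self' compares scheme, host and port (http may upgrade to https),
// so a blob: worker URL never matches 'self'; list "blob:" explicitly instead.
function sameOriginAs(url, self) {
  const schemeOk = url.protocol === self.protocol ||
    (self.protocol === "http:" && url.protocol === "https:");
  return schemeOk && url.hostname === self.hostname && url.port === self.port;
}

// Match one source expression: 'self', 'none', '*', a scheme-source such as
// "blob:" or "https:", or a host-source with optional scheme, "*." and port.
function sourceMatches(expr, url, self) {
  if (expr.startsWith("'")) return expr === "'self'" && sameOriginAs(url, self);
  if (expr === "*") return !/^(data|blob|filesystem):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : self.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === "http:" && url.protocol === "https:")) return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  // WHATWG URL reports a default port as "", so an absent port means "default port".
  return port === "*" || (port ?? "") === url.port;
}

// Would a worker fetch of `workerUrl` from a document at `documentUrl` be
// allowed by `policy`, using the given fallback chain?
function workerFetchAllowed(policy, chain, workerUrl, documentUrl) {
  const directive = governingDirective(policy, chain);
  if (directive === null) return { allowed: true, directive };
  const url = new URL(workerUrl, documentUrl);
  const self = new URL(documentUrl);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url, self));
  return { allowed, directive };
}

// Which policy governs the worker's own global scope (comment 11): dedicated
// workers always inherit the responsible document's policy; shared and service
// workers run under the policy delivered with their own script response.
function workerScopePolicy(kind, documentPolicy, responsePolicy) {
  return kind === "dedicated" ? documentPolicy : responsePolicy;
}

// Constructed sample policies and URLs (not taken from the issue).
const DOC = "https://app.example/";
const NO_CHILD_SRC = parseCsp("default-src 'none'; script-src 'self' https://cdn.example");
const BLOB_OK = parseCsp("script-src 'self'; worker-src 'self' blob:");
const SELF_ONLY = parseCsp("script-src 'self'; worker-src 'self'");
const BLOB_URL = "blob:https://app.example/3f2a0c1e-0000-4000-8000-000000000000";

function runScenarios() {
  return {
    // Same policy, same worker: blocked by default-src under the old chain,
    // allowed by script-src under CSP3. This is the compatibility change.
    cdnOldChain: workerFetchAllowed(NO_CHILD_SRC, CHAIN_CHILD_ONLY, "https://cdn.example/w.js", DOC),
    cdnCsp3: workerFetchAllowed(NO_CHILD_SRC, CHAIN_CSP3, "https://cdn.example/w.js", DOC),
    blobWithSchemeSource: workerFetchAllowed(BLOB_OK, CHAIN_CSP3, BLOB_URL, DOC),
    blobWithSelfOnly: workerFetchAllowed(SELF_ONLY, CHAIN_CSP3, BLOB_URL, DOC),
    relativeSelf: workerFetchAllowed(SELF_ONLY, CHAIN_CSP3, "/js/w.js", DOC),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with node. The printed scenarios show the same policy blocking a cross-origin worker under the old fallback and allowing it through script-src under CSP3, which is the compatibility shift behind the child-src deprecation in comment 10; a policy that still carries child-src keeps winning over script-src, so sites that relied on child-src to fence workers are unaffected until they drop it.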

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge
Labels: Hotlist-EnamelAndFriendsFixIt
Labels: -Hotlist-EnamelAndFriendsFixIt
