New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 676260 link

Starred by 1 user
Status: Fixed
Owner:
arthurso...@chromium.org
Closed: Jan 2017
Cc:
mkwst@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

Content-Security-Policy - Host is not parsed correctly inside source-expressions.

Project Member Reported by arthurso...@chromium.org, Dec 21 2016 
Chrome Version: All
Tested on 55.0.2883.87 (Official Build) (64-bit)

What steps will reproduce the problem?
Navigate to a new html page with one of these lines in the <header> section:
<meta http-equiv="Content-Security-Policy" content="default-src *.">
<meta http-equiv="Content-Security-Policy" content="default-src a.b.">

What is the expected result?
The policies must be ignored and a console error message must be displayed.

What happens instead?
The polices are validated by the parser with an invalid host : "a.b."
Project Member

Comment 1 by bugdroid1@chromium.org, Dec 22 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4bd219e45f7ba50880725bc55e94aa13359c3cd9

commit 4bd219e45f7ba50880725bc55e94aa13359c3cd9
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Thu Dec 22 10:44:32 2016

CSP: fix bugs in parseHost (+ add unit test)

The problem was that host like : "*."  or "sub.host." were
validated by SourceListDirective::parseHost, while they aren't valid.

BUG= 676260 

Review-Url: https://codereview.chromium.org/2589273003
Cr-Commit-Position: refs/heads/master@{#440378}

[modify] https://crrev.com/4bd219e45f7ba50880725bc55e94aa13359c3cd9/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/4bd219e45f7ba50880725bc55e94aa13359c3cd9/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/4bd219e45f7ba50880725bc55e94aa13359c3cd9/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Comment 2 by arthurso...@chromium.org, Jan 10 2017

Status: Fixed (was: Started)

Sign in to add a comment