
Issue 692046

Starred by 3 users

Issue metadata

Status: Fixed
Owner: andypaicu@chromium.org
Closed: Apr 2017
Cc: nick@chromium.org
OS: All
Pri: 2
Type: Bug




Content-Security-Policy - blob-urls are blocked when blob-urls are allowed and CSP is bypassed.

Project Member Reported by arthurso...@chromium.org, Feb 14 2017

Issue description

Chrome Version: 56.0.2924.87 (Official Build) (64-bit)
OS: All

When the CSP allows the 'blob' scheme or the 'filesystem' scheme, requests to a blob-url or a filesystem-url are allowed. This is the expected behavior.

The problem is that when the origin's scheme bypasses the CSP, they become blocked even if they are whitelisted.

This bug is documented here with some tests:
https://codereview.chromium.org/2691063003/

TEST = SourceListDirectiveTest.FilesystemDisallowedWhenBypassingSelfScheme
       SourceListDirectiveTest.BlobDisallowedWhenBypassingSelfScheme
 
Project Member

Comment 2 by bugdroid1@chromium.org, Feb 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27477347836bad10c666f3918b6d77bc742f4785

commit 27477347836bad10c666f3918b6d77bc742f4785
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Tue Feb 14 14:50:46 2017

Content-Security-Policy: Add test with 'filesystem' and 'blob'.

A few tests that show how Content-Security-Policy works with blob-urls
and filesystem-urls, especially when the inner url is used.

BUG=692046

Review-Url: https://codereview.chromium.org/2691063003
Cr-Commit-Position: refs/heads/master@{#450350}

[modify] https://crrev.com/27477347836bad10c666f3918b6d77bc742f4785/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Cc: nick@chromium.org
Status: Untriaged (was: Available)

Comment 5 by mkwst@chromium.org, Feb 21 2017

Owner: andypaicu@chromium.org
Status: Assigned (was: Untriaged)
Hi, Andy.
Status: Started (was: Assigned)
Status: Fixed (was: Started)
