Content-Security-Policy - blob-url are blocked when blob-url are allowed and CSP are bypassed. |
||||||
Issue descriptionChrome Version: 56.0.2924.87 (Official Build) (64-bit) OS: All When the CSPs allows the 'blob' scheme or the 'filesystem' scheme, the request to a blob-url or a filesystem-url are allowed. This is the expected behavior. The problem is that when the origin's scheme bypasses the CSP, they become blocked even if they are white-listed. This bug is documented there with some tests: https://codereview.chromium.org/2691063003/ TEST = SourceListDirectiveTest.FilesystemDisallowedWhenBypassingSelfScheme SourceListDirectiveTest.BlobDisallowedWhenBypassingSelfScheme
,
Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/27477347836bad10c666f3918b6d77bc742f4785 commit 27477347836bad10c666f3918b6d77bc742f4785 Author: arthursonzogni <arthursonzogni@chromium.org> Date: Tue Feb 14 14:50:46 2017 Content-Security-Policy: Add test with 'filesystem' and 'blob'. A few tests that show how Content-Security-Policy works with blob-urls and filesystem-urls, especially when the inner url is used. BUG= 692046 Review-Url: https://codereview.chromium.org/2691063003 Cr-Commit-Position: refs/heads/master@{#450350} [modify] https://crrev.com/27477347836bad10c666f3918b6d77bc742f4785/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
,
Feb 14 2017
,
Feb 15 2017
,
Feb 21 2017
Hi, Andy.
,
Feb 24 2017
,
Mar 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3fa8e5f655b856cc26a907d2354502eaefb8232c commit 3fa8e5f655b856cc26a907d2354502eaefb8232c Author: andypaicu <andypaicu@chromium.org> Date: Mon Mar 13 11:32:22 2017 Moved all tests about bypassing CSP into ContentSecurityPolicyTest Removed logic related to bypassing CSP from SourceListDirective Ammended ContentSecurityPolicy to know about blob and filesystem bypasses BUG= 692046 Review-Url: https://codereview.chromium.org/2714203002 Cr-Commit-Position: refs/heads/master@{#456353} [modify] https://crrev.com/3fa8e5f655b856cc26a907d2354502eaefb8232c/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp [modify] https://crrev.com/3fa8e5f655b856cc26a907d2354502eaefb8232c/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h [modify] https://crrev.com/3fa8e5f655b856cc26a907d2354502eaefb8232c/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp [modify] https://crrev.com/3fa8e5f655b856cc26a907d2354502eaefb8232c/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp [modify] https://crrev.com/3fa8e5f655b856cc26a907d2354502eaefb8232c/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
,
Apr 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e commit e5cc01bf83814738ab18e0ef4c0404b5e2119b3e Author: andypaicu <andypaicu@chromium.org> Date: Wed Apr 05 13:59:14 2017 Moved all tests about bypassing CSP into ContentSecurityPolicyTest (mirror) This is a mirror implementation of https://codereview.chromium.org/2714203002 Summary from there: "Removed logic related to bypassing CSP from SourceListDirective Ammended ContentSecurityPolicy to know about blob and filesystem bypasses" BUG= 692046 Review-Url: https://codereview.chromium.org/2792973004 Cr-Commit-Position: refs/heads/master@{#462058} [modify] https://crrev.com/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e/content/common/content_security_policy/content_security_policy.cc [modify] https://crrev.com/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e/content/common/content_security_policy/content_security_policy_unittest.cc [modify] https://crrev.com/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e/content/common/content_security_policy/csp_context.h [modify] https://crrev.com/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e/content/common/content_security_policy/csp_source_list.cc [modify] https://crrev.com/e5cc01bf83814738ab18e0ef4c0404b5e2119b3e/content/common/content_security_policy/csp_source_list_unittest.cc
,
Apr 5 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by arthurso...@chromium.org
, Feb 14 2017