
Issue 692442


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug




CSP - source-expression allows upgrade from http to https-so but not from https to https-so

Project Member Reported by arthurso...@chromium.org, Feb 15 2017

Issue description

When a CSP source-expression is "http:"  then the set of allowed schemes is {"http", "https", "http-so", "https-so"}
When a CSP source-expression is "https:" then the set of allowed schemes is {        "https"                       }

It means that "https-so" is not allowed when the "https" scheme is whitelisted.

A test is documenting this behavior here:
https://codereview.chromium.org/2694233002/

We don't know if we ever see a suborigin serialization when we're hitting CSP.
Since the CSP will also be checked on the browser-side, we will need to check that this doesn't cause problems here either.
 
Components: Blink>SecurityFeature
Status: Untriaged (was: Available)

Comment 2 Deleted

Comment 3 by mkwst@chromium.org, Feb 21 2017

Owner: andypaicu@chromium.org
Hi, Andy.

Comment 4 by mkwst@chromium.org, Feb 23 2017

Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, Mar 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594

commit d25a9b7ba1e9858fe4d444267524f8ebe8ad8594
Author: andypaicu <andypaicu@chromium.org>
Date: Mon Mar 13 14:37:10 2017

Stop CSP from matching independent scheme/port upgrades

Content-Security-Policy allows a URL to match a source-expression even
if the scheme or the port doesn't match, but in this case it must be an
upgrade to a more secure scheme (http->https) and more secure port (80->443).
The problem is that it happens independently, so it is allowed to have an
upgrade of the port without the scheme (http over 443) or an upgrade of the
scheme without the port (https over 80).

This is a change to force the upgrade to be both over port and scheme.

BUG=692499,692442

Review-Url: https://codereview.chromium.org/2708873002
Cr-Commit-Position: refs/heads/master@{#456376}

[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10.html
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp

Project Member

Comment 7 by bugdroid1@chromium.org, Apr 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/76108c2bf3ad1a4bac901ad99230f58faf87bc4b

commit 76108c2bf3ad1a4bac901ad99230f58faf87bc4b
Author: andypaicu <andypaicu@chromium.org>
Date: Tue Apr 11 08:03:58 2017

Stop CSP from matching independent scheme/port upgrades (content layer)

Made the changes necessary in content to mimic the behaviour of
https://codereview.chromium.org/2708873002
Copied from there:
"Content-Security-Policy allows a URL to match a source-expression even
if the scheme or the port doesn't match, but in this case it must be an
upgrade to a more secure scheme (http->https) and more secure port (80->443).
The problem is that it happens independently, so it is allowed to have an
upgrade of the port without the scheme (http over 443) or an upgrade of the
scheme without the port (https over 80).

This is a change to force the upgrade to be both over port and scheme."

BUG=692499,692442

Review-Url: https://codereview.chromium.org/2792013002
Cr-Commit-Position: refs/heads/master@{#463570}

[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_context.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_context.h
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source_list.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source_unittest.cc

Status: Fixed (was: Started)
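
Added example, not part of the issue thread and not Chromium's code: a simplified C++ model of the matching rule the two commit messages describe, comparing independent scheme/port upgrades with the joint rule. It assumes explicit ports, exact host matching and no paths or wildcards; `Origin`, `MatchesIndependent` and `MatchesJoint` are hypothetical names.

```cpp
// Added illustration: a simplified model of CSP source matching, not Chromium's code.
// Assumptions: explicit ports only, exact host match, no paths or wildcards.
#include <iostream>
#include <string>

enum class Match { kNone, kExact, kUpgrade };

struct Origin {  // used for both the source-expression and the request URL
  std::string scheme;
  std::string host;
  int port;
};

// http -> https is the only scheme upgrade modelled here.
Match SchemeMatch(const Origin& src, const Origin& url) {
  if (src.scheme == url.scheme) return Match::kExact;
  if (src.scheme == "http" && url.scheme == "https") return Match::kUpgrade;
  return Match::kNone;
}

// 80 -> 443 is the only port upgrade modelled here.
Match PortMatch(const Origin& src, const Origin& url) {
  if (src.port == url.port) return Match::kExact;
  if (src.port == 80 && url.port == 443) return Match::kUpgrade;
  return Match::kNone;
}

// Behaviour described as the problem: each component is judged on its own.
bool MatchesIndependent(const Origin& src, const Origin& url) {
  return src.host == url.host && SchemeMatch(src, url) != Match::kNone &&
         PortMatch(src, url) != Match::kNone;
}

// Behaviour described as the fix: an upgrade counts only if both components upgrade.
bool MatchesJoint(const Origin& src, const Origin& url) {
  if (!MatchesIndependent(src, url)) return false;
  Match s = SchemeMatch(src, url), p = PortMatch(src, url);
  return (s == Match::kUpgrade) == (p == Match::kUpgrade);
}

int main() {
  const Origin src{"http", "example.com", 80};  // constructed source-expression
  const Origin urls[] = {{"http", "example.com", 80}, {"https", "example.com", 443},
                         {"http", "example.com", 443}, {"https", "example.com", 80}};
  for (const Origin& u : urls)
    std::cout << u.scheme << "://" << u.host << ":" << u.port
              << " independent=" << MatchesIndependent(src, u)
              << " joint=" << MatchesJoint(src, u) << "\n";
}
```

The two mixed cases (http over 443, https over 80) are the ones where the two functions disagree.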
