CSP: source-expression allows upgrade of the scheme and the port independently.
Issue description

Content-Security-Policy allows a URL to match a source-expression even if the scheme or the port doesn't match, but in this case it must be an upgrade to a more secure scheme (http->https) and more secure port (80->443). The problem is that it happens independently, so it is allowed to have an upgrade of the port without the scheme (http over 443) or an upgrade of the scheme without the port (https over 80). A test describes this behavior here: https://codereview.chromium.org/2689363003/
Feb 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ba1205f748c335e037ad516e29cee9d23dffd21f

commit ba1205f748c335e037ad516e29cee9d23dffd21f
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Wed Feb 15 13:25:56 2017

CSP: Add test: Allow port upgrade without scheme upgrade and vice versa.

This is a backport of a test in:
https://codereview.chromium.org/2612793002/

What is interesting in this test is that CSP allows port and scheme to be upgraded in their secure version independently. The result is that one of them can be upgraded without the other (http on port 443 or https on port 80).

BUG=692499
Review-Url: https://codereview.chromium.org/2689363003
Cr-Commit-Position: refs/heads/master@{#450685}

[modify] https://crrev.com/ba1205f748c335e037ad516e29cee9d23dffd21f/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
Feb 15 2017
Upgrade
Feb 21 2017
Mar 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594

commit d25a9b7ba1e9858fe4d444267524f8ebe8ad8594
Author: andypaicu <andypaicu@chromium.org>
Date: Mon Mar 13 14:37:10 2017

Stop CSP from matching independent scheme/port upgrades

Content-Security-Policy allows a URL to match a source-expression even if the scheme or the port doesn't match, but in this case it must be an upgrade to a more secure scheme (http->https) and more secure port (80->443). The problem is that it happens independently, so it is allowed to have an upgrade of the port without the scheme (http over 443) or an upgrade of the scheme without the port (https over 80).

This is a change to force the upgrade to be both over port and scheme.

BUG=692499, 692442
Review-Url: https://codereview.chromium.org/2708873002
Cr-Commit-Position: refs/heads/master@{#456376}

[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10.html
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSource.h
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/d25a9b7ba1e9858fe4d444267524f8ebe8ad8594/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
Mar 31 2017
Mar 31 2017
Apr 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/76108c2bf3ad1a4bac901ad99230f58faf87bc4b

commit 76108c2bf3ad1a4bac901ad99230f58faf87bc4b
Author: andypaicu <andypaicu@chromium.org>
Date: Tue Apr 11 08:03:58 2017

Stop CSP from matching independent scheme/port upgrades (content layer)

Made the changes necessary in content to mimic the behaviour of https://codereview.chromium.org/2708873002

Copied from there:
"Content-Security-Policy allows a URL to match a source-expression even if the scheme or the port doesn't match, but in this case it must be an upgrade to a more secure scheme (http->https) and more secure port (80->443). The problem is that it happens independently, so it is allowed to have an upgrade of the port without the scheme (http over 443) or an upgrade of the scheme without the port (https over 80).

This is a change to force the upgrade to be both over port and scheme."

BUG=692499, 692442
Review-Url: https://codereview.chromium.org/2792013002
Cr-Commit-Position: refs/heads/master@{#463570}

[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_context.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_context.h
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source_list.cc
[modify] https://crrev.com/76108c2bf3ad1a4bac901ad99230f58faf87bc4b/content/common/content_security_policy/csp_source_unittest.cc
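
The matching behaviour reported in the issue description and the coupled check the two fix commits describe, as an added example that is not Chromium's code. It is a simplified model that compares only the scheme and an explicit port; the type names, function names and the sample source-expression are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Simplified model: only the scheme and an explicit port are compared.
// Type and function names are hypothetical, not Blink's.
struct SchemePort {
  std::string scheme;
  int port;
};

enum class Match { kNone, kExact, kUpgrade };

Match MatchScheme(const std::string& expr, const std::string& url) {
  if (expr == url) return Match::kExact;
  if (expr == "http" && url == "https") return Match::kUpgrade;
  return Match::kNone;
}

Match MatchPort(int expr, int url) {
  if (expr == url) return Match::kExact;
  if (expr == 80 && url == 443) return Match::kUpgrade;
  return Match::kNone;
}

// Behaviour described in the issue: each component is judged on its own.
bool MatchesIndependent(const SchemePort& expr, const SchemePort& url) {
  return MatchScheme(expr.scheme, url.scheme) != Match::kNone &&
         MatchPort(expr.port, url.port) != Match::kNone;
}

// Behaviour after the fix: an upgrade counts only if scheme and port upgrade together.
bool MatchesCoupled(const SchemePort& expr, const SchemePort& url) {
  const Match s = MatchScheme(expr.scheme, url.scheme);
  const Match p = MatchPort(expr.port, url.port);
  if (s == Match::kNone || p == Match::kNone) return false;
  return (s == Match::kUpgrade) == (p == Match::kUpgrade);
}

int main() {
  // Constructed source-expression: scheme http, port 80.
  const SchemePort expr{"http", 80};
  const SchemePort urls[] = {{"http", 80}, {"https", 443}, {"http", 443}, {"https", 80}};
  for (const SchemePort& u : urls)
    std::printf("%s:%d independent=%d coupled=%d\n", u.scheme.c_str(), u.port,
                MatchesIndependent(expr, u), MatchesCoupled(expr, u));
  return 0;
}
```

The two mixed cases (http on 443, https on 80) are the only rows where the two functions disagree.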
Apr 11 2017
Comment 1 by mkwst@chromium.org, Feb 15 2017
Owner: andypaicu@chromium.org
Status: Assigned (was: Untriaged)