
Issue 692505

Starred by 1 user

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug




CSP: source-expression like "foo.bar" doesn't match "http://.foo.bar"

Project Member Reported by arthurso...@chromium.org, Feb 15 2017

Issue description

There is possibly a problem when a URL with an empty sub-host is checked against CSP.

It's maybe not a big deal, as we apparently transparently rewrite `.example.com` to `example.com` for navigations.

With url = "http://.example.com", the current behavior is:
* If source-expression = "*.example.com" => allow
* If source-expression = "example.com"   => block.

Maybe the current behavior is the correct one. We need to think about it.

There is a test that documents this behavior:
https://codereview.chromium.org/2697853002/
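To make the two outcomes in the description concrete, here is a small reimplementation of CSP host-part matching in JavaScript. It is an added example, not Blink's CSPSource::hostMatches and not code from the bug thread. The names hostOf, hostOfSourceExpression, hostPartMatches, hostPartMatchesStrict, checkUrl and runCases are this example's own; the IP-address rules of the spec are left out; and the "strict" variant is one possible alternative reading of the wildcard rule, not something Chromium implemented.

```javascript
// Added example (not Blink's CSPSource::hostMatches): CSP host-part matching,
// run over the URL from the bug report. IP-address rules are omitted.

// Pull the host out of an absolute URL without normalising it, so an empty
// leading label (".example.com") survives exactly as the bug describes.
// Hypothetical helper written for this example.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#:]*)/i.exec(url);
  if (!m) throw new Error("not an absolute URL: " + url);
  return m[1];
}

// Host part of a CSP source expression: strip an optional "scheme://", then
// an optional ":port" and path. Hypothetical helper written for this example.
function hostOfSourceExpression(expr) {
  return expr.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").replace(/[:\/].*$/, "");
}

// Host-part match following the CSP3 wildcard/exact rules.
function hostPartMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*")) {
    // "*.example.com" becomes ".example.com"; any host ending in that string
    // matches. ".example.com" itself ends in ".example.com", so a host with an
    // empty leftmost label is allowed by the wildcard form.
    return h.endsWith(p.slice(1));
  }
  // Without a wildcard only an exact (case-insensitive) match passes, and
  // ".example.com" is not "example.com".
  return p === h;
}

// One possible stricter reading: whatever stands left of the wildcard suffix
// must be at least one non-empty label. This is the example's own variant,
// not Chromium's behaviour.
function hostPartMatchesStrict(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*")) return p === h;
  const remaining = p.slice(1);
  if (!h.endsWith(remaining)) return false;
  const prefix = h.slice(0, h.length - remaining.length);
  return prefix.length > 0 && prefix.split(".").every((label) => label.length > 0);
}

// Decide whether `url` is allowed by `sourceExpression` with the chosen matcher.
function checkUrl(url, sourceExpression, matcher = hostPartMatches) {
  return matcher(hostOfSourceExpression(sourceExpression), hostOf(url))
    ? "allow"
    : "block";
}

// The two cases from the report plus ordinary hosts for comparison
// (constructed inputs).
function runCases() {
  const cases = [
    ["http://.example.com", "*.example.com"],
    ["http://.example.com", "example.com"],
    ["http://www.example.com", "*.example.com"],
    ["http://example.com", "*.example.com"],
    ["http://a..example.com", "*.example.com"],
  ];
  return cases.map(([url, expr]) => ({
    url,
    expr,
    spec: checkUrl(url, expr),
    strict: checkUrl(url, expr, hostPartMatchesStrict),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runCases()) {
    console.log(
      `${r.url.padEnd(26)} vs ${r.expr.padEnd(15)} spec=${r.spec}  strict=${r.strict}`
    );
  }
}
```

The spec-style matcher reproduces exactly the asymmetry in the description: the wildcard suffix test is a plain string suffix check, so an empty leading label passes it, while the non-wildcard form is an exact comparison and rejects it. Whether that asymmetry is desirable is the open question of the bug; the strict variant shows what closing it would look like.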
 
Comment 1 by bugdroid1@chromium.org (Project Member), Feb 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a87a279a7fd622ca4130806c22e6cf2c9b3bc32e

commit a87a279a7fd622ca4130806c22e6cf2c9b3bc32e
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Wed Feb 15 15:21:54 2017

Content-Security-Policy: Backporting test of hostmatches in CSPSource.

Add tests about CSPSource::hostMatches(...) taken from
https://codereview.chromium.org/2612793002/

BUG=692505

Review-Url: https://codereview.chromium.org/2697853002
Cr-Commit-Position: refs/heads/master@{#450704}

[modify] https://crrev.com/a87a279a7fd622ca4130806c22e6cf2c9b3bc32e/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Comment 2 by ctengc...@gmail.com, Feb 21 2017

Interesting, will the CSP module implement a general high-performance host match engine in C++? I know AdBlock uses something (like a bloom filter) to consolidate the matching performance.

If CSP enhances this feature, I thought it could be used to block subresource requests...

Comment 3 by mkwst@chromium.org, Feb 23 2017

Status: Available (was: Untriaged)

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
