Content Security Policy "connect-src" no longer accepts wildcard after last "/"
Reported by dror.ozg...@gmail.com, Apr 26 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce the problem:
1. Create a Content Security Policy with "connect-src https://www.foo.com/bar/*"
2. Attempt to go to https://www.foo.com/bar/foobar
3. Receive an error (Violating the Content Security Policy)
4. Change #1 to "connect-src https://www.foo.com/bar/"
5. Works

What is the expected behavior?
"connect-src https://www.foo.com/bar/*" and "connect-src https://www.foo.com/bar/" Should work

What went wrong?
Related to: https://chromium.googlesource.com/chromium/src/+/1b6330fb76698a0866f0232fdb3cac7b426f5df1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/blink-contrib/connect-src-eventsource-allowed.sub.html
New commit starting in Chrome v.58 causes "/*" at the end of "connect-src" urls not to work anymore

Did this work before? Yes
Anything before Chrome v.58

Chrome version: 58.0.3029.81
Channel: stable
OS Version: 6.3
Flash Version:
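The two results in the steps above are what the CSP Level 3 path-part matching steps produce: a source path ending in "/" is a prefix match, any other path must match exactly, and "*" has no wildcard meaning inside the path. The sketch below is an added example, not code from this report or from Chromium; that Chrome 58 enforces exactly these steps is an assumption, and `decodePiece`, `pathPartMatches` and `sourceAllows` are hypothetical names.

```javascript
// Added example: path-part matching for a CSP source expression, following
// the CSP Level 3 "path-part matches" steps. Not Chromium's implementation.

function decodePiece(piece) {
  try {
    return decodeURIComponent(piece);
  } catch (e) {
    return piece; // malformed escape: compare the raw text
  }
}

// sourcePath: path of the source expression, e.g. "/bar/" or "/bar/*"
// urlPath:    path of the requested URL, e.g. "/bar/foobar"
function pathPartMatches(sourcePath, urlPath) {
  if (sourcePath === "") return true;        // no path in the policy: any path allowed
  if (sourcePath === "/" && urlPath === "") return true;
  const exact = !sourcePath.endsWith("/");   // trailing "/" means prefix match
  const a = sourcePath.split("/");
  const b = urlPath.split("/");
  if (a.length > b.length) return false;
  if (exact && a.length !== b.length) return false;
  if (!exact) a.pop();                       // drop the empty piece after the final "/"
  // "*" is compared literally: the path part has no wildcard
  return a.every((piece, i) => decodePiece(piece) === decodePiece(b[i]));
}

// Checks a source expression (scheme://host/path) against a request URL.
// Host wildcards and explicit ports are out of scope for this example.
function sourceAllows(sourceExpr, requestUrl) {
  const m = /^(https?:)\/\/([^\/]+)(\/.*)?$/.exec(sourceExpr);
  if (!m) return false;
  const url = new URL(requestUrl);
  if (url.protocol !== m[1] || url.host !== m[2]) return false;
  return pathPartMatches(m[3] || "", url.pathname);
}

// Constructed cases built from the URLs in the report
const cases = [
  ["https://www.foo.com/bar/*", "https://www.foo.com/bar/foobar"],
  ["https://www.foo.com/bar/", "https://www.foo.com/bar/foobar"],
  ["https://www.foo.com/bar/*", "https://www.foo.com/bar/*"],
  ["https://www.foo.com/bar", "https://www.foo.com/bar/foobar"],
];
for (const [src, url] of cases) {
  console.log(`${src}  vs  ${url}  ->  ${sourceAllows(src, url)}`);
}
```

When auditing a policy, a source path that ends in "*" is worth flagging, since under these steps it only ever matches a URL whose final path segment is a literal asterisk.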
Apr 26 2017
Note: Other browsers seem to require the "/*" wildcard at the end of the "connect-src" urls to work properly. This is a breaking change.
Apr 26 2017
Created a bug under the correct Component: https://bugs.chromium.org/p/chromium/issues/detail?id=715589
Aug 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 Deleted