Ship `nonce` content attribute hiding behavior.
Issue description
Jun 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7bcb9ee52f2600bafddabaed884ccfea52916753

commit 7bcb9ee52f2600bafddabaed884ccfea52916753
Author: Mike West <mkwst@chromium.org>
Date: Mon Jun 12 11:15:02 2017

Ship `nonce` attribute hiding behavior.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wu_fMIYkyaQ/85j16Cg6BAAJ

Bug: 731752, 680419
Change-Id: I250e03b2fb614a21a2b7eb1a27b7a11a746e6fc8
Reviewed-on: https://chromium-review.googlesource.com/529249
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478590}

[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/virtual/stable/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/core/dom/NoncedElement.idl
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/core/svg/SVGScriptElement.idl
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5
Jun 13 2017
Dear release managers; flipping this flag addresses a security issue with our current implementation of the `nonce` attribute; the code behind the flag has been in the tree for weeks, we've just been held up with discussions with other browser vendors. I'd like to get this merged back to M60 to harden our CSP implementation, and make Google's security team marginally happier. :) WDYT?
Jun 13 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 14 2017
Feature freeze for M60 was May 12, which is more than a few weeks ago. I appreciate the motivation, but I'm assuming this isn't strictly required for 60 and we've been in this state for a while, and we're really trying to cut down on the churn we see on branches - thus I'm going to reject for 60, let's ship with 61. Please feel free to re-apply the merge request label if you feel strongly this needs to ship with 60 or I've misinterpreted any of the context, I'm happy to discuss further.
Jun 22 2017
mkwst@ - Could you please provide any update on this issue as it has been marked as a stable blocker. Thanks...!!
Jun 27 2017
@mkwst: Just to update, could you please update on this issue? Thank you!
Jul 3 2017
Gentle ping! Could you please update on this issue? Thank you!
Jul 7 2017
I don't know why this is marked as a stable blocker, I'm going to remove the tag.
Oct 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23

commit 8dc7ecf06ad9d333aa93f1a6306443d514e1bf23
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Oct 06 14:06:11 2017

Removed experimental feature/flag checks around nonces

We shipped these features a while ago by flipping the flag to stable. This patch removes the flag entirely, as it's no longer necessary.

Bug: 731752
Change-Id: I6dd79243d7a2152827abf125f1b0217c0388c2bd
Reviewed-on: https://chromium-review.googlesource.com/704576
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507054}

[modify] https://crrev.com/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23/third_party/WebKit/Source/core/dom/NoncedElement.idl
[modify] https://crrev.com/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23/third_party/WebKit/Source/core/html/HTMLElement.cpp
[modify] https://crrev.com/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23/third_party/WebKit/Source/core/svg/SVGElement.cpp
[modify] https://crrev.com/8dc7ecf06ad9d333aa93f1a6306443d514e1bf23/third_party/WebKit/Source/platform/runtime_enabled_features.json5
Oct 9 2017
Thanks for dropping the flag, Andy. Closing this out.
Comment 1 by mkwst@chromium.org, Jun 9 2017