Issue 771922

Issue metadata

Status: Started
Pri: 3
Type: Feature

CSP: unsafe-hashed-attributes

Project Member Reported by andypaicu@chromium.org, Oct 5 2017

Issue description

Implement and ship 'unsafe-hashed-attributes'


https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage
 
Status: Started (was: Assigned)

Comment 3 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 4 by bugdroid1@chromium.org, Jan 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32

commit cced8d86e2cb6448bc58d59f7b1e80c5a4829c32
Author: Andy Paicu <andypaicu@chromium.org>
Date: Mon Jan 15 10:58:54 2018

Prototype for backwards-compatible 'unsafe-hashed-attributes'

This prototype allows you to write backwards compatible CSP policies
using the CSP3 'unsafe-hashed-attributes' and the specific 'csp3-'
prefix that is only recognized by CSP3.

The prefix works with 'strict-dynamic' and hashes.
e.g.
'csp3-strict-dynamic'
'csp3-sha256-wmuLCpoj8EMqfQlPnt5NIMgKkCK62CxAkAiewI0zZps='

Bug: 771922
Change-Id: I770bb3f5a16af5e69a390b1616287b7b9e3de4a8
Reviewed-on: https://chromium-review.googlesource.com/860644
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529243}
[add] https://crrev.com/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/csp3-experimental/csp3-strict-dynamic.html
[add] https://crrev.com/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/csp3-experimental/csp3_nonces.html
[add] https://crrev.com/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/csp3-experimental/csp3_script_event_handlers_allowed.html
[add] https://crrev.com/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/pass.png
[modify] https://crrev.com/cced8d86e2cb6448bc58d59f7b1e80c5a4829c32/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp

Comment 5 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 6 by bugdroid1@chromium.org, Jun 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6599d5ffc3361175ddb3facc75eee7546a9a01ac

commit 6599d5ffc3361175ddb3facc75eee7546a9a01ac
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Jun 22 13:38:02 2018

Completed 'unsafe-hashes' per spec

'unsafe-hashed-attributes' renamed to 'unsafe-hashes'
'unsafe-hashes' matches style attributes correctly now
'unsafe-hashes' works for javascript: URLs
'unsafe-hashes' tests added and amended

spec (approved and to be submitted at the same time as this CR):
https://github.com/w3c/webappsec-csp/pull/311

I2I: https://groups.google.com/a/chromium.org/d/msg/blink-dev/4dohVXDfEI4/tO6rhuv4AwAJ

Bug: 771922
Change-Id: I018cc0f73d492cb4057ff4c41d9be4df8438036c
Reviewed-on: https://chromium-review.googlesource.com/1095217
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569593}
[rename] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
[rename] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
[rename] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
[rename] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/style_attribute_allowed.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
[add] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/unsafe-hashes/support/child_window_location_navigate.sub.html
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/external/wpt/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-handler-allowed.html
[delete] https://crrev.com/ab51a7e0bf21fa1922d06f88a4fff592269b42fc/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/csp3-experimental/csp3_script_event_handlers_allowed.html
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/bindings/core/v8/script_controller.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/dom/element.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/exported/web_plugin_container_impl.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/csp_directive_list.h
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/source_list_directive.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/source_list_directive.h
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/frame/csp/source_list_directive_test.cc
[modify] https://crrev.com/6599d5ffc3361175ddb3facc75eee7546a9a01ac/third_party/blink/renderer/core/page/create_window.cc
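The behaviour the two commit messages above describe (hash sources covering inline script blocks on their own, but event-handler attributes, style attributes and javascript: URLs only when the directive also carries 'unsafe-hashes') can be modelled as a small policy check. This is an added example, not Blink's source_list_directive.cc; the sample inline values, the function names and the 'script'/'attribute' kind labels are constructed for illustration.

```python
import base64
import hashlib
from typing import Sequence

# Constructed sample inline values (not taken from the Chromium change).
HANDLER = "toggleMenu();"   # the body of an onclick="..." attribute
STYLE = "color: red"        # the body of a style="..." attribute
ALGORITHMS = ("sha256", "sha384", "sha512")  # the only algorithms CSP accepts


def csp_hash(text: str, algo: str = "sha256") -> str:
    """Return the hash-source ('<algo>-<base64>') for an inline value.

    The hashed bytes are the UTF-8 encoding of the attribute value or
    script text exactly as written, with no trimming.
    """
    digest = hashlib.new(algo, text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def allows_inline(sources: Sequence[str], text: str, kind: str) -> bool:
    """Model the CSP3 inline check for one directive's source list.

    kind is 'script' for an inline <script> block, or 'attribute' for an
    event-handler attribute, a style attribute or a javascript: URL.
    A hash source covers a script block by itself; for the attribute and
    javascript: URL cases the policy must also carry 'unsafe-hashes'.
    """
    keywords = {s.lower() for s in sources}
    hash_sources = [s for s in sources if s.lower().startswith("'sha")]
    has_nonce = any(s.lower().startswith("'nonce-") for s in sources)
    # 'unsafe-inline' is honoured only while no nonce or hash is present.
    if "'unsafe-inline'" in keywords and not hash_sources and not has_nonce:
        return True
    if kind != "script" and "'unsafe-hashes'" not in keywords:
        return False
    for src in hash_sources:
        algo, value = src.strip("'").split("-", 1)
        algo = algo.lower()  # algorithm names compare case-insensitively
        if algo not in ALGORITHMS:
            continue  # unknown hash algorithm: the expression never matches
        # Base64 digests are case-sensitive; base64url spellings are
        # accepted by normalising them to standard base64 first.
        value = value.replace("-", "+").replace("_", "/")
        if csp_hash(text, algo) == f"'{algo}-{value}'":
            return True
    return False
```

Run `csp_hash(HANDLER)` to obtain the source expression to put in the directive, then `allows_inline(...)` to see which inline contexts that policy permits.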
