Issue 893119 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	█ andypaicu@chromium.org Last visit > 30 days ago
Closed:	Oct 9
Components:	Blink>SecurityFeature>ContentSecurityPolicy
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug

directive names should be parsed case-insensitive

Project Member Reported by andypaicu@chromium.org, Oct 8

Issue description

See: https://github.com/w3c/webappsec-csp/issues/236

Repro:
Write a policy that uses different case directives, for example: "script-SRC example.com; SCRIPT-src not-example.com"

Expected: the second directive should be marked as duplicate and ignored
Actual: Chrome treats `script-SRC` and `SCRIPT-src` as different directives, neither is treated as `scripts-src` though.

Project Member

Comment 1 by bugdroid1@chromium.org, Oct 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/df1bc466df241402ea15aa1fd8a3f23ec9cd8a78

commit df1bc466df241402ea15aa1fd8a3f23ec9cd8a78
Author: Andy Paicu <andypaicu@chromium.org>
Date: Tue Oct 09 10:51:28 2018

Directive names should be case-insensitive

Spec: https://w3c.github.io/webappsec-csp/#parse-serialized-policy
Fixed Chromium's behaviour
Added unit tests
Added WPT tests

Bug:  893119 
Change-Id: I0ee1114fd90a933071ff03c9a64b95431a17be95
Reviewed-on: https://chromium-review.googlesource.com/c/1268316
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597873}
[add] https://crrev.com/df1bc466df241402ea15aa1fd8a3f23ec9cd8a78/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/directive-name-case-insensitive.sub.html
[modify] https://crrev.com/df1bc466df241402ea15aa1fd8a3f23ec9cd8a78/third_party/blink/renderer/core/frame/csp/content_security_policy_test.cc
[modify] https://crrev.com/df1bc466df241402ea15aa1fd8a3f23ec9cd8a78/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc

Comment 2 by andypaicu@chromium.org, Oct 9

Status: Fixed (was: Started)

►

Issue 893119 link

Issue metadata

directive names should be parsed case-insensitive

Issue description

Comment 1 by bugdroid1@chromium.org, Oct 9

Comment 1 Deleted

Comment 2 by andypaicu@chromium.org, Oct 9

Comment 2 Deleted

Sign in to add a comment