commit | 568075bbc5d16239a5cbdeb579a8768f9836f13e |
---|---|
author | mkwst <mkwst@chromium.org> | Thu Nov 19 11:54:24 2015 |
committer | Commit bot <commit-bot@chromium.org> | Thu Nov 19 11:55:10 2015 |
tree | dcfd2a1251dc5fe19c393543fa19412a0114bb7b |
parent | be2192a008d572b272f21431c1142486d62b6a01 |
CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan slightly less able to gather data on users' behavior based on CSP reports [1]. This matches Firefox's existing behavior (they apparently changed this behavior a few months ago, via a happy accident [2]), and mitigates the CSP-variant of Sniffly [3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765,558232

Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}
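A compact model of the matching change, as an added example and not code from the Chromium commit: a CSP host-source matcher in which an `http:` (or `ws:`) source expression also matches the `https:` (or `wss:`) form of the same origin, following the CSP spec rule the commit links in [1]. The `allowUpgrade` flag, the helper names and the constructed `img-src` policy at the end are assumptions for illustration; the old-matcher case shows why a violation report could act as a signal.

```javascript
// Simplified CSP host-source matcher: scheme, host and port only (no paths,
// no wildcards). Added example; not the Chromium implementation.

// Per-scheme default ports; an expression with no explicit port matches only
// a URL on its scheme's default port.
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Post-change rule (CSP spec scheme-part matching): an insecure scheme in a
// source expression also matches its secure counterpart. With allowUpgrade
// false this behaves like the pre-change matcher, which required equality.
function schemeMatches(exprScheme, urlScheme, allowUpgrade) {
  if (exprScheme === urlScheme) return true;
  if (!allowUpgrade) return false;
  return (exprScheme === "http:" && urlScheme === "https:") ||
         (exprScheme === "ws:" && urlScheme === "wss:");
}

function sourceMatches(sourceExpr, urlString, { allowUpgrade = true } = {}) {
  const expr = new URL(sourceExpr);
  const url = new URL(urlString);
  if (!schemeMatches(expr.protocol, url.protocol, allowUpgrade)) return false;
  if (expr.hostname !== url.hostname) return false;
  // new URL() normalises a scheme's default port to "", so "" on both sides
  // means "default port for each scheme" and matches even across an upgrade.
  if (expr.port === "") return url.port === "";
  return Number(expr.port) === Number(url.port);
}

// True when no expression in the directive's source list matches the URL,
// i.e. when the load is blocked and a violation report would be sent.
function wouldReport(sourceList, urlString, opts) {
  return !sourceList.some((s) => sourceMatches(s, urlString, opts));
}

// Constructed policy: `img-src http://example.com`. Under the old matcher the
// same image fetched over https was blocked and reported, so the report itself
// revealed whether the user's request had been upgraded; the new matcher
// treats both as allowed and sends nothing.
const IMG_SRC = ["http://example.com"];
const oldBehaviour = wouldReport(IMG_SRC, "https://example.com/pixel.png", { allowUpgrade: false }); // true
const newBehaviour = wouldReport(IMG_SRC, "https://example.com/pixel.png");                         // false
```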