568075bbc5d16239a5cbdeb579a8768f9836f13e - chromium/src

commit	568075bbc5d16239a5cbdeb579a8768f9836f13e	[log] [tgz]
author	mkwst <mkwst@chromium.org>	Thu Nov 19 11:54:24 2015
committer	Commit bot <commit-bot@chromium.org>	Thu Nov 19 11:55:10 2015
tree	dcfd2a1251dc5fe19c393543fa19412a0114bb7b
parent	be2192a008d572b272f21431c1142486d62b6a01 [diff]

CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan
slightly less able to gather data on user's behavior based on CSP
reports[1]. This matches Firefox's existing behavior (they apparently
changed this behavior a few months ago, via a happy accident[2]), and
mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765,558232

Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}

3 files changed