CSP: Source expressions can no longer lock sites into insecurity.

CSP's matching algorithm has been updated to make clever folks like Yan
slightly less able to gather data on users' behavior based on CSP
reports[1]. This matches Firefox's existing behavior (they apparently
changed this behavior a few months ago, via a happy accident[2]), and
mitigates the CSP-variant of Sniffly[3].

On the dashboard at https://www.chromestatus.com/feature/6653486812889088.

[1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7

BUG=544765,558232

Review URL: https://codereview.chromium.org/1455973003

Cr-Commit-Position: refs/heads/master@{#360562}
(cherry picked from commit 568075bbc5d16239a5cbdeb579a8768f9836f13e)

Review URL: https://codereview.chromium.org/1581573002 .

Cr-Commit-Position: refs/branch-heads/2564@{#538}
Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}
3 files changed