commit | ab830edb26a1f56f660b06459d70e1d48a707975 | [log] [tgz] |
---|---|---|
author | Mike West <mkwst@google.com> | Tue Jan 12 08:56:39 2016 |
committer | Mike West <mkwst@google.com> | Tue Jan 12 08:59:26 2016 |
tree | 24223031df8a42ee6720c567c81f1067709f0be6 | |
parent | 9f80eae6508185f7aed39f1f91a301d9ca18978a [diff] |
CSP: Source expressions can no longer lock sites into insecurity. CSP's matching algorithm has been updated to make clever folks like Yan slightly less able to gather data on user's behavior based on CSP reports[1]. This matches Firefox's existing behavior (they apparently changed this behavior a few months ago, via a happy accident[2]), and mitigates the CSP-variant of Sniffly[3]. On the dashboard at https://www.chromestatus.com/feature/6653486812889088. [1]: https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60 [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218524#c2 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1218778#c7 BUG=544765,558232 Review URL: https://codereview.chromium.org/1455973003 Cr-Commit-Position: refs/heads/master@{#360562} (cherry picked from commit 568075bbc5d16239a5cbdeb579a8768f9836f13e) Review URL: https://codereview.chromium.org/1581573002 . Cr-Commit-Position: refs/branch-heads/2564@{#538} Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}