
Content Security Policy fixes #11552

Merged
merged 1 commit into atom:master from Floobits/csp_fixes on May 19, 2016

Conversation

@ggreer
Contributor

commented Apr 20, 2016

Add blob: protocol to img-src and media-src sources. Add data: and mediastream: protocols to media-src.

These changes are needed to fix video chat in the Floobits Atom plugin (issue Floobits/floobits-atom#114). A CSP directive of default-src: * doesn't cover protocols like blob:, data:, or mediastream:, which the Floobits package uses.

Content Security Policy fixes. Add blob: protocol to img-src and media-src sources. Add data: and mediastream: protocols to media-src.
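Added example, not code from this PR or from Atom: a simplified model of CSP source-list matching that shows why `default-src *` does not cover blob:, data: or mediastream: URLs and what listing them explicitly changes. The BEFORE and AFTER policy strings are constructed to mirror the PR description, not Atom's actual CSP line.

```javascript
// Added example, not code from this PR or from Atom: a simplified model of
// CSP source-list matching, enough to show why "default-src *" does not
// cover blob:, data: or mediastream: URLs and why they must be listed.
// Simplification: only '*', scheme-sources ("blob:") and full-origin
// host-sources ("https://example.com") are modelled; 'self' etc. are not.

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Parse "dir1 src src; dir2 src" into { dir1: [src, src], dir2: [src] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match the URL? Per CSP, '*' matches only
// network schemes; a scheme-source such as "blob:" matches that scheme.
function sourceMatches(expr, url) {
  const target = new URL(url);                        // target.protocol: "blob:"
  if (expr === '*') return NETWORK_SCHEMES.has(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === target.protocol;
  try {
    const host = new URL(expr);                       // host-source: scheme + host
    return host.protocol === target.protocol && host.host === target.host;
  } catch (e) {
    return false;                                     // keywords, malformed hosts
  }
}

// May `url` load under `directive`? Falls back to default-src when the
// specific directive is absent, as the browser does.
function isAllowed(policy, directive, url) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;                          // nothing restricts it
  return sources.some((expr) => sourceMatches(expr, url));
}

// Constructed policies mirroring the PR description, not Atom's real line.
const BEFORE = parseCsp('default-src *; img-src *; media-src *');
const AFTER = parseCsp('default-src *; img-src * blob:; media-src * blob: data: mediastream:');

// A <video> pointed at URL.createObjectURL(stream) loads a blob: URL
// (constructed value below) through media-src.
const STREAM_URL = 'blob:https://example.invalid/0000-constructed';
console.log('before fix:', isAllowed(BEFORE, 'media-src', STREAM_URL)); // false
console.log('after fix: ', isAllowed(AFTER, 'media-src', STREAM_URL));  // true
```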

@50Wliu 50Wliu added the needs-review label Apr 20, 2016

@ggreer

Contributor Author

commented Apr 21, 2016

I'm not sure what the Travis CI failure is about. It looks like some sort of unrelated timeout.

@lee-dohm lee-dohm added the atom label Apr 21, 2016

@mertkahyaoglu

Contributor

commented May 5, 2016

I need this in my project as well. The code below is not working right now;
video.src = window.URL.createObjectURL(stream)

@ggreer

Contributor Author

commented May 9, 2016

Can you please merge my PR? This bug is costing me money.

@lee-dohm

Member

commented May 19, 2016

We're still looking into this to ensure there aren't any unforeseen consequences. Relaxing the security could cause problems that we haven't seen before. The developers are looking into it and if they give the thumbs up, we'll go ahead and merge this. I'll have another update for you on Friday.

@ggreer

Contributor Author

commented May 19, 2016

This patch actually gets CSP behavior closer to what it used to be. Chromium has been tightening down how they parse CSP headers. The CSP line in the Atom source has been the same for years, but only recently did a new enough version of Chromium (in the form of Electron) ship in Atom to cause breakage.

See https://bugs.chromium.org/p/chromium/issues/detail?id=473904 for more patchsets related to stricter CSP parsing.

@lee-dohm

Member

commented May 19, 2016

Talked it over with the devs and the security experts. They gave the 👍

@lee-dohm lee-dohm merged commit 43e5359 into atom:master May 19, 2016

1 of 2 checks passed:
continuous-integration/travis-ci/pr: The Travis CI build failed
continuous-integration/appveyor/pr: AppVeyor build succeeded

BinaryMuse added a commit that referenced this pull request May 19, 2016

Merge pull request #11552 from Floobits/csp_fixes
Content Security Policy fixes
