chore: cherry-pick 8af66de55aad from chromium #31524

Merged
merged 2 commits into from
Oct 25, 2021


ppontes
Member

@ppontes ppontes commented Oct 21, 2021

Limit length of 'csp' attribute

Most servers limit the length of request headers anywhere. 4Kb seems
like a reasonable limit, which some popular http servers have by
default, and which we already enforce for Referer
(https://crrev.com/c/1595872).

I would have liked the constant 4096 to be shared between //content
and blink. This would have required putting it somewhere like in
//services/network or in //third_party/blink/common, creating a new
file for it. I thought it would be easier to avoid that for this
change.

It would be safer to not load the iframe document, or to impose some
very strict CSP like "default-src 'none'", instead of just ignoring
the 'csp' attribute if that's too long. However, ignoring is what we
already do if the attribute contains illegal characters or does not
match the CSP grammar or is not subsumed by the parent iframe's csp
attribute. For this change, I believe it's better to stay consistent
with that, and later change the CSPEE code to block loading in all
those cases.

Bug: 1233067
Change-Id: Ie9cd3db82287a76892cca76a0bf0d4a1613a3055
Fixed: 1233067
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057048
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#914730}

Notes: Backported fix for 1233067.
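
The length limit and the two failure behaviours weighed in the commit message above (ignore the attribute, or fall back to "default-src 'none'"), shown as an added example that is not Chromium's or Electron's code. `RequiredCspFor`, `RejectPolicy`, `RequiredCsp` and `HasIllegalHeaderChars` are hypothetical names; treating CR, LF and NUL as the illegal characters and rejecting only values longer than 4096 bytes are assumptions, and the grammar and subsumption checks are left out.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// 4096 is the limit named in the commit message (the value already used for
// Referer). Assumption: values longer than this are the ones rejected.
constexpr std::size_t kMaxCspAttributeLength = 4096;

// What to do with a rejected 'csp' attribute (hypothetical names).
enum class RejectPolicy {
  kIgnore,      // behaviour the commit message keeps: drop the attribute
  kFailClosed,  // stricter alternative it discusses: "default-src 'none'"
};

struct RequiredCsp {
  bool enforced;       // false: the frame loads with no required CSP
  std::string policy;  // meaningful only when enforced is true
};

// Assumption: "illegal characters" modelled as bytes that cannot appear in
// an HTTP header value (CR, LF, NUL).
bool HasIllegalHeaderChars(const std::string& value) {
  for (unsigned char c : value) {
    if (c == '\r' || c == '\n' || c == '\0') return true;
  }
  return false;
}

// Returns the policy the embedder ends up requiring of the framed document.
RequiredCsp RequiredCspFor(const std::string& attr, RejectPolicy on_reject) {
  const bool rejected =
      attr.size() > kMaxCspAttributeLength || HasIllegalHeaderChars(attr);
  if (!rejected) return {true, attr};
  if (on_reject == RejectPolicy::kFailClosed) return {true, "default-src 'none'"};
  return {false, ""};  // fail-open: the oversized attribute has no effect
}

int main() {
  const std::string oversized(kMaxCspAttributeLength + 1, 'a');  // constructed input
  const RequiredCsp open = RequiredCspFor(oversized, RejectPolicy::kIgnore);
  const RequiredCsp closed = RequiredCspFor(oversized, RejectPolicy::kFailClosed);
  std::cout << "ignore: enforced=" << open.enforced << "\n"
            << "fail-closed: policy=" << closed.policy << "\n";
  return 0;
}
```

With `kIgnore`, an oversized attribute leaves the frame with no embedder-required policy at all, which is the gap the commit message proposes closing later by blocking the load.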

@ppontes ppontes requested a review from a team as a code owner October 21, 2021 14:20
@ppontes ppontes added 14-x-y backport-check-skip Skip trop's backport validity checking semver/patch backwards-compatible bug fixes labels Oct 21, 2021
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Oct 21, 2021
@ppontes ppontes force-pushed the cherry-pick/14-x-y/chromium/8af66de55aad branch from 13de865 to 7dcf96e Compare October 22, 2021 09:01
@zcbenz zcbenz merged commit 018bee3 into 14-x-y Oct 25, 2021
@zcbenz zcbenz deleted the cherry-pick/14-x-y/chromium/8af66de55aad branch October 25, 2021 00:47
release-clerk bot commented Oct 25, 2021

Release Notes Persisted

Backported fix for 1233067.

Labels
14-x-y backport-check-skip Skip trop's backport validity checking security 🔒 semver/patch backwards-compatible bug fixes