Fix source list intersection algorithm #18
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The previous version of the algorithm computed a wrong intersection for the following example: A = http://*.org:*/index.html B = http://*.org http://*.example.org:*/index.html . While the correct intersection clearly is C = http://*.org/index.html http://*.example.org:*/index.html , the previous version of the algorithm disregarded the first match and instead just returned C' = http://*.example.org:*/index.html , which is stricter than the real intersection and hence makes it easier for the returned policy to be subsumed by the required one.
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 1, 2020
As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 2, 2020
As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 2, 2020
As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799}
pull bot
pushed a commit
to FreddyZeng/chromium
that referenced
this pull request
Sep 2, 2020
As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Sep 8, 2020
…EE in blink, a=testonly Automatic update from web-platform-tests Fix CSP source list intersection for CSPEE in blink As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799} -- wpt-commits: 953dd708a465fc3f89a6c74812cc18b62bbfc724 wpt-pr: 25322
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Sep 16, 2020
…EE in blink, a=testonly Automatic update from web-platform-tests Fix CSP source list intersection for CSPEE in blink As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#803799} -- wpt-commits: 953dd708a465fc3f89a6c74812cc18b62bbfc724 wpt-pr: 25322 UltraBlame original commit: 1bc560f22f1205745b327602101708d9882a7482
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Sep 16, 2020
…EE in blink, a=testonly Automatic update from web-platform-tests Fix CSP source list intersection for CSPEE in blink As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#803799} -- wpt-commits: 953dd708a465fc3f89a6c74812cc18b62bbfc724 wpt-pr: 25322 UltraBlame original commit: 1bc560f22f1205745b327602101708d9882a7482
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Sep 16, 2020
…EE in blink, a=testonly Automatic update from web-platform-tests Fix CSP source list intersection for CSPEE in blink As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzognichromium.org> Reviewed-by: Mike West <mkwstchromium.org> Commit-Queue: Antonio Sartori <antoniosartorichromium.org> Cr-Commit-Position: refs/heads/master{#803799} -- wpt-commits: 953dd708a465fc3f89a6c74812cc18b62bbfc724 wpt-pr: 25322 UltraBlame original commit: 1bc560f22f1205745b327602101708d9882a7482
ambroff
pushed a commit
to ambroff/gecko
that referenced
this pull request
Nov 4, 2020
…EE in blink, a=testonly Automatic update from web-platform-tests Fix CSP source list intersection for CSPEE in blink As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799} -- wpt-commits: 953dd708a465fc3f89a6c74812cc18b62bbfc724 wpt-pr: 25322
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
As explained in w3c/webappsec-cspee#18, Content-Security-Policy: Embedded Enforcement source list intersection algorithm sometimes computes a wrong intersection of two lists of source expressions. Additionally, blink CSPEE source intersection algorithm was computing a wrong intersection for http://*.com and http://*.example.com. We fix those problems and add a unit test and WP tests. Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2385458 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#803799} GitOrigin-RevId: 0ac6556f729e4c51e70f4a7091cbf2f662885638
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The previous version of the algorithm computed a wrong intersection
for the following example:
While the correct intersection clearly is
the previous version of the algorithm disregarded the first match and
instead just returned
which is stricter than the real intersection and hence makes it easier
for the returned policy to be subsumed by the required one.