Navigate-to current implementation level. #10071

Merged
merged 1 commit into from May 17, 2018

chromium-wpt-export-bot commented Mar 16, 2018

This feature is getting too big for a single code review so I'm splitting it up.
This is all behind the experimental CSP features flag.

What is covered:
- The 'navigate-to' directive is now parsed and understood
- The navigation relevant directives are passed as part of common params
- A navigation csp context is created out of the navigation relevant directives
- This navigation csp context is used to perform the 'navigate-to' checks

What is not covered but I will cover in future CRs:
- securitypolicyviolation events are raised on the wrong host because we don't know what the initiator is
- CSP reports are sent using the current frame host as an intermediary which has negative security implications
- There are no WPT tests for the 'unsafe-allow-redirects' flag, only unit tests

I2S: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/EJ4xF_DwZyk
Spec: https://w3c.github.io/webappsec-csp/#directive-navigate-to

Bug: 805886
Change-Id: Iaab324163dbe7389dcd440afa1ee51c0de215401

TBR=jochen@chromium.org

Change-Id: Iaab324163dbe7389dcd440afa1ee51c0de215401
Reviewed-on: https://chromium-review.googlesource.com/957726
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559026}

wpt-pr-bot left a comment

Already reviewed downstream.

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch from 057c2c0 to 3c7d369 Mar 16, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot changed the title Navigate-to current implementation level Navigate-to current implementation level. Mar 16, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch from 3c7d369 to 6329327 Mar 16, 2018

w3c-bots commented Mar 16, 2018

Build PASSED

Started: 2018-03-16 12:39:40
Finished: 2018-03-16 13:26:29

View more information about this build on:

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch 3 times, most recently from 6746acf to 20b484d Apr 6, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch from 20b484d to 6cdefb7 Apr 18, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch 3 times, most recently from a3f5ca7 to 2ba1d10 Apr 26, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch 2 times, most recently from 71d0ae0 to b44bd73 May 7, 2018

@chromium-wpt-export-bot chromium-wpt-export-bot force-pushed the chromium-export-cl-957726 branch from b44bd73 to 0ed73f3 May 16, 2018

Hexcles commented May 17, 2018

@foolip this needs to be admin-merged. Too many tests are affected.

The Chrome job passed without seeing any flakes; the Firefox job eventually timed out, but didn't see any flake, either.

@foolip foolip merged commit 4f3d1a8 into master May 17, 2018

1 check failed

continuous-integration/travis-ci/pr The Travis CI build could not complete due to an error

@foolip foolip deleted the chromium-export-cl-957726 branch May 17, 2018

foolip commented May 17, 2018

Thanks @Hexcles, merged!
