
Make CSP default-src without 'unsafe-eval' block eval in iframes #24763

Merged: 1 commit, Jul 30, 2020

Conversation

@chromium-wpt-export-bot (Collaborator) commented Jul 27, 2020

This CL fixes the fallback behaviour of the Content Security Policy
script-src to default-src with regards to blocking eval in iframes
and, under certain conditions, when navigating to a new page.

Bug: 1107824
Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2316105
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#792281}
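The fallback the CL describes, as an added example that is not part of this PR, of web-platform-tests, or of Chromium: a Node.js model of the CSP3 lookup that decides whether eval() may run. It shows the script-src to default-src fallback, that 'unsafe-eval' is the only source expression that unlocks eval, that every policy on a document must allow it, and that a local-scheme iframe (about:blank, about:srcdoc, blob:, data:) inherits its parent's policies, so the fallback has to apply inside the frame too. The real WPT test has to run in a browser; this model only reproduces which directive ends up governing eval. The function names (parsePolicy, evalAllowed, policiesForFrame) and the sample headers are the example's own, and the local-scheme inheritance rule is a simplification of the spec's policy container.

```javascript
// Added example, not code from the PR, WPT or Chromium: a Node.js model of the
// CSP3 lookup that decides whether eval() may run, including the script-src ->
// default-src fallback and the policy inheritance of local-scheme iframes.
// Function names are this example's own (assumption, not a browser API).

// Parse one Content-Security-Policy header value into Map(directive -> source list).
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP3: a repeated directive name is ignored; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Directive that governs eval(): script-src, falling back to default-src when
// script-src is absent. Returns null when neither is set (eval unrestricted).
function governingSourceListForEval(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Nonces, hashes and host sources do not unlock eval; only 'unsafe-eval' does.
function policyAllowsEval(policy) {
  const list = governingSourceListForEval(policy);
  return list === null || list.includes("'unsafe-eval'");
}

// A document can carry several policies (two headers, header plus <meta>):
// eval runs only if every one of them allows it.
function evalAllowed(policies) {
  return policies.every(policyAllowsEval);
}

// Simplified policy-container rule (assumption, see lead-in): a frame whose URL
// has a local scheme inherits its parent's policies on top of any of its own;
// a frame loaded over the network is governed only by its own headers.
function policiesForFrame(parentHeaders, frameUrl, frameHeaders = []) {
  const own = frameHeaders.map(parsePolicy);
  if (/^(about:|blob:|data:)/i.test(frameUrl)) {
    return parentHeaders.map(parsePolicy).concat(own);
  }
  return own;
}

// Constructed sample headers exercising each branch of the lookup.
function demo() {
  const headers = [
    "default-src 'self'",                            // fallback: eval blocked
    "default-src 'self' 'unsafe-eval'",              // fallback: eval allowed
    "default-src 'self'; script-src 'unsafe-eval'",  // script-src overrides default-src
    "default-src 'unsafe-eval'; script-src 'self'",  // script-src present: no fallback
    "img-src 'none'",                                // neither directive: unrestricted
  ];
  return headers.map((h) => ({ header: h, evalAllowed: evalAllowed([parsePolicy(h)]) }));
}

for (const row of demo()) {
  console.log(`${row.evalAllowed ? 'allow' : 'block'}  ${row.header}`);
}
```

The case the PR title names is the first row: with only `default-src 'self'` set, the lookup falls back from the absent script-src to default-src, finds no 'unsafe-eval', and blocks eval; an about:blank child frame inherits that policy list and must block it as well, which is what the new WPT subtest checks in a real browser.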

@wpt-pr-bot (Collaborator) left a comment

The review process for this patch is being conducted in the Chromium project.

@LukeZielinski (Contributor)

One of the new tests was flaky on chrome dev:

Unstable results

Test: /content-security-policy/unsafe-eval/eval-in-iframe.html
Subtest: default-src blocks eval unless 'unsafe-eval' is specified.
Results: FAIL: 9/10, PASS: 1/10
Messages: assert_unreached: Eval code was executed in iframe Reached unreachable code

Unable to reproduce locally with ToT, retrying here.

@LukeZielinski LukeZielinski reopened this Jul 30, 2020
@chromium-wpt-export-bot chromium-wpt-export-bot merged commit a002a1a into master Jul 30, 2020
@chromium-wpt-export-bot chromium-wpt-export-bot deleted the chromium-export-cl-2316105 branch July 30, 2020 18:41
4 participants