CSP: Do not strip non webby URL in reports. #31578
Merged
In https://crbug.com/1264789, developers complained that non-HTTP/HTTPS URLs
are not included in reports.
The restriction was mostly introduced by:
https://codereview.chromium.org/2002943002 for convenience, in order to
reuse KURL::StrippedForUseAsReferrer.
The drawback is that "webpack://node_modules/sample/script4.js" is
transformed into "webpack", since its protocol is not http/https.
This patch initially wanted to remove this restriction by rewriting our
own version of StrippedForUseAsReferrer, without the inconvenience, and
most importantly, add 14 WPT test cases.
Last minute, I wrote a specification:
w3c/webappsec-csp#527 and decided to prefer
using an allow-list containing ['http', 'https'] instead of a
block-list. As a result, 'webpack:' URLs continue to be stripped down to
their scheme. Sorry...
Note: There are some schemes we don't want to expose, like
['chrome-extension', 'moz-extension'].
Bug: 1264789
Change-Id: Ia967c3122915a37b119321bb327e6c969d649020
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#944975}
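
The allow-list versus block-list choice described in the commit message above, as an added example that is not code from this pull request or from Chromium. The function name, the `policy` parameter, the empty-string result for unparseable input and the sample URLs are assumptions made for illustration; removing the fragment and credentials from http(s) URLs mirrors referrer-style stripping.

```javascript
// Added example (hypothetical names): how a URL would appear in a CSP
// violation report under an allow-list versus a block-list of schemes.
const ALLOWED_SCHEMES = new Set(["http", "https"]); // allow-list from the commit message
const BLOCKED_SCHEMES = new Set(["chrome-extension", "moz-extension"]); // schemes the message says not to expose

function stripForReport(input, policy = "allow-list") {
  let url;
  try {
    url = new URL(input);
  } catch {
    return ""; // assumption of this example: unparseable input reports nothing
  }
  const scheme = url.protocol.slice(0, -1); // "webpack:" -> "webpack"

  // Allow-list: only known web schemes are reported in full (fails closed).
  // Block-list: everything except the listed schemes is reported in full.
  const reportable = policy === "allow-list"
    ? ALLOWED_SCHEMES.has(scheme)
    : !BLOCKED_SCHEMES.has(scheme);
  if (!reportable) {
    return scheme; // stripped down to the scheme only
  }

  // Reportable URL: drop fragment and credentials before serializing.
  url.hash = "";
  url.username = "";
  url.password = "";
  return url.href;
}

// Constructed sample inputs; none of them come from a real report.
const samples = [
  "https://user:pw@example.com/a/b.js?x=1#frag",
  "webpack://node_modules/sample/script4.js",
  "chrome-extension://abcdefgh/page.html",
  "vendor-internal://build-host/private/path.js",
];
for (const s of samples) {
  console.log(s, "=>", stripForReport(s), "|", stripForReport(s, "block-list"));
}
```

The last sample shows why the allow-list is the safer default: a scheme nobody thought to block is still reduced to its scheme name, whereas the block-list variant would report it in full.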