CSP: initial blank page inherits 'self'. #9316

Merged
merged 1 commit into from Feb 2, 2018

chromium-wpt-export-bot commented Jan 31, 2018

Content-Security-Policy: The CSP source 'self' is usually the origin of
the current document. Immediately after a new window or new frame is
created, there is no current document. In this case, the origin used is
the one of the opener (in case of a new window) or the parent (in case of a
new iframe).

For you intention: The frame's CSP are already the one of its opener when
there is still no committed document. It makes sense to do the same
with 'self'.

Several web platform tests are added.

Bug: 807206
Change-Id: I2acf66d9b6d63d4efb14370a4d0ff2206c943aeb
Reviewed-on: https://chromium-review.googlesource.com/895589
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534017}
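
The rule in the commit message above, sketched as an added example that is not part of this PR or of Chromium's code: a context with no committed document takes the origin behind 'self' from its opener or parent. The context objects, the function names `selfOrigin` and `allowedBySelf`, the walk up a chain of blank contexts, and the exact-origin comparison are assumptions of this simplified model.

```javascript
// Simplified model (added example, not Chromium code). A browsing context is
// { committedUrl, opener, parent }; committedUrl is null while the context
// still shows its initial blank page, i.e. has no committed document.

// Origin that 'self' stands for in `ctx`, or null if none can be determined.
function selfOrigin(ctx) {
  const seen = new Set(); // guards against cycles in constructed input
  while (ctx && !seen.has(ctx)) {
    seen.add(ctx);
    if (ctx.committedUrl !== null) {
      return new URL(ctx.committedUrl).origin;
    }
    // No committed document: use the creator, which is the opener for a new
    // window or the parent for a new iframe. Continuing up through several
    // blank contexts is an assumption of this model.
    ctx = ctx.opener || ctx.parent || null;
  }
  return null; // assumption: no creator recorded means nothing matches 'self'
}

// True if `targetUrl` is allowed by a directive whose only source is 'self'.
// Exact origin equality is a simplification of CSP source matching.
function allowedBySelf(ctx, targetUrl) {
  const origin = selfOrigin(ctx);
  return origin !== null && new URL(targetUrl).origin === origin;
}

// Constructed sample contexts.
const page = { committedUrl: "https://shop.example/cart", opener: null, parent: null };
const popup = { committedUrl: null, opener: page, parent: null };  // new window, still blank
const frame = { committedUrl: null, opener: null, parent: popup }; // blank iframe in the popup
const orphan = { committedUrl: null, opener: null, parent: null }; // no creator recorded

console.log(selfOrigin(popup));
console.log(selfOrigin(frame));
console.log(allowedBySelf(popup, "https://shop.example/checkout"));
console.log(allowedBySelf(popup, "https://other.example/collect"));
console.log(selfOrigin(orphan));
```

Once a context commits its own document, `selfOrigin` returns that document's origin and the opener or parent no longer plays a role.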

wpt-pr-bot left a comment

Already reviewed downstream.

w3c-bots commented Jan 31, 2018

Build PASSED

Started: 2018-02-02 10:58:06
Finished: 2018-02-02 11:04:47

Failing Jobs

  • safari:11.0

Unstable Results

Browser: "Safari 11.0" (failures allowed)

| Test | Subtest | Results | Messages |
|---|---|---|---|
| /content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html | | OK: 9, ERROR: 1 | |
| | form submission targetting _blank allowed after a redirect | PASS: 9 | |

chromium-wpt-export-bot force-pushed the chromium-export-cl-895589 branch 3 times, most recently from f0d1267 to 6482f92 Feb 1, 2018

CSP: initial blank page inherits 'self'.
chromium-wpt-export-bot force-pushed the chromium-export-cl-895589 branch from 6482f92 to ee03fa2 Feb 2, 2018

chromium-wpt-export-bot merged commit bc25d28 into master Feb 2, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
chromium-wpt-export-bot deleted the chromium-export-cl-895589 branch Feb 2, 2018
