https://github.com/w3c/webappsec-cspee/pull/28/files
Removes a special treatment for same-origin iframes from CSP Embedded Enforcement. This aligns the behavior of enforcing CSP Embedded Enforcement for cross-origin iframes and same-origin iframes.
Blink>SecurityFeature>ContentSecurityPolicy
The same-origin blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allowed an attack which was not possible before (example).
Additionally, this caused a bug where the CSP nonce value enforced by CSPEE from a top frame had to exactly match the nonce value served in a grand-child frame, if the top frame and child frame are cross-origin, but the child frame and grand-child frame are same-origin.
Given this part of blanket enforcement is rarely used (~0.000017%), let's remove this logic.
Gecko: Positive
WebKit: No signal
Web developers: No signals
Other signals:
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
False
https://bugs.chromium.org/p/chromium/issues/detail?id=1263288
M120
https://chromestatus.com/feature/5098158594195456
LGTM2
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d968fa5a-7c9f-4c2e-9a42-8dd3e468fa63n%40chromium.org.
Also, please request cross-functional review bits in the chromestatus entries.
LGTM2
LGTM