Hey Simon! If I clean this up and get it past our friendly bindings team (and update all the tests), would you accept it as a replacement for the check we agreed upon in https://chromium-review.googlesource.com/c/chromium/src/+/5287414?
TL;DR: Same model as `SecureContext`: skip runtime checks by limiting the API's exposure in the first place.
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. | Gerrit |
Ugh. Actually adding you, Simon. 😊
Copy/pasting from the comment I didn't send you: Hey Simon! If I clean this up and get it past our friendly bindings team (and update all the tests), would you accept it as a replacement for the check we agreed upon in https://chromium-review.googlesource.com/c/chromium/src/+/5287414?
TL;DR: Same model as `SecureContext`: skip runtime checks by limiting the API's exposure in the first place.
Code-Review | +1 |
If I understand this right, the only difference would be that the API doesn't even show up in non-strict-csp-contexts (instead of the current runtime check)? Are there any other differences?
If not, I think this is cool, thanks.
LGTM % nits
return GetContentSecurityPolicy()->IsStrictPolicyEnforced();
Do we also want to check `RequiresTrustedTypes` here? If not, I'd suggest naming the IDL attribute something along the lines of `StrictCsp`.
MeasureAs = GetAllScreensMedia, InjectionMitigated
Based on my conversations with the security folks, I'd be hesitant to name this `InjectionMitigated`. To my understanding, CSP (and Trusted Types?) is mostly a mitigation for client-side XSS attacks.
@a...@google.com do you have an opinion on this?
I'd be fine with `InjectionMitigated` - XSS almost always depends on an injection of HTML into a page, and CSP (and Trusted Types) is meant to mitigate the impact of such injections (i.e. not allow them to lead to script execution on the page). So the name makes sense to me.
return GetContentSecurityPolicy()->IsStrictPolicyEnforced();
One further remark: we will need to support `getAllScreensMedia` in CSP and isolated web apps for some time (to enable developers to pivot to IWAs), and I think the strict CSP we check here does not match the [IWA CSP](https://github.com/WICG/isolated-web-apps) 1:1.
This makes me wonder if this function should also return true if we are in an isolated context:
```
const auto* csp = GetContentSecurityPolicy();
// Expose only under strict CSP plus Trusted Types, or in an isolated context.
return (csp->IsStrictPolicyEnforced() && csp->RequiresTrustedTypes()) || IsIsolatedContext();
```
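To make the exposure gate discussed in this thread concrete, here is a self-contained C++ model of it (an added example, not code from the CL or from Chromium). It parses a serialized CSP header, applies the combined check proposed above (strict policy and Trusted Types, or an isolated context), and returns whether an `InjectionMitigated` API should be exposed at all. The notion of "strict" used here is an assumption modeled on the public strict-CSP recipe (nonce- or hash-based `script-src` with `'strict-dynamic'`, `object-src 'none'`, `base-uri 'none'`); Chromium's real `IsStrictPolicyEnforced()` may differ in detail, and the function names `ParseCsp`, `ShouldExposeInjectionMitigatedApi` and the sample headers are constructed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Directive name -> source expressions, e.g. "script-src" -> {"'nonce-abc'", "'strict-dynamic'"}.
using CspDirectives = std::map<std::string, std::vector<std::string>>;

static std::string ToLower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Splits a serialized policy on ';', then each directive on whitespace.
// Directive names are case-insensitive; source values are kept as written.
CspDirectives ParseCsp(const std::string& header) {
  CspDirectives out;
  std::stringstream policy(header);
  std::string directive;
  while (std::getline(policy, directive, ';')) {
    std::istringstream tokens(directive);
    std::string name;
    if (!(tokens >> name)) continue;  // empty segment, e.g. a trailing ';'
    std::vector<std::string>& values = out[ToLower(name)];
    for (std::string v; tokens >> v;) values.push_back(v);
  }
  return out;
}

static bool Has(const CspDirectives& csp, const std::string& directive,
                const std::string& value) {
  auto it = csp.find(directive);
  return it != csp.end() &&
         std::find(it->second.begin(), it->second.end(), value) != it->second.end();
}

static bool HasPrefix(const CspDirectives& csp, const std::string& directive,
                      const std::string& prefix) {
  auto it = csp.find(directive);
  if (it == csp.end()) return false;
  for (const auto& v : it->second)
    if (v.compare(0, prefix.size(), prefix) == 0) return true;
  return false;
}

// Assumption: "strict" follows the public strict-CSP recipe (nonce- or hash-based
// script-src plus 'strict-dynamic', object-src 'none', base-uri 'none').
// This is a model, not Chromium's own IsStrictPolicyEnforced().
bool IsStrictPolicyEnforced(const CspDirectives& csp) {
  bool nonce_or_hash = HasPrefix(csp, "script-src", "'nonce-") ||
                       HasPrefix(csp, "script-src", "'sha256-") ||
                       HasPrefix(csp, "script-src", "'sha384-") ||
                       HasPrefix(csp, "script-src", "'sha512-");
  return nonce_or_hash && Has(csp, "script-src", "'strict-dynamic'") &&
         Has(csp, "object-src", "'none'") && Has(csp, "base-uri", "'none'");
}

// Trusted Types enforcement is signalled by require-trusted-types-for 'script'.
bool RequiresTrustedTypes(const CspDirectives& csp) {
  return Has(csp, "require-trusted-types-for", "'script'");
}

// The combined gate proposed in the thread: expose the API only when the page
// runs under strict CSP with Trusted Types, or inside an isolated context.
bool ShouldExposeInjectionMitigatedApi(const std::string& csp_header,
                                       bool is_isolated_context) {
  const CspDirectives csp = ParseCsp(csp_header);
  return (IsStrictPolicyEnforced(csp) && RequiresTrustedTypes(csp)) || is_isolated_context;
}

int main() {
  // Constructed sample headers for a stand-alone run.
  const std::string strict_tt =
      "object-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
      "base-uri 'none'; require-trusted-types-for 'script'";
  const std::string loose = "script-src 'self' 'unsafe-inline'";
  std::cout << "strict+TT, not isolated: " << ShouldExposeInjectionMitigatedApi(strict_tt, false) << "\n";
  std::cout << "loose, not isolated:     " << ShouldExposeInjectionMitigatedApi(loose, false) << "\n";
  std::cout << "loose, isolated:         " << ShouldExposeInjectionMitigatedApi(loose, true) << "\n";
  return 0;
}
```

The useful property of gating exposure this way, rather than checking at call time, is the same one `SecureContext` gives: a page that is not injection-mitigated never sees the API on its global, so there is no runtime check to forget or bypass in a later code path.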
Exportable changes to web-platform-tests were detected in this CL and a pull request in the upstream repo has been made: https://github.com/web-platform-tests/wpt/pull/45902.
When this CL lands, the bot will automatically merge the PR on GitHub if the required GitHub checks pass; otherwise, ecosystem-infra@ team will triage the failures and may contact you.
WPT Export docs:
https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md#Automatic-export-process