Closed
Bug 1474537
Opened 6 years ago
Closed 6 years ago
CSP 'self' should translate to 'self' and not be resolved to actual self URI
Categories
(Core :: DOM: Security, enhancement, P1)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| firefox63 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
|
15.31 KB,
patch
|
dveditz
:
review+
|
Details | Diff | Splinter Review |
Currently we are not strictly spec compliant when returning the 'original-policy' in csp reports, because instead of 'self' we return https://foo.com' in case the page is hosted on foo.com. Instead we should return 'self' whenever 'self' appears in the policy. This is also needed within Bug 965637 where we need to serialize the CSP.
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
Hey Dan, please see comment 0 for explanation of the change here - This change actually makes us more spec compliant and fixes a bunch of web platform tests.
Attachment #8990932 -
Flags: review?(dveditz)
|
|
Assignee | |
Comment 2•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=32533dbbaeb66c190c6552ea7c09d61b56bf3aa1
|
||
Comment 3•6 years ago
|
||
Comment on attachment 8990932 [details] [diff] [review] bug_1474537_csp_self_translate_self.patch Review of attachment 8990932 [details] [diff] [review]: ----------------------------------------------------------------- Looks great, r=dveditz
Attachment #8990932 -
Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/113b601a3b59 CSP 'self' should translate to 'self' and not be resolved to actual self URI. r=dveditz
|
||
Comment 5•6 years ago
|
||
Backed out for failing mochitest and wpt Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=4fbeea69b10d7487b74de22de78065d5b326dca5 Failure logs: https://treeherder.mozilla.org/logviewer.html#?job_id=189130132&repo=mozilla-inbound&lineNumber=3535 https://treeherder.mozilla.org/logviewer.html#?job_id=189130548&repo=mozilla-inbound&lineNumber=7047 Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/3539fcf9699308a1a05d5cec055321bb1220b0d5
Flags: needinfo?(ckerschb)
|
|
Assignee | |
Comment 6•6 years ago
|
||
This patch got pushed together with Bug 1475073 which caused a test failure, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1475073#c11
Flags: needinfo?(ckerschb)
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/91f5766f581b CSP 'self' should translate to 'self' and not be resolved to actual self URI. r=dveditz
|
|
||
Comment 8•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/91f5766f581b
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in
before you can comment on or make changes to this bug.
Description
•