authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-06-13 12:54:12 +0200
committerAlexandru Croitor <alexandru.croitor@qt.io>2017-07-07 09:16:03 +0000
commit5636374d4cb7b81ec65d98ce9b7be26deee5ad54 (patch)
treebe3598849fe55cc7a284b940ba7b2292abd2d071
parent70418264d9bec198284fa88d9568a070666ab48f (diff)
[Backport] Fix for CVE-2017-5075
CSP: Strip the fragment from reported URLs. We should have been stripping the fragment from the URL we report for CSP violations, but we weren't. Now we are, by running the URLs through `stripURLForUseInReport()`, which implements the stripping algorithm from CSP2: https://www.w3.org/TR/CSP2/#strip-uri-for-reporting Eventually, we will migrate more completely to the CSP3 world that doesn't require such detailed stripping, as it exposes less data to the reports, but we're not there yet. BUG=678776 Change-Id: I5be2c130611e834f3dc6a04ecaf926e09d74ac3f Review-Url: https://codereview.chromium.org/2619783002 Cr-Commit-Position: refs/heads/master@{#458045} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index de8189d6a74..4326749e2b2 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -691,10 +691,12 @@ static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventI
// If this load was blocked via 'frame-ancestors', then the URL of |document| has not yet
// been initialized. In this case, we'll set both 'documentURI' and 'blockedURI' to the
// blocked document's URL.
- init.setDocumentURI(blockedURL.string());
- init.setBlockedURI(blockedURL.string());
+ String strippedURL = stripURLForUseInReport(document, blockedURL);
+ init.setDocumentURI(strippedURL);
+ init.setBlockedURI(strippedURL);
} else {
- init.setDocumentURI(document->url().string());
+ String strippedURL = stripURLForUseInReport(document, document->url());
+ init.setDocumentURI(strippedURL);
init.setBlockedURI(stripURLForUseInReport(document, blockedURL));
}
init.setReferrer(document->referrer());
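Review bot: The comment above the frame-ancestors branch still says both 'documentURI' and 'blockedURI' are set to "the blocked document's URL", but the new code sets them to the stripped form, so the comment should say so, e.g. `// blocked document's URL, stripped for reporting (fragment removed, see stripURLForUseInReport).`. In the else branch the temporary is used exactly once while the blockedURI call on the next line is inlined; for consistency the documentURI line could read `init.setDocumentURI(stripURLForUseInReport(document, document->url()));` and the local could be dropped, or both calls could go through the local. The referrer passed to `init.setReferrer(document->referrer())` on the last line is not run through the same stripping; whether the reporting algorithm requires that for the referrer is not visible here and is worth confirming against the spec the commit cites. gatherSecurityPolicyViolationEventData starts before the hunk and continues after it.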