LGTM1

Usage seems low enough to make this safe still.

On Friday, September 29, 2023 at 2:24:11 AM UTC+2 Jun Kokatsu wrote:

> Contact emails
>
> jkoka...@google.com
>
> Explainer
>
> None
>
> Specification
>
> https://github.com/w3c/webappsec-cspee/pull/28/files
>
> Summary
>
> Removes a special treatment for same-origin iframes from CSP Embedded 
> Enforcement. This aligns the behavior of enforcing CSP Embedded Enforcement 
> for cross-origin iframes and same-origin iframes.
>
>
> Blink component
>
> Blink>SecurityFeature>ContentSecurityPolicy 
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>
> Motivation
>
> The same-origin blanket enforcement logic specific to same-origin iframes 
> exposes a new way to block certain resources from loading in the iframe. 
> This allowed an attack which was not possible before (example 
> <https://github.com/google/google-ctf/tree/master/2023/quals/web-biohazard/solution#reviving-xss-auditor-primitive>).
>
> Additionally, this caused a bug 
> <https://github.com/w3c/webappsec-cspee/issues/26> where the CSP nonce value 
> enforced by CSPEE from a top frame had to exactly match the nonce value served 
> in a grandchild frame, if the top frame and child frame are cross-origin 
> but the child frame and grandchild frame are same-origin. 
>
>
> Given this part of blanket enforcement is rarely used (~0.000017% 
> <https://chromestatus.com/metrics/feature/timeline/popularity/4599>), 
> let's remove this logic.
>
>
> Initial public proposal
>
> None
>
> TAG review
>
> None
>
> TAG review status
>
> Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> None
>
>
> Gecko: Positive 
> <https://github.com/mozilla/standards-positions/issues/878>
>
> WebKit: No signal 
> <https://github.com/WebKit/standards-positions/issues/251>
>
> Web developers: No signals
>
> Other signals:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that 
> it has potentially high risk for Android WebView-based applications?
>
> None
>
>
> Debuggability
>
> None
>
>
> Is this feature fully tested by web-platform-tests 
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
> ?
>
> Yes <https://github.com/web-platform-tests/wpt/pull/41926>
>
> Flag name on chrome://flags
>
> None
>
> Finch feature name
>
> None
>
> Non-finch justification
>
> None
>
> Requires code in //chrome?
>
> False
>
> Tracking bug
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=1263288
>
> Estimated milestones
>
> M120
>
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/5098158594195456
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d968fa5a-7c9f-4c2e-9a42-8dd3e468fa63n%40chromium.org.
