Also, please request cross-functional review bits in the chromestatus entries.

On 10/6/23 10:59 AM, Mike Taylor wrote:

LGTM2

On 10/4/23 6:38 AM, Yoav Weiss wrote:
LGTM1

Usage seems low enough to make this safe still.

On Friday, September 29, 2023 at 2:24:11 AM UTC+2 Jun Kokatsu wrote:

    Contact emails

    jkoka...@google.com


    Explainer

    None


    Specification

    https://github.com/w3c/webappsec-cspee/pull/28/files


    Summary

    Removes a special treatment for same-origin iframes from CSP
    Embedded Enforcement. This aligns the behavior of enforcing CSP
    Embedded Enforcement for cross-origin iframes and same-origin
    iframes.



    Blink component

    Blink>SecurityFeature>ContentSecurityPolicy
    <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>


    Motivation

    The same-origin blanket enforcement logic specific to same-origin
    iframes exposes a new way to block certain resources from loading
    in the iframe. This allowed an attack which was not possible
    before (example
    <https://github.com/google/google-ctf/tree/master/2023/quals/web-biohazard/solution#reviving-xss-auditor-primitive>).



    Additionally, this caused a bug
    <https://github.com/w3c/webappsec-cspee/issues/26> where the CSP
    nonce value enforced by CSPEE from a top frame had to exactly match
    the nonce value served in the grand-child frame, if the top frame
    and child frame are cross-origin but the child frame and
    grand-child frame are same-origin.


    Given this part of blanket enforcement is rarely used (~0.000017%
    <https://chromestatus.com/metrics/feature/timeline/popularity/4599>),
    let's remove this logic.



    Initial public proposal

    None


    TAG review

    None


    TAG review status

    Not applicable


    Risks

    Interoperability and Compatibility

    None



    Gecko: Positive
    <https://github.com/mozilla/standards-positions/issues/878>


    WebKit: No signal
    <https://github.com/WebKit/standards-positions/issues/251>


    Web developers: No signals


    Other signals:


    WebView application risks

    Does this intent deprecate or change behavior of existing APIs,
    such that it has potentially high risk for Android WebView-based
    applications?

    None



    Debuggability

    None



    Is this feature fully tested by web-platform-tests
    <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?


    Yes <https://github.com/web-platform-tests/wpt/pull/41926>


    Flag name on chrome://flags

    None


    Finch feature name

    None


    Non-finch justification

    None


    Requires code in //chrome?

    False


    Tracking bug

    https://bugs.chromium.org/p/chromium/issues/detail?id=1263288


    Estimated milestones

    M120



    Link to entry on the Chrome Platform Status

    https://chromestatus.com/feature/5098158594195456


--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d968fa5a-7c9f-4c2e-9a42-8dd3e468fa63n%40chromium.org.
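To make the behaviour change in the intent concrete, the following is an added model of the CSP Embedded Enforcement frame-admission decision. It is not code from the intent, from Chromium or from the CSPEE spec. It keeps the same-origin special case the intent removes behind a switch, so the pre-change rule (a same-origin embedee silently gets the embedder's required CSP applied, which is the "blanket enforcement" the Motivation refers to) can be compared with the post-change rule (same-origin embedees go through the same Allow-CSP-From / subsumption checks as cross-origin ones). The three cross-origin steps follow my reading of the spec; `subsumes` is a deliberate simplification that compares source expressions as plain strings, and all origins, URLs and policies are constructed sample values.

```python
"""CSP Embedded Enforcement (CSPEE) frame-admission model.

Added example, not code from the intent, from Chromium or from the CSPEE
spec. Assumptions: the Allow-CSP-From / subsumption / block ordering is the
author's reading of the spec; `subsumes` ignores host wildcards, scheme
matching and nonce/hash semantics and is not the spec's algorithm.
"""
from __future__ import annotations

from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Decision(Enum):
    ENFORCE = "load, with the embedder's required CSP enforced on the embedee"
    ALLOWED = "load unchanged, the embedee's own CSP already subsumes the requirement"
    BLOCKED = "blocked, the embedee is replaced by an error page"


def origin_of(url: str) -> str:
    """Serialize scheme://host[:port], the tuple same-origin comparison uses."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port is not None else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def parse_csp(policy: str) -> dict[str, set[str]]:
    """Parse "script-src a b; img-src c" into {directive: {source expressions}}."""
    directives: dict[str, set[str]] = {}
    for token in policy.split(";"):
        fields = token.split()
        if fields:
            directives[fields[0].lower()] = set(fields[1:])
    return directives


def subsumes(embedee_csp: Optional[str], required_csp: str) -> bool:
    """Simplified subsumption (assumption, not the spec algorithm): for every
    directive the embedder requires, the embedee must deliver that directive
    with a source list that is a subset of the required one, i.e. at least
    as strict. Different nonce values therefore never subsume each other."""
    if embedee_csp is None:
        return False
    required = parse_csp(required_csp)
    delivered = parse_csp(embedee_csp)
    return all(
        name in delivered and delivered[name] <= sources
        for name, sources in required.items()
    )


def cspee_decision(
    embedder_origin: str,
    response_url: str,
    required_csp: str,
    allow_csp_from: Optional[str] = None,
    embedee_csp: Optional[str] = None,
    same_origin_blanket_enforcement: bool = False,
) -> Decision:
    """Decide whether the embedee response may load under the required CSP."""
    # Step removed by the intent: a same-origin embedee silently gets the
    # embedder's policy, which is what let an embedder block resources in it.
    if same_origin_blanket_enforcement and origin_of(response_url) == embedder_origin:
        return Decision.ENFORCE
    # Embedee opts in to enforcement by naming the embedder (or "*") in Allow-CSP-From.
    if allow_csp_from is not None and allow_csp_from.strip() in ("*", embedder_origin):
        return Decision.ENFORCE
    # Embedee already delivers a policy at least as strict as the one required.
    if subsumes(embedee_csp, required_csp):
        return Decision.ALLOWED
    return Decision.BLOCKED


def compare_same_origin_case() -> tuple[Decision, Decision]:
    """Constructed scenario: a same-origin embedee with neither Allow-CSP-From nor
    a CSP of its own, evaluated under the pre-change and post-change rules."""
    case = dict(
        embedder_origin="https://app.example",
        response_url="https://app.example/widget",
        required_csp="script-src 'self'",
    )
    return (
        cspee_decision(**case, same_origin_blanket_enforcement=True),
        cspee_decision(**case, same_origin_blanket_enforcement=False),
    )


if __name__ == "__main__":
    before, after = compare_same_origin_case()
    print("same-origin embedee, old rule:", before.value)
    print("same-origin embedee, new rule:", after.value)
```

Running the script shows the asymmetry the intent removes: under the old rule the same-origin frame loads with the embedder's policy applied to it, while under the new rule the same request is blocked exactly as a cross-origin frame without Allow-CSP-From would be, so a same-origin embedee now has to opt in or already carry a policy at least as strict.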
