Remove same-origin blanket enforcement #28
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@antosart, could you PTAL? Also, while I'm part of W3C WebAppSec and I've linked my gihub accout, it seems like IPR still has some issue. Is there any specific issue to this repo that I need to do? |
antosart
approved these changes
Sep 6, 2023
|
Looks fine to me. I don't know about the ipr check though. |
jmyljml36
reviewed
Jan 11, 2024
There was a problem hiding this comment.
مغلق
#28 إزالة الإنفاذ الشامل من نفس الأصل حذف تلقائي ونهائي جميع قم بإزالة التنفيذ الشامل من نفس الأصل في CSPEE إزالة البيانات: عنوان URL في SVGUseElement CSS :dir() محدد الفئة الزائفة إهمال وإزالة دعم Theora.حذف تلقائي ونهائي دعم Theora على متغيرات Chromium لسطح المكتب.
|
مغلق |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The blanket enforcement logic specific to same-origin iframes exposes a new way to block certain resources from loading in the iframe. This allowed attacks which were not possible before (example).
Additionally, this caused a bug where CSP nonce value enforced by CSPEE from a top frame had to exactly match nonce value served in grand-child frame, if the top frame and child frame are cross-origin, but child frame and grand-child frame are same-origin.
Given this part of blanket enforcement is rarely used (~0.000015%), let's remove this logic.
Fixes: #26