WebKit Bugzilla
Bug 100883 (RESOLVED FIXED)
CSP: Warn when old-style directives encountered on the canonical header.
https://bugs.webkit.org/show_bug.cgi?id=100883
Mike West
Reported
2012-10-31 13:17:10 PDT
If we see directives named 'allow', 'options', 'frame-ancestors', or 'policy-uri', we might want to throw a special warning. In the spirit of failing closed, we might even want to treat 'allow' like 'default-src' (as well as throwing a warning). WDYT, Adam?
Attachments
Patch (20.57 KB, patch), 2012-10-31 15:38 PDT, Mike West, no flags
Patch for landing. (23.38 KB, patch), 2012-11-01 04:00 PDT, Mike West, no flags
Patch for landing (23.16 KB, patch), 2012-11-01 10:10 PDT, Mike West, no flags
Adam Barth
Comment 1
2012-10-31 13:17:54 PDT
Let's start with a warning and see how far that gets us.
Mike West
Comment 2
2012-10-31 15:38:12 PDT
Created attachment 171733
Patch
Mike West
Comment 3
2012-10-31 15:38:48 PDT
Strawman warning text. WDYT?
Build Bot
Comment 4
2012-10-31 22:17:27 PDT
Comment on attachment 171733
Patch
Attachment 171733 did not pass mac-ews (mac):
Output: http://queues.webkit.org/results/14561485
New failing tests:
http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html
http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
Mike West
Comment 5
2012-11-01 04:00:50 PDT
Created attachment 171807
Patch for landing.
Mike West
Comment 6
2012-11-01 04:01:18 PDT
Comment on attachment 171807
Patch for landing.
Carrying over Adam's r+.
WebKit Review Bot
Comment 7
2012-11-01 04:58:45 PDT
Comment on attachment 171807
Patch for landing.
Attachment 171807 did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/14678499
New failing tests:
inspector-protocol/debugger-pause-dedicated-worker.html
Mike West
Comment 8
2012-11-01 07:47:39 PDT
Comment on attachment 171807
Patch for landing.
Looks unrelated. Let's see what the CQ says.
WebKit Review Bot
Comment 9
2012-11-01 08:46:03 PDT
Comment on attachment 171807
Patch for landing.
Rejecting attachment 171807 from commit-queue.
Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2
Last 500 characters of output:
webkit-commit-queue/Source/WebKit/chromium/webkit --revision 165171 --non-interactive --force --accept theirs-conflict --ignore-externals' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
51>At revision 165171.
________ running '/usr/bin/python tools/clang/scripts/update.py --mac-only' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
Updating webkit projects from gyp files...
Full output: http://queues.webkit.org/results/14561641
Mike West
Comment 10
2012-11-01 10:10:11 PDT
Created attachment 171884
Patch for landing
WebKit Review Bot
Comment 11
2012-11-01 10:46:51 PDT
Comment on attachment 171884
Patch for landing
Clearing flags on attachment: 171884
Committed r133193: <http://trac.webkit.org/changeset/133193>
WebKit Review Bot
Comment 12
2012-11-01 10:46:54 PDT
All reviewed patches have been landed. Closing bug.
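
A server-side lint for the condition the report describes, as an added example that is not WebKit's code or the landed patch: it flags the four old-style directive names in a policy value and notes when `allow` appears without `default-src`. The function names, warning wording and sample header values are constructed for illustration.

```python
"""Lint a CSP header value for the old-style directive names in the report.
Added example with hypothetical names; not WebKit code."""

# Names listed in the report (2012 context). 'frame-ancestors' was later
# standardized in CSP Level 2, so a linter for current policies would drop it.
LEGACY_DIRECTIVES = {"allow", "options", "frame-ancestors", "policy-uri"}

def parse_policy(header_value):
    """Split a policy into (lowercased name, [source tokens]) pairs."""
    directives = []
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:  # skip empty segments such as a trailing ';'
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives

def lint_policy(header_value):
    """Return [(directive, warning)] for each old-style directive found."""
    directives = parse_policy(header_value)
    names = {name for name, _ in directives}
    findings = []
    for name, sources in directives:
        if name not in LEGACY_DIRECTIVES:
            continue
        message = f"old-style directive '{name}' found on the canonical header"
        if name == "allow":
            if "default-src" in names:
                message += "; 'default-src' is present, so remove 'allow'"
            else:
                # An ignored 'allow' leaves no fallback for resource types
                # that lack their own directive, so the policy fails open.
                message += ("; no 'default-src' is set, so the intended "
                            "fallback is not enforced. Use: default-src "
                            + " ".join(sources))
        findings.append((name, message))
    return findings

# Constructed sample header values (not taken from the bug or its tests).
SAMPLES = {
    "old": "allow 'self'; img-src *; options inline-script",
    "mixed": "Allow 'self'; default-src 'none'; policy-uri /csp.txt",
    "current": "default-src 'self'; script-src 'self' https://cdn.example",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        for _, message in lint_policy(value):
            print(f"[{label}] {message}")
```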