lib/csp.js - Issue 29377728: Issue 4866 - Add the child-src CSP directive back again for now

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Unified Diff: lib/csp.js

Issue 29377728: Issue 4866 - Add the child-src CSP directive back again for now (Closed)

Patch Set: Created March 1, 2017, 10:32 a.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Index: lib/csp.js

diff --git a/lib/csp.js b/lib/csp.js

index b1241a1873626aa212f6223969e574f2c4807c8b..fcbd40ef67b888e2ccf1d305fc7229c56227a585 100644

--- a/lib/csp.js

+++ b/lib/csp.js

@@ -34,13 +34,17 @@ chrome.webRequest.onHeadersReceived.addListener(details =>

// since the Chrome extension API does not allow us to intercept them.

// https://bugs.chromium.org/p/chromium/issues/detail?id=129353

- // We also need the frame-src and object-src restrictions since CSPs are

+ // We also need the child-src and object-src restrictions since CSPs are

// not inherited from the parent for documents with data: and blob: URLs.

// https://bugs.chromium.org/p/chromium/issues/detail?id=513860

+ // We must use the deprecated child-src directive instead of the

+ // combination of frame-src and worker-src directives since worker-src

+ // is not yet supported (as of Chrome 56.)

+ //

// "http:" also includes "https:" implictly.

// https://www.chromestatus.com/feature/6653486812889088

- value: "connect-src http:; frame-src http:; object-src http:"

+ value: "connect-src http:; child-src http:; object-src http:"

Wladimir Palant 2017/03/01 13:17:58 1.12.4 was using both frame-src and child-src. For

kzar 2017/03/01 14:41:18 Done.

});

return {responseHeaders: details.responseHeaders};

}

« no previous file with comments | « no previous file | no next file » | no next file with comments »