Release merge_pr_9316: CSP: initial blank page inherits 'self'. · valerioadm/wpt

merge_pr_9316
bc25d28
Compare

Choose a tag to compare

Loading

View all tags

merge_pr_9316: CSP: initial blank page inherits 'self'.

merge_pr_9316
bc25d28
Compare

Choose a tag to compare

Loading

View all tags

ArthurSonzogni tagged this 02 Feb 11:07

Content-Security-Policy: The CSP source 'self' is usually the origin of
the current document. Immediately after an new window or new frame is
created, there are no current document. In this case, the origin used is
the one of the opener (in case of a new window) or the parent (in case of a
new iframe).

For you intention: The frame's CSP are already the one of its opener when
there are still no committed document. It makes sense to do the same
with 'self'.

Several web platform tests are added.

Bug: 807206
Change-Id: I2acf66d9b6d63d4efb14370a4d0ff2206c943aeb
Reviewed-on: https://chromium-review.googlesource.com/895589
Commit-Queue: Arthur Sonzogni <[email protected]>
Reviewed-by: Alex Moshchuk <[email protected]>
Reviewed-by: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#534017}

Assets 2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly