    CSP: Allow port upgrade when the both expression's scheme and port is 'http'... · 3c519af4
    Taeho Nam authored
    CSP: Allow port upgrade when the both expression's scheme and port is 'http' and '443' when the scheme is upgradable
    
    <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' http://example.com:443;">
    <script src="https://example.com"></script>
    
    In the above example, the source should be allowed because the URL matches the CSP expression: all the rules are satisfied, including the port-part matching rule.
    
    See https://www.w3.org/TR/CSP3/ section 6.6.2.6. "Does url match expression in origin with redirect count?" and 6.6.2.9 "port-part matching".
    
    Chromium's current CSP implementation blocks the source because the scheme-part matching function returns 'kMatchingUpgrade' but the port-part matching function returns 'kMatchingExact', not 'kMatchingUpgrade'.
    
    This fixes the port-part matching function to return 'kMatchingUpgrade' where both the expression's scheme and port are equal to "http" and "443", when the scheme is upgradable (http->https).
    
    Bug: 892084
    TEST: build and run blink_unittests
    Change-Id: Ic611b6b1e298a9c4f0457ba4a474475ae0b66250
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1890451
    Reviewed-by: Mike West <mkwst@chromium.org>
    Reviewed-by: Andy Paicu <andypaicu@chromium.org>
    Commit-Queue: Andy Paicu <andypaicu@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#711224}
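As an added illustration (not Chromium's code and not part of the commit above): a small JavaScript model of the CSP3 scheme-part and port-part matching the commit message describes, run against the commit's own example. The result names mirror the ones in the message; the combining rule (an upgrade on one part is only accepted when the other part also reports an upgrade-capable result) is my reading of why the message says the source was blocked, not code taken from Chromium. The `fixed` flag, `sourceMatches`, `parseSourceExpression` and the other function names are assumptions for this example only; wildcard hosts and path matching are not modelled.

```javascript
// Added example, not Chromium's implementation: a model of CSP3 scheme-part and
// port-part matching, with a `fixed` switch that selects the port-part behaviour
// before/after the change described in the commit message.
const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };

const NOT_MATCHING = "kNotMatching";
const MATCHING_EXACT = "kMatchingExact";
const MATCHING_UPGRADE = "kMatchingUpgrade";
const MATCHING_WILDCARD = "kMatchingWildcard";

// Parse a host-source expression such as "http://example.com:443" or "example.com:*".
// (Assumption: no wildcard hosts or paths; those are outside this model.)
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] === undefined ? null : m[3] === "*" ? "*" : Number(m[3]),
  };
}

// CSP3 scheme-part matching: an exact match, or the http->https / ws->wss upgrade.
// An expression without a scheme inherits the protected page's scheme.
function schemeMatches(exprScheme, urlScheme, selfScheme) {
  const a = exprScheme || selfScheme;
  if (a === urlScheme) return MATCHING_EXACT;
  if (a === "http" && urlScheme === "https") return MATCHING_UPGRADE;
  if (a === "ws" && urlScheme === "wss") return MATCHING_UPGRADE;
  return NOT_MATCHING;
}

// Port-part matching. Ports left implicit on either side are resolved to the
// scheme's default. With `fixed` set, an "http" expression that names port 443
// is reported as an upgrade match against an https URL on 443 (the commit's
// case) instead of an exact match.
function portMatches(expr, urlScheme, urlPort, selfScheme, fixed) {
  if (expr.port === "*") return MATCHING_WILDCARD;
  const exprScheme = expr.scheme || selfScheme;
  const exprPort = expr.port === null ? DEFAULT_PORT[exprScheme] : expr.port;
  const effectiveUrlPort = urlPort === null ? DEFAULT_PORT[urlScheme] : urlPort;
  // Long-standing upgrade case: http(:80) expression against a URL on 443.
  if (exprScheme === "http" && exprPort === 80 && effectiveUrlPort === 443) return MATCHING_UPGRADE;
  // The commit's case: http:443 expression against https(:443).
  if (fixed && exprScheme === "http" && exprPort === 443 && urlScheme === "https" && effectiveUrlPort === 443) {
    return MATCHING_UPGRADE;
  }
  if (exprPort === effectiveUrlPort) return MATCHING_EXACT;
  return NOT_MATCHING;
}

function canUpgrade(result) {
  return result === MATCHING_UPGRADE || result === MATCHING_WILDCARD;
}

// Does `urlString` match the host-source `exprString`? `selfScheme` is the scheme of
// the page carrying the policy (the commit's example is an https page).
function sourceMatches(exprString, urlString, { selfScheme = "https", fixed = true } = {}) {
  const expr = parseSourceExpression(exprString);
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  const urlPort = url.port === "" ? null : Number(url.port); // "" means the default port
  const s = schemeMatches(expr.scheme, urlScheme, selfScheme);
  if (s === NOT_MATCHING) return false;
  if (url.hostname !== expr.host) return false;
  const p = portMatches(expr, urlScheme, urlPort, selfScheme, fixed);
  if (p === NOT_MATCHING) return false;
  // Assumed combining rule: never upgrade only the scheme or only the port.
  if ((s === MATCHING_UPGRADE || p === MATCHING_UPGRADE) && !(canUpgrade(s) && canUpgrade(p))) return false;
  return true;
}

// The commit's example, before and after the fix.
console.log("before fix:", sourceMatches("http://example.com:443", "https://example.com", { fixed: false }));
console.log("after fix: ", sourceMatches("http://example.com:443", "https://example.com", { fixed: true }));
```

With `fixed: false` the scheme part reports an upgrade while the port part reports an exact match, so the combining rule rejects the https script, which is the behaviour the commit message describes; with `fixed: true` both parts report an upgrade and the script is allowed. The plain `http://example.com` expression matches `https://example.com` in both modes, since its implicit port 80 already took the upgrade path.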