commit | 0b707cbaa2cb806162797be55caf9f8074fbdccf | |
---|---|---|
author | arthursonzogni <arthursonzogni@chromium.org> | Mon May 11 15:58:36 2020 |
committer | Commit Bot <commit-bot@chromium.org> | Mon May 11 15:58:36 2020 |
tree | 1b45e692b539746c19f59aac72a8d5175616fe66 | |
parent | ebd5d87b720b7ba9e03d2caf328e8b8f3e6090f9 | |
Stop leaking cross-origin post-redirect data using StackTrace.

Whenever a URL is provided to the ScriptSourceCode constructor, use the "request URL" instead of the "response URL".

This prevents malicious websites from getting access to the post-redirect URL. They can get this by throwing an error and inspecting the error.stack.

The new behavior can be observed in:
1) The 'source-file' in CSP violation reports.
2) The URL(s) in JavaScript stack traces.
3) How relative source maps are resolved.

After this patch (1), (2), (3) are now aligned with Firefox. After this patch (3) is now matching with the specification: https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit#

This patch might break some clients using devtool (See 3). A temporary command line argument is provided to restore the old behavior: --enable-features=UnsafeScriptReportPostRedirectURL

If you are using this flag, please let us know by filing a bug on https://crbug.com

This flag can potentially be used to restore the old behavior on stable using Finch if needed. If nobody is complaining about the new behavior, the flag can be removed after one release.

Bug: 1074317
Change-Id: I3629a5a0f8d67c13127f08ab36dc3df69aa0f98f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2187792
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#767326}
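How the request-URL versus response-URL choice described in the commit message above shows up in its three observable places, as an added JavaScript illustration that is not part of the commit or of Chromium's code. The URLs, the object shape and the function names are constructed for the example; only the feature name comes from the commit message.

```javascript
// Added illustration; not Chromium code. All URLs and names are constructed.

// A script fetch that was redirected: requestUrl is what the embedding page
// asked for, responseUrl is where the final response actually came from.
const fetched = {
  requestUrl: 'https://cdn.example/app.js',
  responseUrl: 'https://accounts.example/u/alice-1234/app.js',
  sourceMappingURL: 'app.js.map', // relative reference found in the script
};

// URL attached to the script. `unsafeReportPostRedirectURL` models the
// temporary --enable-features=UnsafeScriptReportPostRedirectURL switch.
function scriptSourceUrl(script, { unsafeReportPostRedirectURL = false } = {}) {
  return unsafeReportPostRedirectURL ? script.responseUrl : script.requestUrl;
}

// The three observable places the commit message lists, plus a flag saying
// whether the embedding page learns a cross-origin URL it never requested.
function observableUrls(script, pageOrigin, options) {
  const base = scriptSourceUrl(script, options);
  return {
    cspSourceFile: base,                                    // (1)
    stackFrame: `    at fn (${base}:1:1)`,                  // (2)
    sourceMap: new URL(script.sourceMappingURL, base).href, // (3)
    exposesPostRedirectUrl:
      base !== script.requestUrl && new URL(base).origin !== pageOrigin,
  };
}

const page = 'https://site.example';
console.log('new behavior:', observableUrls(fetched, page));
console.log('old behavior:',
  observableUrls(fetched, page, { unsafeReportPostRedirectURL: true }));
```

For tooling that consumes source maps, the practical check is that a relative map reference still resolves when the base is the pre-redirect URL, since that is the base used after this change.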
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.
For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.