commit | cff0ff189857308de7cdaed08a808669f1513cac | [log] [tgz] |
---|---|---|
author | Christian Biesinger <cbiesinger@chromium.org> | Thu May 12 18:30:26 2022 |
committer | Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> | Thu May 12 18:37:50 2022 |
tree | 7b5a8c738897fc9ed1237c1ddaa32eb7c9421966 | |
parent | 7f4089c1f0ba37dc51fb3a220f8719ff98863374 [diff] |
[FedCM] Only compare origins, not paths, for CSP checks

For compatibility with existing deployments, only compare origins.
This has been discussed and agreed with Chrome Security in
https://docs.google.com/document/d/16OwWXqg4tueno7xkQU7TPrF-qJle3KFqRUMHCFQ3rug/edit

Fixed: 1320724
Change-Id: I2758727149757cef835cd10b4c4d04897f234098
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3630577
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Yi Gu <yigu@chromium.org>
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1002743}
diff --git a/credential-management/fedcm.https.html.headers b/credential-management/fedcm.https.html.headers index e907cdd..408f782 100644 --- a/credential-management/fedcm.https.html.headers +++ b/credential-management/fedcm.https.html.headers
@@ -1 +1 @@ -Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.test +Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.test/never/used/path
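Review bot: the only test change here is the positive case: `connect-src https://idp.test` becomes `connect-src https://idp.test/never/used/path`, so the test now passes only if the FedCM CSP check ignores the path component, which is exactly what the commit message says it should do. What the diff does not show is the negative side of the new rule: nothing visible confirms that a `connect-src` naming a different origin (a different host, scheme or port than `https://idp.test`) is still rejected, so a regression that dropped the CSP check entirely would also make this test pass. Consider pairing this header with a second `.headers`/test variant that uses a non-matching origin and asserts the FedCM request is blocked, and since `.headers` files cannot carry comments, state in the test's own source or in the commit message why the path is deliberately one that is never fetched (`/never/used/path`) so a future reader does not "fix" it back to the bare origin.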