Skip to content

Fixes #213#214

Merged
michaelficarra merged 1 commit intomasterfrom
213
Dec 22, 2018
Merged

Fixes #213#214
michaelficarra merged 1 commit intomasterfrom
213

Conversation

@shekyan
Copy link
Copy Markdown
Contributor

@shekyan shekyan commented Dec 18, 2018

and tests commutativity

@shekyan shekyan force-pushed the 213 branch 2 times, most recently from 3ade180 to 36b24e0 Compare December 18, 2018 22:50
michaelficarra
michaelficarra reviewed Dec 18, 2018
View reviewed changes
src/main/java/com/shapesecurity/salvation/data/Policy.java Outdated
other.optimise();
}

private static void checkForMergeValidity(@Nonnull Policy p) {
Copy link
Copy Markdown
Member

@michaelficarra michaelficarra Dec 18, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably turn this into an instance method now.

Copy link
Copy Markdown
Contributor Author

@shekyan shekyan Dec 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done.

michaelficarra
michaelficarra reviewed Dec 19, 2018
View reviewed changes
src/test/java/com/shapesecurity/salvation/PolicyMergeTest.java
q = parse("frame-ancestors 'self'");
p.union(q);
assertEquals("frame-ancestors 'self'", p.show());
assertEquals("", p.show());
Copy link
Copy Markdown
Member

@michaelficarra michaelficarra Dec 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this one was correct before.

Copy link
Copy Markdown
Contributor Author

@shekyan shekyan Dec 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would think so too, but frame-ancestors 'none' 'none' contains invalid source-list thus invalidates the directive. Union merging empty policy with anything produces empty policy.

Copy link
Copy Markdown
Contributor Author

@shekyan shekyan Dec 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on the other hand, per https://w3c.github.io/webappsec-csp/#parse-serialized-policy step 7, invalid source-list produces an empty directive-value, which brings us to recent discussion. WDYT?

Copy link
Copy Markdown
Member

@michaelficarra michaelficarra Dec 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wow, you're right. This relies upon w3c/webappsec-csp#363, which intentionally doesn't use frame-ancestors 'none' in a malformed policy. I'm fine with getting this in as-is, but we need to follow up with an implementation of w3c/webappsec-csp#363 and possibly further discussion about frame-ancestors.

@shekyan
Fixes #213
5f6b579 
and tests commutativity
@michaelficarra michaelficarra merged commit fdc4f7b into master Dec 22, 2018
@michaelficarra michaelficarra deleted the 213 branch December 22, 2018 00:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelficarra michaelficarra michaelficarra approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shekyan @michaelficarra