@shekyan shekyan commented Dec 18, 2018

and tests commutativity

@shekyan shekyan force-pushed the 213 branch 2 times, most recently from 3ade180 to 36b24e0 Compare December 18, 2018 22:50
other.optimise();
}

private static void checkForMergeValidity(@Nonnull Policy p) {
Member

We should probably turn this into an instance method now.

Contributor Author

done.

q = parse("frame-ancestors 'self'");
p.union(q);
assertEquals("frame-ancestors 'self'", p.show());
assertEquals("", p.show());
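
Review bot: the last two lines of this hunk assert two different expected values for the same p.show() call ("frame-ancestors 'self'" and ""), and with the +/- markers not shown they read as contradictory. Whichever expectation is the new one, nothing in the visible test lines says why the union with frame-ancestors 'self' should serialize that way; a one-line comment above the assertion stating the reason would keep a later reader from flipping it back.
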
Member

I think this one was correct before.

Contributor Author

I would think so too, but frame-ancestors 'none' 'none' contains an invalid source-list and thus invalidates the directive. Union merging an empty policy with anything produces an empty policy.

Contributor Author

On the other hand, per https://w3c.github.io/webappsec-csp/#parse-serialized-policy step 7, an invalid source-list produces an empty directive-value, which brings us to the recent discussion. WDYT?

Member

Oh wow, you're right. This relies upon w3c/webappsec-csp#363, which intentionally doesn't use frame-ancestors 'none' in a malformed policy. I'm fine with getting this in as-is, but we need to follow up with an implementation of w3c/webappsec-csp#363 and possibly further discussion about frame-ancestors.

@michaelficarra michaelficarra merged commit fdc4f7b into master Dec 22, 2018
@michaelficarra michaelficarra deleted the 213 branch December 22, 2018 00:37