Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2016-1617

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://googlechromerel...
CONFIRM: https://code.google.co...
CONFIRM: https://codereview.chr...
BID: 81430
GENTOO: GLSA-201603-09
REDHAT: RHSA-2016:0072
DEBIAN: DSA-3456
SUSE: openSUSE-SU-2016:0249
SUSE: openSUSE-SU-2016:0250
SUSE: openSUSE-SU-2016:0271
UBUNTU: USN-2877-1
SECTRACK: 1034801

Launchpad.net

CVE 2016-1617

Related bugs

References