QwikSec

Security Database

CVE

CWE

Training

CVE-2016-5137

Published: Jul 23, 2016

Modified: Aug 6, 2024

PUBLISHED

Description

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report. NOTE: this vulnerability is associated with a specification change after CVE-2016-1617 resolution.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://crbug.com/625945

x_refsource_CONFIRM

openSUSE-SU-2016:1868

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2016:1869

vendor-advisory

x_refsource_SUSE

vdb-entry

x_refsource_BID

http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html

x_refsource_CONFIRM

vendor-advisory

x_refsource_UBUNTU

openSUSE-SU-2016:1918

vendor-advisory

x_refsource_SUSE

https://codereview.chromium.org/2125873003

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

openSUSE-SU-2016:1865

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_REDHAT

vdb-entry

x_refsource_SECTRACK

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.