CVE-2016-1617

Priority
Description
The CSPSource::schemeMatches function in
WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy
(CSP) implementation in Blink, as used in Google Chrome before
48.0.2564.82, does not apply http policies to https URLs and does not apply
ws policies to wss URLs, which makes it easier for remote attackers to
determine whether a specific HSTS web site has been visited by reading a
CSP report.
Package
Upstream: released (48.0.2564.82)
Ubuntu 14.04 LTS (Trusty Tahr): released (48.0.2564.82-0ubuntu0.14.04.1.1108)
Ubuntu 16.04 LTS (Xenial Xerus): released (48.0.2564.82-0ubuntu1.1222)
Package
Upstream: released (1.12.5)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.12.5-0ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.12.5-0ubuntu1)

Updated: 2019-03-19 12:25:12 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)