Diff
Modified: trunk/LayoutTests/ChangeLog (206277 => 206278)
--- trunk/LayoutTests/ChangeLog 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/ChangeLog 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,5 +1,68 @@
2016-09-22 Daniel Bates <daba...@apple.com>
+ [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+ https://bugs.webkit.org/show_bug.cgi?id=162079
+ <rdar://problem/28321575>
+
+ Reviewed by Andy Estes.
+
+ Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
+ to validate that the CSP violation report was sent to the appropriate host. Update test expectations.
+
+ Note that the presence of "localhost" in the HTTP Host header in the test results for tests
+ security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
+ security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
+ verify that we resolve a relative URL CSP report URI with respect to the blocked URL.
+
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+ * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+
+2016-09-22 Daniel Bates <daba...@apple.com>
+
[XSS Auditor] HTML5 entities can bypass XSS Auditor
https://bugs.webkit.org/show_bug.cgi?id=161939
<rdar://problem/25819815>
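Review bot: the entry describes only the save-report.php change and "Update test expectations", but the hunks below also change the test pages themselves: navigateToReport() in both report-frame-ancestors-cross-origin*.html now navigates to http://localhost:8000/.../echo-report.php instead of http://127.0.0.1:8000/..., and the framed document's policy in the expectations goes from report-uri ../../resources/save-report.php to report-uri save-report.php. Both changes are what make the new HTTP_HOST line a meaningful assertion (the report is saved on localhost:8000, so it must be read back from that host), so the ChangeLog should state them and the reason.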
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8000
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancesto
rs-cross-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","statu
s-code":0}}
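Review bot: the added HTTP_HOST: localhost:8000 line matches the host of document-uri and blocked-uri (the framed document), not the top-level test page on 127.0.0.1:8000, which is the assertion the bug needs; with report-uri reduced to the bare save-report.php, the report can only arrive at localhost:8000/security/contentSecurityPolicy/resources/save-report.php if the relative URI is resolved against the blocked URL, so this expectation does pin the fix. One check: in this rendering the JSON line is wrapped mid-token ("frame-ancesto" / "rs-cross-origin.html", "statu" / "s-code"); confirm the committed -expected.txt keeps the report on a single line, as the comparison is line-based.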
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8443
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ances
tors-cross-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","sta
tus-code":0}}
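Review bot: the test= parameter carried in both the report-uri and the navigateToReport() URL is /security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html for this https variant as well, so the http and https tests save and read back their report under the same key; this is pre-existing rather than introduced here, but if the two tests ever run concurrently one can read the other's saved report. Giving the https variant its own test= value would keep the HTTP_HOST: localhost:8443 assertion isolated.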
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html 2016-09-22 21:39:29 UTC (rev 206278)
@@ -11,10 +11,10 @@
function navigateToReport()
{
- window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+ window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
}
</script>
</head>
-<iframe src="" _onload_="navigateToReport()"></iframe>
+<iframe src="" _onload_="navigateToReport()"></iframe>
</body>
</html>
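Review bot: the removed and added iframe lines are rendered identically here (src="" on both sides), so the change to the frame's src, which is where the report-uri moves from ../../resources/save-report.php to save-report.php per the expectation, cannot be reviewed from this diff; confirm the committed src matches the original-policy string shown in report-frame-ancestors-cross-origin-https-expected.txt. The navigateToReport() change from 127.0.0.1:8000 to localhost:8000 is consistent with the report now being received on localhost, as the HTTP_HOST line in the expectation shows.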
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html 2016-09-22 21:39:29 UTC (rev 206278)
@@ -11,10 +11,10 @@
function navigateToReport()
{
- window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+ window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
}
</script>
</head>
-<iframe src="" _onload_="navigateToReport()"></iframe>
+<iframe src="" _onload_="navigateToReport()"></iframe>
</body>
</html>
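Review bot: same as the https variant: the iframe src is shown empty on both sides of this hunk, so the only reviewable change is navigateToReport() moving from http://127.0.0.1:8000 to http://localhost:8000, which matches the HTTP_HOST: localhost:8000 line in the corresponding expectation; please double-check the committed src attribute carries the shortened report-uri save-report.php.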
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors
-same-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-c
ode":0}}
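Review bot: here HTTP_HOST: 127.0.0.1:8000 is the host of both the framed document and the top-level test page, so the same-origin expectation cannot by itself distinguish a report sent to the wrong host; it is the cross-origin pair that exercises the bug. Worth saying so in the ChangeLog, or a future edit could drop the cross-origin tests as redundant.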
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancesto
rs-same-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status
-code":0}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html 2016-09-22 21:39:29 UTC (rev 206278)
@@ -15,6 +15,6 @@
}
</script>
</head>
-<iframe src="" _onload_="navigateToReport()"></iframe>
+<iframe src="" _onload_="navigateToReport()"></iframe>
</body>
</html>
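Review bot: this hunk and the one for report-frame-ancestors-same-origin.html change only the iframe line, and the src attribute is rendered empty on both the removed and added line, so the actual change (presumably the report-uri going from ../../resources/save-report.php to save-report.php, as the same-origin expectations show) is not visible for review; confirm the committed src matches the original-policy string in the expectation.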
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html 2016-09-22 21:39:29 UTC (rev 206278)
@@ -15,6 +15,6 @@
}
</script>
</head>
-<iframe src="" _onload_="navigateToReport()"></iframe>
+<iframe src="" _onload_="navigateToReport()"></iframe>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: line 4: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
REQUEST_METHOD: POST
=== POST DATA =""
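Review bot: this and the remaining expectation hunks all insert HTTP_HOST between CONTENT_TYPE and HTTP_REFERER, i.e. in alphabetical order of the CGI variable names, which suggests save-report.php prints a sorted set of $_SERVER keys rather than appending a new line at the end; the save-report.php diff is listed in the ChangeLog but not shown here, so verify that the ordering is produced by the script and not hand-placed, otherwise these expectations will not match.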
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
REQUEST_METHOD: POST
=== POST DATA =""
@@ -18,6 +19,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
REQUEST_METHOD: POST
=== POST DATA =""
@@ -28,6 +30,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -10,6 +10,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -10,6 +10,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -9,6 +9,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -9,6 +9,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -11,6 +11,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -11,6 +11,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -9,6 +9,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -9,6 +9,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -3,6 +3,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: Refused to load data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: Refused to load compass.jpg because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8080/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8080
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
REQUEST_METHOD: POST
=== POST DATA =""
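Review bot: this expectation is one of the few in the set where the added `HTTP_HOST: localhost:8080` line differs from the host in `HTTP_REFERER: http://127.0.0.1:8000/...`, so it actually pins that a report addressed to a cross-origin report-uri was delivered to that host rather than to the referring document's host; the same-origin expectations only confirm that the header dump gained a line. Worth stating in the test's ChangeLog entry that these cross-origin expectations are the regression coverage for the report-destination bug, so a later rebaseline does not silently accept `127.0.0.1:8000` here.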
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,5 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8080
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,5 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8080
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -2,6 +2,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -2,6 +2,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -3,6 +3,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,5 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -2,6 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_COOKIE: hello=world
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_COOKIE: hello=world
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -6,6 +6,7 @@
--------
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CSP report received:
CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8080
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2016-09-22 21:39:29 UTC (rev 206278)
@@ -11,7 +11,7 @@
$httpHeaders = $_SERVER;
ksort($httpHeaders, SORT_STRING);
foreach ($httpHeaders as $name => $value) {
- if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
+ if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") {
$value = undoMagicQuotes($value);
fwrite($reportFile, "$name: $value\n");
}
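Review bot: the `if` on the `+` line now strings five `===` comparisons across one long line; `in_array($name, ["CONTENT_TYPE", "HTTP_COOKIE", "HTTP_HOST", "HTTP_REFERER", "REQUEST_METHOD"], true)` would keep the allowlist readable and make the next header a one-token change. A one-line comment above the loop saying why HTTP_HOST is dumped (it records which host:port the violation report was actually sent to, which is what the updated expectations assert) would stop someone from later dropping it as noise from the `$_SERVER` dump.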
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
CSP report received:
CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt (206277 => 206278)
--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt 2016-09-22 21:39:29 UTC (rev 206278)
@@ -8,6 +8,7 @@
--------
CSP report received:
CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
=== POST DATA =""
Modified: trunk/Source/WebCore/ChangeLog (206277 => 206278)
--- trunk/Source/WebCore/ChangeLog 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/Source/WebCore/ChangeLog 2016-09-22 21:39:29 UTC (rev 206278)
@@ -1,5 +1,23 @@
2016-09-22 Daniel Bates <daba...@apple.com>
+ [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+ https://bugs.webkit.org/show_bug.cgi?id=162079
+ <rdar://problem/28321575>
+
+ Reviewed by Andy Estes.
+
+ Fixes an issue where a CSP violation report may be sent to the wrong domain when the
+ frame-ancestors directive is violated. In particular, when the frame-ancestors directive
+ is violated for a page that specifies a report URI that is a relative URL then the
+ report URI would be resolved with respect to the parent frame's document URL and hence
+ be sent to the domain of the parent frame's document.
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
+ to the blocked URL when we do not have a script execution context.
+
+2016-09-22 Daniel Bates <daba...@apple.com>
+
[XSS Auditor] HTML5 entities can bypass XSS Auditor
https://bugs.webkit.org/show_bug.cgi?id=161939
<rdar://problem/25819815>
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (206277 => 206278)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-09-22 21:39:29 UTC (rev 206278)
@@ -658,7 +658,7 @@
RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
for (const auto& url : reportURIs)
- PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
+ PingLoader::sendViolationReport(*frame, is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
}
void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
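Review bot: the condition on the `+` line, `is<Document>(m_scriptExecutionContext)`, is broader than the ChangeLog entry describes ("when we do not have a script execution context"): it also takes the `completeURL(url, blockedURL)` branch whenever the context exists but is not a Document, so either the ChangeLog wording or a short comment at the call site should state the actual condition and why `blockedURL` is the right base (for a frame-ancestors violation, `document` belongs to the parent frame, not to the page that specified the report-uri). The ternary also re-runs the type check and repeats `document.completeURL(url, ...)` on every iteration of `for (const auto& url : reportURIs)`; hoisting the choice of base URL out of the loop would shorten the 200-plus-character line and keep the two branches from drifting apart.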