Title: [100574] trunk
Revision
100574
Author
[email protected]
Date
2011-11-17 00:25:40 -0800 (Thu, 17 Nov 2011)

Log Message

CSP report-only mode doesn't work from an HTTP header
https://bugs.webkit.org/show_bug.cgi?id=71958

Reviewed by Eric Seidel.

Source/WebCore:

"It's tested or it's broken." -- Adam Leventhal

Test: http/tests/security/contentSecurityPolicy/report-only-from-header.php

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):

LayoutTests:

Test that X-WebKit-CSP-Report-Only actually sends reports.

* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-only-from-header.php: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (100573 => 100574)


--- trunk/LayoutTests/ChangeLog	2011-11-17 08:24:00 UTC (rev 100573)
+++ trunk/LayoutTests/ChangeLog	2011-11-17 08:25:40 UTC (rev 100574)
@@ -1,3 +1,15 @@
+2011-11-17  Adam Barth  <[email protected]>
+
+        CSP report-only mode doesn't work from an HTTP header
+        https://bugs.webkit.org/show_bug.cgi?id=71958
+
+        Reviewed by Eric Seidel.
+
+        Test that X-WebKit-CSP-Report-Only actually sends reports.
+
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-only-from-header.php: Added.
+
 2011-11-17  Mihnea Ovidenie  <[email protected]>
 
         CSS exclusions: parse the wrap-flow and wrap-through properties

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (0 => 100574)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2011-11-17 08:25:40 UTC (rev 100574)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because of Content-Security-Policy.
+
+ALERT: PASS
+CSP report received:
+CONTENT_TYPE: application/x-www-form-urlencoded
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
+REQUEST_METHOD: POST
+=== POST DATA =""
+document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
+violated-directive: script-src 'self'
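Review bot: The console line at the top of this expected output says "Refused to execute inline script" while the next line shows the same script's alert('PASS') firing, so the "[Report Only]" prefix is the only thing telling a reader the script was not actually refused. That wording comes from the existing console message in the CSP code rather than from this patch, but it is worth rewording in a follow-up to something like "[Report Only] Inline script would be refused" so report-only logs cannot be mistaken for enforcement. The rest of the expectation (form-urlencoded POST, referer and document-url both pointing at report-only-from-header.php, violated-directive of script-src 'self') matches the header the test sends.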

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php (0 => 100574)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php	2011-11-17 08:25:40 UTC (rev 100574)
@@ -0,0 +1,8 @@
+<?php
+header("X-WebKit-CSP-Report-Only: script-src 'self'; report-uri resources/save-report.php");
+?>
+<script>
+// This script block will trigger a violation report but shouldn't be blocked.
+alert('PASS');
+</script>
+<script src=""
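Review bot: This test only sends X-WebKit-CSP-Report-Only on its own, which is exactly the case the FrameLoader fix repairs, but it leaves the other half of the copy-and-paste untested: a page that sends both X-WebKit-CSP and X-WebKit-CSP-Report-Only. Before the fix that combination would have reached the report-only path by accident, so a regression that reintroduces the wrong variable would still pass this test if the enforce header happened to be present. Suggest adding a sibling test that emits both headers, e.g. header("X-WebKit-CSP: script-src 'self'"); alongside the existing header() call, and expects the report to arrive while the inline script is blocked. The last line of the file is truncated on this page, so the navigation to whichever page echoes the saved report cannot be reviewed here.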

Modified: trunk/Source/WebCore/ChangeLog (100573 => 100574)


--- trunk/Source/WebCore/ChangeLog	2011-11-17 08:24:00 UTC (rev 100573)
+++ trunk/Source/WebCore/ChangeLog	2011-11-17 08:25:40 UTC (rev 100574)
@@ -1,3 +1,17 @@
+2011-11-17  Adam Barth  <[email protected]>
+
+        CSP report-only mode doesn't work from an HTTP header
+        https://bugs.webkit.org/show_bug.cgi?id=71958
+
+        Reviewed by Eric Seidel.
+
+        "It's tested or it's broken." -- Adam Leventhal
+
+        Test: http/tests/security/contentSecurityPolicy/report-only-from-header.php
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::didBeginDocument):
+
 2011-11-15  Pavel Feldman  <[email protected]>
 
         Web Inspector: introduce Debugger domain capabilities concept.
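Review bot: The entry for (WebCore::FrameLoader::didBeginDocument): has no description of what changed. WebKit ChangeLog convention is to say what was wrong and what the fix does under each function name; here one line such as "Test the report-only header's own value rather than the enforce header's, so report-only works without an X-WebKit-CSP header" would let someone reading the log understand the bug without opening the diff.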

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (100573 => 100574)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2011-11-17 08:24:00 UTC (rev 100573)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2011-11-17 08:25:40 UTC (rev 100574)
@@ -647,7 +647,7 @@
             m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy);
 
         String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
-        if (!contentSecurityPolicy.isEmpty())
+        if (!reportOnlyContentSecurityPolicy.isEmpty())
             m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly);
     }
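Review bot: The one-character fix is correct, but the old condition had two bad behaviours that the new test covers only one of: with no X-WebKit-CSP header the report-only header was silently ignored, and with an X-WebKit-CSP header present the report-only branch ran even when reportOnlyContentSecurityPolicy was empty, handing an empty string to didReceiveHeader(..., ReportOnly). Since the enforce and report-only blocks are the same three lines apart from the header name and the mode, consider folding them into a small static helper that takes the header name and the ContentSecurityPolicy mode, so the variable being tested cannot again drift from the variable being passed.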
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
