Title: [288678] trunk
Revision
288678
Author
pgrif...@igalia.com
Date
2022-01-27 10:13:52 -0800 (Thu, 27 Jan 2022)

Log Message

CSP: Clean up effective-violation handling in reports
https://bugs.webkit.org/show_bug.cgi?id=235602

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Updated expectations with more passes.

* web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt:
* web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt:
* web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:

Source/WebCore:

The CSP 3 spec uses the same value for effectiveDirective and
violatedDirective noting that is now just an alias for historical
purposes. https://www.w3.org/TR/CSP3/#violation-events

I have refactored this so we only pass around a single string instead of constantly
repeating the directive which was error prone.

This does result in a lot of `script-src` changing to `script-src-elem` in reports
however this behavior matches what Chromium is already reporting and it fixes some
WPT results where it expects `frame-src` instead of `child-src`.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::consoleMessageForViolation):
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
(WebCore::ContentSecurityPolicy::allowEval const):
(WebCore::ContentSecurityPolicy::allowFrameAncestors const):
(WebCore::ContentSecurityPolicy::allowPluginType const):
(WebCore::ContentSecurityPolicy::allowObjectFromSource const):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
(WebCore::ContentSecurityPolicy::allowScriptFromSource const):
(WebCore::ContentSecurityPolicy::allowImageFromSource const):
(WebCore::ContentSecurityPolicy::allowStyleFromSource const):
(WebCore::ContentSecurityPolicy::allowFontFromSource const):
(WebCore::ContentSecurityPolicy::allowManifestFromSource const):
(WebCore::ContentSecurityPolicy::allowMediaFromSource const):
(WebCore::ContentSecurityPolicy::allowConnectToSource const):
(WebCore::ContentSecurityPolicy::allowFormAction const):
(WebCore::ContentSecurityPolicy::allowBaseURI const):
(WebCore::ContentSecurityPolicy::reportViolation const):
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):

LayoutTests:

Update effective-violation of expectations.

* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html:
* http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url2-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (288677 => 288678)


--- trunk/LayoutTests/ChangeLog	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/ChangeLog	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,41 @@
+2022-01-27  Patrick Griffis  <pgrif...@igalia.com>
+
+        CSP: Clean up effective-violation handling in reports
+        https://bugs.webkit.org/show_bug.cgi?id=235602
+
+        Reviewed by Kate Cheney.
+
+        Update effective-violation of expectations.
+
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html:
+        * http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+        * platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+
 2022-01-27  Tyler Wilcock  <tyle...@apple.com>
 
         AX ITM: Defer to the tree when determining AX object loading progress
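
Review bot: The summary line of the added entry, "Update effective-violation of expectations.", does not say what changed in the expectations and reads as if words were transposed. Suggest naming the two visible effects: `effective-directive` in reports now carries the same value as `violated-directive` (`script-src-elem` where it used to be `script-src`), and console messages for blocked frames now name `frame-src` where they used to name `child-src`. That lets someone bisecting a report-format change find this revision from the LayoutTests ChangeLog alone.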

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 This tests that an <iframe> load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no _javascript_ alert.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 This tests that the Content Security Policy of the page blocks an <iframe> from loading a document of a different origin through a redirect. This test PASSED if there is no _javascript_ alert.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
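
Review bot: On the changed POST data line, `effective-directive` becomes `script-src-elem` while `original-policy` is `default-src 'self'; report-uri ../resources/save-report.py`, so this test only pins the value reached through fallback from `default-src`. Since this is the test named for the effective directive, consider a companion case whose policy sets `script-src-elem` explicitly, so the expectations show that the reported name is the same whether the directive is written in the policy or reached by fallback.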

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,7 +13,7 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
 
 --------
 Frame: 'enforced-1'
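
Review bot: The report body on the `+` line for the report-only frame has the same keys as the enforced frames that follow, and the only thing telling them apart in this expected output is the `test=...-report-only` query string on `REQUEST_URI`. CSP3's `csp-report` serialization also defines a `disposition` key (`enforce` or `report`); since this change is aligning the report fields with CSP3, it is worth a follow-up bug, or a note in this one, that `disposition` is still absent, because collectors otherwise cannot separate report-only noise from enforced blocks without a per-policy endpoint.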
@@ -25,7 +25,7 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
 
 --------
 Frame: 'enforced-2'
@@ -37,4 +37,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -15,4 +15,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -15,4 +15,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the child-src directive.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
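Review bot: the new console line says the URL "does not appear in the frame-src directive", but the policy under test is `child-src 'none'` (see originalPolicy in the next hunk), and the test description on the following line still says the frame is blocked "by the child-src directive". A developer reading the console will look for a frame-src directive that the policy does not contain. Consider naming the directive that is actually present in the policy in the console message, or at least update the test description so the two lines agree.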
@@ -9,7 +9,7 @@
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
 PASS window.e.violatedDirective is "frame-src"
-PASS window.e.effectiveDirective is "child-src"
+PASS window.e.effectiveDirective is "frame-src"
 PASS window.e.originalPolicy is "child-src 'none'"
 PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html"
 PASS window.e.lineNumber is 27

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html	2022-01-27 18:13:52 UTC (rev 288678)
@@ -12,7 +12,7 @@
     "referrer": document.referrer,
     "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
     "violatedDirective": "frame-src",
-    "effectiveDirective": "child-src",
+    "effectiveDirective": "frame-src",
     "originalPolicy": "child-src 'none'",
     "sourceFile": document.location.toString(),
     "lineNumber": 27,

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
 Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the default-src directive.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
@@ -9,7 +9,7 @@
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
 PASS window.e.violatedDirective is "frame-src"
-PASS window.e.effectiveDirective is "child-src"
+PASS window.e.effectiveDirective is "frame-src"
 PASS window.e.originalPolicy is "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html"
 PASS window.e.lineNumber is 27

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html	2022-01-27 18:13:52 UTC (rev 288678)
@@ -12,7 +12,7 @@
     "referrer": document.referrer,
     "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
     "violatedDirective": "frame-src",
-    "effectiveDirective": "child-src",
+    "effectiveDirective": "frame-src",
     "originalPolicy": "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
     "sourceFile": document.location.toString(),
     "lineNumber": 27,

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
 
 
 --------

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
 
 
 --------

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 Tests that an <iframe> that loads a cross-origin page via a redirect is blocked by the Content Security Policy child-src directive. This test PASSED if there is a console warning message.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -8,4 +8,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
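Review bot: the expected report now carries "effective-directive":"script-src-elem" while original-policy in the same report declares only `script-src 'self'`, so this expectation exercises only the case where script-src-elem is reached through script-src. Consider adding one expectation whose policy declares script-src-elem explicitly, so the tests distinguish a direct match from the case shown here. The value change also affects any report collector that groups on effective-directive; the ChangeLog mentions it, which is good.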

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -7,4 +7,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -7,4 +7,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -8,4 +8,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
 === POST DATA =""
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -11,4 +11,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (288677 => 288678)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (288677 => 288678)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,16 @@
+2022-01-27  Patrick Griffis  <pgrif...@igalia.com>
+
+        CSP: Clean up effective-violation handling in reports
+        https://bugs.webkit.org/show_bug.cgi?id=235602
+
+        Reviewed by Kate Cheney.
+
+        Updated expectations with more passes.
+
+        * web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt:
+        * web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt:
+        * web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:
+
 2022-01-27  Antti Koivisto  <an...@apple.com>
 
         [CSS Container Queries] Basic parsing support for query syntax

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt (288677 => 288678)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -5,6 +5,6 @@
 
 Harness Error (TIMEOUT), message = null
 
-FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"] assert_unreached: unexpected log: TEST COMPLETE Reached unreachable code
+PASS Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"]
 TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt (288677 => 288678)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -5,6 +5,6 @@
 
 Harness Error (TIMEOUT), message = null
 
-FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code
+PASS Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"]
 TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt (288677 => 288678)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -9,6 +9,6 @@
 PASS Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
 PASS Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.
 PASS Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
-FAIL Script injected via `innerHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
-FAIL Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
+PASS Script injected via `innerHTML` is not allowed with `strict-dynamic`.
+PASS Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.
 

Modified: trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (288677 => 288678)


--- trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/Source/WebCore/ChangeLog (288677 => 288678)


--- trunk/Source/WebCore/ChangeLog	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/ChangeLog	2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,50 @@
+2022-01-27  Patrick Griffis  <pgrif...@igalia.com>
+
+        CSP: Clean up effective-violation handling in reports
+        https://bugs.webkit.org/show_bug.cgi?id=235602
+
+        Reviewed by Kate Cheney.
+
+        The CSP 3 spec uses the same value for effectiveDirective and
+        violatedDirective noting that is now now just an alias for historical
+        purposes. https://www.w3.org/TR/CSP3/#violation-events
+
+        I have refactored this so we only pass around a single string instead of constantly
+        repeating the directive which was error prone.
+
+        This does result in a lot of `script-src` changing to `script-src-elem` in reports
+        however this behavior matches what Chromium is already reporting and it fixes some
+        WPT results where it expects `frame-src` instead of `child-src`.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::consoleMessageForViolation):
+        (WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+        (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+        (WebCore::ContentSecurityPolicy::allowInlineScript const):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle const):
+        (WebCore::ContentSecurityPolicy::allowEval const):
+        (WebCore::ContentSecurityPolicy::allowFrameAncestors const):
+        (WebCore::ContentSecurityPolicy::allowPluginType const):
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource const):
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
+        (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+        (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+        (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+        (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+        (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+        (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+        (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+        (WebCore::ContentSecurityPolicy::allowFormAction const):
+        (WebCore::ContentSecurityPolicy::allowBaseURI const):
+        (WebCore::ContentSecurityPolicy::reportViolation const):
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
+
 2022-01-27  Tyler Wilcock  <tyle...@apple.com>
 
         AXLogger::add should not cause tree updates via children()
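Review bot: the added ChangeLog text reads "noting that is now now just an alias": "now" is doubled and the sentence never says which of effectiveDirective and violatedDirective is the alias. Please name the attribute. The entry also mentions only `script-src-elem` and `frame-src`, while the strict-dynamic WPT expectation in this change flips a check that expected "script-src-attr" from FAIL to PASS; mention that value too if reports can now carry it.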

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (288677 => 288678)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-01-27 18:13:52 UTC (rev 288678)
@@ -66,13 +66,20 @@
 namespace WebCore {
 using namespace Inspector;
 
-static String consoleMessageForViolation(const char* effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const char* prefix, const char* subject = "it")
+static String consoleMessageForViolation(const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const char* prefix, const char* subject = "it")
 {
+    bool isDefaultSrc = violatedDirective.isDefaultSrc();
+    String name = violatedDirective.nameForReporting();
+    if (violatedDirective.nameForReporting().startsWith(ContentSecurityPolicyDirectiveNames::scriptSrc))
+        name = ContentSecurityPolicyDirectiveNames::scriptSrc;
+    else if (violatedDirective.nameForReporting().startsWith(ContentSecurityPolicyDirectiveNames::styleSrc))
+        name = ContentSecurityPolicyDirectiveNames::styleSrc;
+
     return makeString(violatedDirective.directiveList().isReportOnly() ? "[Report Only] " : "",
         prefix, blockedURL.isEmpty() ? "" : " ", blockedURL.stringCenterEllipsizedToLength(), " because ", subject,
-        violatedDirective.isDefaultSrc() ? " appears in neither the " : " does not appear in the ",
-        effectiveViolatedDirective,
-        violatedDirective.isDefaultSrc() ? " directive nor the default-src directive of the Content Security Policy." : " directive of the Content Security Policy.");
+        isDefaultSrc ? " appears in neither the " : " does not appear in the ",
+        name,
+        isDefaultSrc ? " directive nor the default-src directive of the Content Security Policy." : " directive of the Content Security Policy.");
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy(URL&& protectedURL, ContentSecurityPolicyClient* client)
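Review bot: in consoleMessageForViolation, `violatedDirective.nameForReporting()` is evaluated three times even though its result is already stored in `name`; test `name.startsWith(...)` in both branches instead. The prefix match also folds every reporting name that begins with script-src or style-src back to the base name, so the console text can say script-src while the report for the same violation carries script-src-elem. If that is deliberate, a one-line comment saying the console message intentionally uses the base directive would keep a later reader from treating the mismatch as a bug.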
@@ -129,8 +136,7 @@
         bool isReportOnly = policy->isReportOnly();
         auto message = makeString(isReportOnly ? "[Report Only] " : "", "Blocked mixed content ",
             url.stringCenterEllipsizedToLength(), " because 'block-all-mixed-content' appears in the Content Security Policy.");
-        reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent,
-            ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url.string(), message);
+        reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url.string(), message);
         if (!isReportOnly)
             allow = false;
     }
@@ -369,9 +375,8 @@
         return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
-        // FIXME (rdar://83332874) implement scriptSrcElem properly.
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
+        String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
+        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
         if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
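Review bot: the context line `if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly())` in this handler notifies the inspector only for report-only policies, whereas the otherwise identical handler in the next hunk tests `!violatedDirective.directiveList().isReportOnly()`. The line is not touched by this change, but one of the two conditions looks inverted; please confirm which is intended, or fix it while these handlers are being edited. Separately, the removed FIXME (rdar://83332874) is resolved only if the violated directive reports as script-src-elem on this path, which this hunk does not show; a test expectation covering this handler would document that.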
@@ -388,8 +393,8 @@
         return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
+        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
@@ -441,8 +446,8 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         TextPosition sourcePosition(contextLine, OrdinalNumber());
         const char* message = sourceURL.isEmpty() ? "Refused to execute a script" : "Refused to load";
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, sourceURL, message);
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, sourceURL.string(), consoleMessage, contextURL.string(), scriptContent, sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, sourceURL, message);
+        reportViolation(violatedDirective, sourceURL.string(), consoleMessage, contextURL.string(), scriptContent, sourcePosition);
     };
 
     auto contentHashes = generateHashesForContent(scriptContent, m_hashAlgorithmsForInlineScripts);
@@ -456,8 +461,8 @@
         return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, scriptContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
+        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, scriptContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
@@ -476,9 +481,8 @@
     if (m_overrideInlineStyleAllowed)
         return true;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        auto name = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? ContentSecurityPolicyDirectiveNames::styleSrcAttr : ContentSecurityPolicyDirectiveNames::styleSrcElem;
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, styleContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
+        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, styleContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
     };
 
     auto contentHashes = generateHashesForContent(styleContent, m_hashAlgorithmsForInlineStylesheets);
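Review bot: Dropping the `shouldCheckUnsafeHashes` ternary means this handler no longer chooses between `styleSrcAttr` and `styleSrcElem`; the reported name now comes solely from `violatedDirective.nameForReporting()` inside `reportViolation`. Nothing in this hunk shows that the directive returned by the lookup carries the attr/elem distinction, so please confirm the predicate sets it and that a test covers a violation from a `style` attribute, so those reports keep the `-attr` name they had before.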
@@ -496,8 +500,8 @@
         return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = shouldLogToConsole == LogToConsole::Yes ? consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "eval", consoleMessage, state, codeContent);
+        String consoleMessage = shouldLogToConsole == LogToConsole::Yes ? consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
+        reportViolation(violatedDirective, "eval", consoleMessage, state, codeContent);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
@@ -516,8 +520,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor, frame);
 }
@@ -544,8 +548,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestorOrigins, ancestorOrigins);
 }
@@ -557,8 +561,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url, "Refused to load", "its MIME type");
-        reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load", "its MIME type");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType, type, typeAttribute);
 }
@@ -573,8 +577,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
 }
@@ -586,14 +590,13 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        const char* effectiveViolatedDirective = violatedDirective.name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
-        String consoleMessage = consoleMessageForViolation(effectiveViolatedDirective, violatedDirective, url, "Refused to load");
-        reportViolation(effectiveViolatedDirective, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
 
-bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
+bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
 {
     if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
         return true;
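Review bot: With the `effectiveViolatedDirective` ternary removed, a frame load blocked by anything other than `frame-src` is no longer forced to report `child-src`; the name is whatever `violatedDirective.nameForReporting()` returns for the directive the lookup fell back to. Please add a one-line comment here, or point to a test, stating what is reported when `violatedDirectiveForFrame` resolves through a fallback directive, because that case was previously pinned by this code and is now decided elsewhere.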
@@ -601,8 +604,8 @@
     const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(name, violatedDirective, blockedURL, "Refused to load");
-        reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+        reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
@@ -609,7 +612,7 @@
 
 bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
 }
 
 bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& subResourceIntegrity, const String& nonce) const
@@ -623,8 +626,8 @@
     const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+        reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
 
     auto subResourceIntegrityDigests = parseSubResourceIntegrityIntoDigests(subResourceIntegrity);
@@ -634,7 +637,7 @@
 
 bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::imgSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, preRedirectURL);
 }
 
 bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& nonce) const
@@ -645,8 +648,8 @@
     const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+        reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
 
     String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
@@ -655,19 +658,19 @@
 
 bool ContentSecurityPolicy::allowFontFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::fontSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, preRedirectURL);
 }
 
 #if ENABLE(APPLICATION_MANIFEST)
 bool ContentSecurityPolicy::allowManifestFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::manifestSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest, preRedirectURL);
 }
 #endif // ENABLE(APPLICATION_MANIFEST)
 
 bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, preRedirectURL);
 }
 
 bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
@@ -677,8 +680,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition, preRedirectURL);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to connect to");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition, preRedirectURL);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
@@ -685,7 +688,7 @@
 
 bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
+    return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
 }
 
 bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
@@ -697,8 +700,8 @@
     String sourceURL;
     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url, "Refused to change the document base URL to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+        String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to change the document base URL to");
+        reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
 }
@@ -728,24 +731,24 @@
     return SecurityOrigin::create(url)->toString();
 }
 
-void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state, StringView sourceContent) const
+void ContentSecurityPolicy::reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state, StringView sourceContent) const
 {
     // FIXME: Extract source file, and position from JSC::ExecState.
-    return reportViolation(violatedDirective, effectiveViolatedDirective.nameForReporting().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), sourceContent, TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+    return reportViolation(violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, String(), sourceContent, TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
 {
     // FIXME: Extract source file, content, and position from JSC::ExecState.
-    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+    return reportViolation(violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
+void ContentSecurityPolicy::reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
 {
-    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourceContent, sourcePosition, state, preRedirectURL, element);
+    return reportViolation(violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourceContent, sourcePosition, state, preRedirectURL, element);
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
 {
     logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
 
@@ -760,13 +763,13 @@
         blockedURI = blockedURLString;
     else {
         // If there is a redirect then we use the pre-redirect URL: https://www.w3.org/TR/CSP3/#security-violation-reports.
-        blockedURI = createURLForReporting(preRedirectURL.isNull() ? URL(URL(), blockedURLString) : preRedirectURL, violatedDirective);
+        blockedURI = createURLForReporting(preRedirectURL.isNull() ? URL(URL(), blockedURLString) : preRedirectURL, effectiveViolatedDirective);
     }
 
     info.documentURI = m_documentURL ? m_documentURL.value().strippedForUseAsReferrer() : blockedURI;
     info.lineNumber = sourcePosition.m_line.oneBasedInt();
     info.columnNumber = sourcePosition.m_column.oneBasedInt();
-    info.sample = violatedDirectiveList.shouldReportSample(violatedDirective) ? sourceContent.left(40).toString() : emptyString();
+    info.sample = violatedDirectiveList.shouldReportSample(effectiveViolatedDirective) ? sourceContent.left(40).toString() : emptyString();
 
     if (m_client)
         m_client->willSendCSPViolationReport(info);
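Review bot: `createURLForReporting()` and `shouldReportSample()` now receive the single directive string, which per the log message will often be `script-src-elem` where reports previously said `script-src`. Neither helper body is part of this diff; if either compares the string against a fixed set of directive names, a policy that declares only `script-src ... 'report-sample'` could stop attaching the 40-character sample. Please confirm both helpers accept the `-elem` and `-attr` names, or add a test for `'report-sample'` on a plain `script-src` policy.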
@@ -784,7 +787,7 @@
         auto stack = createScriptCallStack(JSExecState::currentState(), 2);
         auto* callFrame = stack->firstNonNativeCallFrame();
         if (callFrame && callFrame->lineNumber()) {
-            info.sourceFile = createURLForReporting(URL { URL { }, callFrame->sourceURL() }, violatedDirective);
+            info.sourceFile = createURLForReporting(URL { URL { }, callFrame->sourceURL() }, effectiveViolatedDirective);
             info.lineNumber = callFrame->lineNumber();
             info.columnNumber = callFrame->columnNumber();
         }
@@ -799,7 +802,7 @@
     violationEventInit.documentURI = info.documentURI;
     violationEventInit.referrer = m_referrer;
     violationEventInit.blockedURI = blockedURI;
-    violationEventInit.violatedDirective = violatedDirective;
+    violationEventInit.violatedDirective = effectiveViolatedDirective; // Historical alias to effectiveDirective: https://www.w3.org/TR/CSP3/#violation-events.
     violationEventInit.effectiveDirective = effectiveViolatedDirective;
     violationEventInit.originalPolicy = violatedDirectiveList.header();
     violationEventInit.sourceFile = info.sourceFile;
@@ -837,7 +840,7 @@
     auto cspReport = JSON::Object::create();
     cspReport->setString("document-uri"_s, info.documentURI);
     cspReport->setString("referrer"_s, m_referrer);
-    cspReport->setString("violated-directive"_s, violatedDirective);
+    cspReport->setString("violated-directive"_s, effectiveViolatedDirective);
     cspReport->setString("effective-directive"_s, effectiveViolatedDirective);
     cspReport->setString("original-policy"_s, violatedDirectiveList.header());
     cspReport->setString("blocked-uri"_s, blockedURI);
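Review bot: `violated-directive` is now written from `effectiveViolatedDirective` with no explanation, while the matching `violationEventInit.violatedDirective` assignment earlier in this function carries a comment citing the CSP3 historical alias. Repeat that comment, or a short reference to it, on the `cspReport->setString("violated-directive"_s, ...)` line so the two identical values in the JSON report are not later mistaken for a copy-paste error.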

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (288677 => 288678)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-01-27 18:13:52 UTC (rev 288678)
@@ -217,12 +217,12 @@
     bool shouldPerformEarlyCSPCheck() const;
     
     using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
-    bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate, const URL& preRedirectURL = URL()) const;
+    bool allowResourceFromSource(const URL&, RedirectResponseReceived, ResourcePredicate, const URL& preRedirectURL = URL()) const;
 
-    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*, StringView sourceContent) const;
-    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
+    void reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*, StringView sourceContent) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
+    void reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
+    void reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 
     // We can never have both a script execution context and a ContentSecurityPolicyClient.
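Review bot: The parameter names in these declarations are swapped relative to the definitions in ContentSecurityPolicy.cpp. Here the short `const String&` overload names its first parameter `effectiveViolatedDirective` and the long one names it `violatedDirective`, while the .cpp defines the short overload with `violatedDirective` and the long one with `effectiveViolatedDirective`. Since the purpose of the change is that only one directive string exists, pick one name and use it in all four places.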

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (288677 => 288678)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2022-01-27 18:13:52 UTC (rev 288678)
@@ -220,7 +220,7 @@
 
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes, const URL& url, ParserInserted parserInserted) const
 {
-    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
     if (checkHashes(operativeDirective, hashes)
         || checkNonParserInsertedScripts(operativeDirective, parserInserted)
         || checkNonce(operativeDirective, nonce)
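Review bot: The second argument to `operativeDirectiveScript()` changes from `scriptSrc` to `scriptSrcElem` here, and this is the only call site updated in the diff. The body of `operativeDirectiveScript()` is not shown, so please confirm that this argument only affects the name used for reporting and not which directive is selected for enforcement, and check whether the other lookups that pass `m_scriptSrcElem.get()` need the same change to keep reported names consistent.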
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
