Log Message
CSP: Clean up effective-violation handling in reports https://bugs.webkit.org/show_bug.cgi?id=235602
Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Updated expectations with more passes.

* web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt:
* web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt:
* web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:

Source/WebCore:

The CSP 3 spec uses the same value for effectiveDirective and violatedDirective, noting that it is now just an alias for historical purposes.
https://www.w3.org/TR/CSP3/#violation-events

I have refactored this so we only pass around a single string instead of constantly repeating the directive, which was error-prone.

This does result in a lot of `script-src` changing to `script-src-elem` in reports; however, this behavior matches what Chromium is already reporting, and it fixes some WPT results where it expects `frame-src` instead of `child-src`.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::consoleMessageForViolation):
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
(WebCore::ContentSecurityPolicy::allowEval const):
(WebCore::ContentSecurityPolicy::allowFrameAncestors const):
(WebCore::ContentSecurityPolicy::allowPluginType const):
(WebCore::ContentSecurityPolicy::allowObjectFromSource const):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
(WebCore::ContentSecurityPolicy::allowScriptFromSource const):
(WebCore::ContentSecurityPolicy::allowImageFromSource const):
(WebCore::ContentSecurityPolicy::allowStyleFromSource const):
(WebCore::ContentSecurityPolicy::allowFontFromSource const):
(WebCore::ContentSecurityPolicy::allowManifestFromSource const):
(WebCore::ContentSecurityPolicy::allowMediaFromSource const):
(WebCore::ContentSecurityPolicy::allowConnectToSource const):
(WebCore::ContentSecurityPolicy::allowFormAction const):
(WebCore::ContentSecurityPolicy::allowBaseURI const):
(WebCore::ContentSecurityPolicy::reportViolation const):
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):

LayoutTests:

Update effective-violation of expectations.

* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html:
* http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url2-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-javascript-url2-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
- trunk/LayoutTests/imported/w3c/ChangeLog
- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt
- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt
- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt
- trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Diff
Modified: trunk/LayoutTests/ChangeLog (288677 => 288678)
--- trunk/LayoutTests/ChangeLog 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/ChangeLog 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,41 @@
+2022-01-27 Patrick Griffis <pgrif...@igalia.com>
+
+ CSP: Clean up effective-violation handling in reports
+ https://bugs.webkit.org/show_bug.cgi?id=235602
+
+ Reviewed by Kate Cheney.
+
+ Update effective-violation of expectations.
+
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html:
+ * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html:
+ * http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt:
+ * http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+
2022-01-27 Tyler Wilcock <tyle...@apple.com>
AX ITM: Defer to the tree when determining AX object loading progress
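Review bot: the description line "Update effective-violation of expectations." names a field that does not exist in the report format; the field that changes in every expectation listed here is `effective-directive`. Two of the listed files (`securityviolationpolicy-block-frame-using-child-src.html` and `securityviolationpolicy-block-frame-using-default-src.html`) are test sources rather than `-expected.txt` files, so the entry should also say what changed in those tests. Suggest: "Update effective-directive in test expectations, and adjust the two securityviolationpolicy-block-frame tests accordingly."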
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
This tests that an <iframe> load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no _javascript_ alert.
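Review bot: the console message now names `frame-src` while the policy under test is `child-src 'none'` (see the test description line), so a developer reading the console is told that a directive they never wrote blocked the load. Reporting the CSP3 effective directive matches Chromium, but consider having consoleMessageForViolation mention the fallback when the effective directive is absent from the policy, for example "... does not appear in the frame-src directive (falling back to child-src) of the Content Security Policy." The same applies to the frame-redirect-blocked expectation that follows.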
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
This tests that the Content Security Policy of the page blocks an <iframe> from loading a document of a different origin through a redirect. This test PASSED if there is no _javascript_ alert.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
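Review bot: this is the test that pins the report wire format, and with `default-src 'self'` as the only fetch directive it exercises only the fallback path; both fields now read `script-src-elem`, which is the CSP3 effective directive for an inline script, but a regression that put the fallback name `script-src` back into either field would also be caught only if the policy distinguishes the two. Suggest adding a case with an explicit `script-src-elem` directive and one with `script-src` but no `script-src-elem`, so that `violated-directive` and `effective-directive` are checked against both the specific and the fallback directive here rather than only by the WPT expectations.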
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,7 +13,7 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
--------
Frame: 'enforced-1'
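Review bot: this hunk shows the change that report-uri endpoints will actually see: a policy written as `script-src http://example.com 'unsafe-inline'` now produces a report whose `effective-directive` is `script-src-elem`, a name that does not occur in `original-policy`, so consumers that key alerts on `effective-directive` equal to `script-src`, or that look the reported value up in `original-policy`, stop matching. The commit message only says the value changes "in reports"; it should state plainly that this is an observable behaviour change for report consumers, with the note that Chromium already reports this as the argument that consumers should already cope.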
@@ -25,7 +25,7 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
--------
Frame: 'enforced-2'
@@ -37,4 +37,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -15,4 +15,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -15,4 +15,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the child-src directive.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
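Review bot: The console message now names `frame-src`, but the description line that follows it still reads "blocking an frame by the child-src directive" (and carries the "an frame" typo). Given the policy under test is `child-src 'none'` and the directive now reported is `frame-src`, the description should say the frame is blocked by `frame-src` falling back to `child-src`, so a reader of the expectation is not left with two different directive names for the same block.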
@@ -9,7 +9,7 @@
PASS window.e.referrer is ""
PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
PASS window.e.violatedDirective is "frame-src"
-PASS window.e.effectiveDirective is "child-src"
+PASS window.e.effectiveDirective is "frame-src"
PASS window.e.originalPolicy is "child-src 'none'"
PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html"
PASS window.e.lineNumber is 27
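Review bot: With `effectiveDirective` now `frame-src`, this expectation has `violatedDirective` and `effectiveDirective` always equal, so the test no longer exercises any case where the two differ. That is the intended CSP3 alias behaviour, but it would be useful to keep one layout test that asserts `effectiveDirective === violatedDirective` explicitly, rather than two separate literal checks that happen to agree.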
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html 2022-01-27 18:13:52 UTC (rev 288678)
@@ -12,7 +12,7 @@
"referrer": document.referrer,
"blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
"violatedDirective": "frame-src",
- "effectiveDirective": "child-src",
+ "effectiveDirective": "frame-src",
"originalPolicy": "child-src 'none'",
"sourceFile": document.location.toString(),
"lineNumber": 27,
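Review bot: The expected object hard-codes `"lineNumber": 27`, and the matching expectation file asserts `window.e.lineNumber is 27`. The edit to `effectiveDirective` on the same line count does not shift it, but any future insertion above line 27 of this HTML will silently break the test; consider deriving the expected line number from the script's own position or documenting in a comment which line it refers to.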
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the default-src directive.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
@@ -9,7 +9,7 @@
PASS window.e.referrer is ""
PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
PASS window.e.violatedDirective is "frame-src"
-PASS window.e.effectiveDirective is "child-src"
+PASS window.e.effectiveDirective is "frame-src"
PASS window.e.originalPolicy is "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html"
PASS window.e.lineNumber is 27
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html 2022-01-27 18:13:52 UTC (rev 288678)
@@ -12,7 +12,7 @@
"referrer": document.referrer,
"blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
"violatedDirective": "frame-src",
- "effectiveDirective": "child-src",
+ "effectiveDirective": "frame-src",
"originalPolicy": "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
"sourceFile": document.location.toString(),
"lineNumber": 27,
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
--------
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blocked-when-loaded-via-_javascript_-url2-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy.
--------
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
Tests that an <iframe> that loads a cross-origin page via a redirect is blocked by the Content Security Policy child-src directive. This test PASSED if there is a console warning message.
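Review bot: The description line still says the redirected `<iframe>` is "blocked by the Content Security Policy child-src directive" while the console message directly above it now reports `frame-src`. Either reword the description to mention the `frame-src` report (with `child-src` as the directive actually written in the policy), or add a sentence to the ChangeLog explaining that console messages now name the effective directive rather than the one the author wrote.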
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -8,4 +8,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -7,4 +7,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -7,4 +7,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -8,4 +8,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -13,4 +13,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
=== POST DATA =""
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -11,4 +11,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (288677 => 288678)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (288677 => 288678)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,16 @@
+2022-01-27 Patrick Griffis <pgrif...@igalia.com>
+
+ CSP: Clean up effective-violation handling in reports
+ https://bugs.webkit.org/show_bug.cgi?id=235602
+
+ Reviewed by Kate Cheney.
+
+ Updated expectations with more passes.
+
+ * web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt:
+ * web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt:
+ * web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:
+
2022-01-27 Antti Koivisto <an...@apple.com>
[CSS Container Queries] Basic parsing support for query syntax
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt (288677 => 288678)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-cross-origin-load.sub-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -5,6 +5,6 @@
Harness Error (TIMEOUT), message = null
-FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"] assert_unreached: unexpected log: TEST COMPLETE Reached unreachable code
+PASS Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.", "violated-directive=frame-src"]
TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out
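Review bot: Only the logs subtest flips to PASS here; the `Harness Error (TIMEOUT)` and the `TIMEOUT Expecting alerts: ["PASS","PASS"]` line remain, so the file as a whole still records a timing-out test. The ChangeLog describes this as "more passes", which is accurate, but the remaining timeout on the alerts half of the test should be tracked separately so it is not mistaken for part of this change.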
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt (288677 => 288678)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -5,6 +5,6 @@
Harness Error (TIMEOUT), message = null
-FAIL Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"] assert_unreached: Logging timeout, expected logs violated-directive=frame-src not sent. Reached unreachable code
+PASS Expecting logs: ["PASS IFrame #1 generated a load event.","PASS IFrame #2 generated a load event.","PASS IFrame #3 generated a load event.","violated-directive=frame-src"]
TIMEOUT Expecting alerts: ["PASS","PASS"] Test timed out
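Review bot: The previous failure message, "expected logs violated-directive=frame-src not sent", confirms this was a report-content bug rather than a timing one, which is a good sanity check that the `child-src` to `frame-src` change is what fixed it. As with the child-src variant, the `Harness Error (TIMEOUT)` and the alerts subtest still time out, so this expectation should not be read as the test passing overall.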
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt (288677 => 288678)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -9,6 +9,6 @@
PASS Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
PASS Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.
PASS Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
-FAIL Script injected via `innerHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
-FAIL Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
+PASS Script injected via `innerHTML` is not allowed with `strict-dynamic`.
+PASS Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.
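Review bot: The old failure text shows these two subtests expected `script-src-attr` (not `script-src-elem`) for scripts injected via `innerHTML` and `insertAdjacentHTML`, yet the ChangeLog only talks about `script-src` becoming `script-src-elem`. Since the WebCore ChangeLog lists `violatedDirectiveForNonParserInsertedScripts` as touched, please add a sentence there explaining that the non-parser-inserted path now reports `script-src-attr`, so the reason these two expectations flipped is visible from the ChangeLog rather than only from this diff.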
Modified: trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (288677 => 288678)
--- trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/LayoutTests/platform/glib/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2022-01-27 18:13:52 UTC (rev 288678)
@@ -6,4 +6,4 @@
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
Modified: trunk/Source/WebCore/ChangeLog (288677 => 288678)
--- trunk/Source/WebCore/ChangeLog 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/ChangeLog 2022-01-27 18:13:52 UTC (rev 288678)
@@ -1,3 +1,50 @@
+2022-01-27 Patrick Griffis <pgrif...@igalia.com>
+
+ CSP: Clean up effective-violation handling in reports
+ https://bugs.webkit.org/show_bug.cgi?id=235602
+
+ Reviewed by Kate Cheney.
+
+ The CSP 3 spec uses the same value for effectiveDirective and
+ violatedDirective noting that is now now just an alias for historical
+ purposes. https://www.w3.org/TR/CSP3/#violation-events
+
+ I have refactored this so we only pass around a single string instead of constantly
+ repeating the directive which was error prone.
+
+ This does result in a lot of `script-src` changing to `script-src-elem` in reports
+ however this behavior matches what Chromium is already reporting and it fixes some
+ WPT results where it expects `frame-src` instead of `child-src`.
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::consoleMessageForViolation):
+ (WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
+ (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+ (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+ (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+ (WebCore::ContentSecurityPolicy::allowInlineScript const):
+ (WebCore::ContentSecurityPolicy::allowInlineStyle const):
+ (WebCore::ContentSecurityPolicy::allowEval const):
+ (WebCore::ContentSecurityPolicy::allowFrameAncestors const):
+ (WebCore::ContentSecurityPolicy::allowPluginType const):
+ (WebCore::ContentSecurityPolicy::allowObjectFromSource const):
+ (WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
+ (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+ (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+ (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+ (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+ (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+ (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+ (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::allowFormAction const):
+ (WebCore::ContentSecurityPolicy::allowBaseURI const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
+
2022-01-27 Tyler Wilcock <tyle...@apple.com>
AXLogger::add should not cause tree updates via children()
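Review bot: The ChangeLog entry has a duplicated word, "noting that is now now just an alias", and the sentence is missing its subject; "noting that violatedDirective is now just an alias for historical purposes" reads correctly. The following paragraph, "This does result in a lot of `script-src` changing to `script-src-elem` in reports however this behavior matches ...", should also be split at "however" (or take a semicolon before it), since it is a run-on as written.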
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (288677 => 288678)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-01-27 18:13:52 UTC (rev 288678)
@@ -66,13 +66,20 @@
namespace WebCore {
using namespace Inspector;
-static String consoleMessageForViolation(const char* effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const char* prefix, const char* subject = "it")
+static String consoleMessageForViolation(const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const char* prefix, const char* subject = "it")
{
+ bool isDefaultSrc = violatedDirective.isDefaultSrc();
+ String name = violatedDirective.nameForReporting();
+ if (violatedDirective.nameForReporting().startsWith(ContentSecurityPolicyDirectiveNames::scriptSrc))
+ name = ContentSecurityPolicyDirectiveNames::scriptSrc;
+ else if (violatedDirective.nameForReporting().startsWith(ContentSecurityPolicyDirectiveNames::styleSrc))
+ name = ContentSecurityPolicyDirectiveNames::styleSrc;
+
return makeString(violatedDirective.directiveList().isReportOnly() ? "[Report Only] " : "",
prefix, blockedURL.isEmpty() ? "" : " ", blockedURL.stringCenterEllipsizedToLength(), " because ", subject,
- violatedDirective.isDefaultSrc() ? " appears in neither the " : " does not appear in the ",
- effectiveViolatedDirective,
- violatedDirective.isDefaultSrc() ? " directive nor the default-src directive of the Content Security Policy." : " directive of the Content Security Policy.");
+ isDefaultSrc ? " appears in neither the " : " does not appear in the ",
+ name,
+ isDefaultSrc ? " directive nor the default-src directive of the Content Security Policy." : " directive of the Content Security Policy.");
}
ContentSecurityPolicy::ContentSecurityPolicy(URL&& protectedURL, ContentSecurityPolicyClient* client)
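Review bot: in consoleMessageForViolation the local `name` is initialised from `nameForReporting()` and then both `startsWith` tests call `violatedDirective.nameForReporting()` a second and third time; `name.startsWith(ContentSecurityPolicyDirectiveNames::scriptSrc)` reads better and makes it obvious the prefix test is on the same value. A short comment would also help here, because the console text deliberately collapses `script-src-elem`/`script-src-attr` to `script-src` (and the `style-src-*` variants to `style-src`) while the report and violation event keep the specific name; without the comment that divergence looks like a bug to the next reader.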
@@ -129,8 +136,7 @@
bool isReportOnly = policy->isReportOnly();
auto message = makeString(isReportOnly ? "[Report Only] " : "", "Blocked mixed content ",
url.stringCenterEllipsizedToLength(), " because 'block-all-mixed-content' appears in the Content Security Policy.");
- reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent,
- ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url.string(), message);
+ reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url.string(), message);
if (!isReportOnly)
allow = false;
}
@@ -369,9 +375,8 @@
return true;
bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
- // FIXME (rdar://83332874) implement scriptSrcElem properly.
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
+ String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
+ reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
didNotifyInspector = true;
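Review bot: with the `rdar://83332874` FIXME gone, the directive name in JavaScript-URL reports now comes entirely from `violatedDirective.nameForReporting()` rather than the explicit `scriptSrcElem` the old call passed, so a test expectation pinning this path to `script-src-elem` would guard the refactor. Pre-existing but visible in the context lines: this lambda notifies the inspector only when `isReportOnly()` is true, while the sibling lambdas for inline event handlers, inline scripts and eval use `!isReportOnly()`; if that inversion is not intentional it deserves a follow-up.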
@@ -388,8 +393,8 @@
return true;
bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
+ reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
didNotifyInspector = true;
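Review bot: the old call reported `script-src` for inline event handlers; the new one reports whatever `nameForReporting()` returns for the violated directive. CSP3 evaluates event-handler attributes against `script-src-attr`, so the value to expect on this path is `script-src-attr`, not the `script-src-elem` the ChangeLog describes for the general case; an expectation covering the attribute path would make that explicit.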
@@ -441,8 +446,8 @@
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
TextPosition sourcePosition(contextLine, OrdinalNumber());
const char* message = sourceURL.isEmpty() ? "Refused to execute a script" : "Refused to load";
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, sourceURL, message);
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, sourceURL.string(), consoleMessage, contextURL.string(), scriptContent, sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, sourceURL, message);
+ reportViolation(violatedDirective, sourceURL.string(), consoleMessage, contextURL.string(), scriptContent, sourcePosition);
};
auto contentHashes = generateHashesForContent(scriptContent, m_hashAlgorithmsForInlineScripts);
@@ -456,8 +461,8 @@
return true;
bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, scriptContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
+ reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, scriptContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
didNotifyInspector = true;
@@ -476,9 +481,8 @@
if (m_overrideInlineStyleAllowed)
return true;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- auto name = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? ContentSecurityPolicyDirectiveNames::styleSrcAttr : ContentSecurityPolicyDirectiveNames::styleSrcElem;
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
- reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, styleContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
+ reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, styleContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
};
auto contentHashes = generateHashesForContent(styleContent, m_hashAlgorithmsForInlineStylesheets);
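Review bot: dropping the `shouldCheckUnsafeHashes`-based choice between `styleSrcAttr` and `styleSrcElem` means the attribute-versus-element distinction is no longer decided at this call site; it now has to come from the directive object itself via `nameForReporting()`. That logic is not part of this patch, so check that a `style` attribute violation still reports `style-src-attr` and a `<style>` element `style-src-elem`; otherwise this is a silent behaviour change hidden inside the refactor.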
@@ -496,8 +500,8 @@
return true;
bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = shouldLogToConsole == LogToConsole::Yes ? consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "eval", consoleMessage, state, codeContent);
+ String consoleMessage = shouldLogToConsole == LogToConsole::Yes ? consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
+ reportViolation(violatedDirective, "eval", consoleMessage, state, codeContent);
if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
didNotifyInspector = true;
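Review bot: for eval the CSP3 effective directive is plain `script-src` (there is no `-elem`/`-attr` split for `eval`), so on this path `nameForReporting()` must yield `script-src` rather than `script-src-elem`; since the explicit `scriptSrc` argument is gone, a test on the `"eval"` blocked-URI report would confirm the name did not change along with the other script paths.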
@@ -516,8 +520,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor, frame);
}
@@ -544,8 +548,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestorOrigins, ancestorOrigins);
}
@@ -557,8 +561,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url, "Refused to load", "its MIME type");
- reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load", "its MIME type");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType, type, typeAttribute);
}
@@ -573,8 +577,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
}
@@ -586,14 +590,13 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- const char* effectiveViolatedDirective = violatedDirective.name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
- String consoleMessage = consoleMessageForViolation(effectiveViolatedDirective, violatedDirective, url, "Refused to load");
- reportViolation(effectiveViolatedDirective, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
+bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
{
if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
return true;
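Review bot: the removed ternary in allowChildFrameFromSource mapped every non-`frame-src` violation to `child-src` for both the console message and the report, which is the behaviour the `frame-src` WPT expectations rejected; the report now carries the violated directive's own `nameForReporting()`. What that returns when a policy has neither `frame-src` nor `child-src` and falls back to `default-src` is not visible in this patch, so a test for the fallback case would make the reported name stable. The `const char* name` parameter removed from allowResourceFromSource looks complete here, with all the trivial callers below updated to match.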
@@ -601,8 +604,8 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(name, violatedDirective, blockedURL, "Refused to load");
- reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
@@ -609,7 +612,7 @@
bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
}
bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& subResourceIntegrity, const String& nonce) const
@@ -623,8 +626,8 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
auto subResourceIntegrityDigests = parseSubResourceIntegrityIntoDigests(subResourceIntegrity);
@@ -634,7 +637,7 @@
bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::imgSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, preRedirectURL);
}
bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& nonce) const
@@ -645,8 +648,8 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
@@ -655,19 +658,19 @@
bool ContentSecurityPolicy::allowFontFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::fontSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, preRedirectURL);
}
#if ENABLE(APPLICATION_MANIFEST)
bool ContentSecurityPolicy::allowManifestFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::manifestSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest, preRedirectURL);
}
#endif // ENABLE(APPLICATION_MANIFEST)
bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, preRedirectURL);
}
bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
@@ -677,8 +680,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
- reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition, preRedirectURL);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to connect to");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition, preRedirectURL);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
@@ -685,7 +688,7 @@
bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
+ return allowResourceFromSource(url, redirectResponseReceived, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
}
bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
@@ -697,8 +700,8 @@
String sourceURL;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url, "Refused to change the document base URL to");
- reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to change the document base URL to");
+ reportViolation(violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
}
@@ -728,24 +731,24 @@
return SecurityOrigin::create(url)->toString();
}
-void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state, StringView sourceContent) const
+void ContentSecurityPolicy::reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state, StringView sourceContent) const
{
// FIXME: Extract source file, and position from JSC::ExecState.
- return reportViolation(violatedDirective, effectiveViolatedDirective.nameForReporting().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), sourceContent, TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+ return reportViolation(violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, String(), sourceContent, TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
{
// FIXME: Extract source file, content, and position from JSC::ExecState.
- return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+ return reportViolation(violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
+void ContentSecurityPolicy::reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
{
- return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourceContent, sourcePosition, state, preRedirectURL, element);
+ return reportViolation(violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourceContent, sourcePosition, state, preRedirectURL, element);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
{
logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
@@ -760,13 +763,13 @@
blockedURI = blockedURLString;
else {
// If there is a redirect then we use the pre-redirect URL: https://www.w3.org/TR/CSP3/#security-violation-reports.
- blockedURI = createURLForReporting(preRedirectURL.isNull() ? URL(URL(), blockedURLString) : preRedirectURL, violatedDirective);
+ blockedURI = createURLForReporting(preRedirectURL.isNull() ? URL(URL(), blockedURLString) : preRedirectURL, effectiveViolatedDirective);
}
info.documentURI = m_documentURL ? m_documentURL.value().strippedForUseAsReferrer() : blockedURI;
info.lineNumber = sourcePosition.m_line.oneBasedInt();
info.columnNumber = sourcePosition.m_column.oneBasedInt();
- info.sample = violatedDirectiveList.shouldReportSample(violatedDirective) ? sourceContent.left(40).toString() : emptyString();
+ info.sample = violatedDirectiveList.shouldReportSample(effectiveViolatedDirective) ? sourceContent.left(40).toString() : emptyString();
if (m_client)
m_client->willSendCSPViolationReport(info);
@@ -784,7 +787,7 @@
auto stack = createScriptCallStack(JSExecState::currentState(), 2);
auto* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
- info.sourceFile = createURLForReporting(URL { URL { }, callFrame->sourceURL() }, violatedDirective);
+ info.sourceFile = createURLForReporting(URL { URL { }, callFrame->sourceURL() }, effectiveViolatedDirective);
info.lineNumber = callFrame->lineNumber();
info.columnNumber = callFrame->columnNumber();
}
@@ -799,7 +802,7 @@
violationEventInit.documentURI = info.documentURI;
violationEventInit.referrer = m_referrer;
violationEventInit.blockedURI = blockedURI;
- violationEventInit.violatedDirective = violatedDirective;
+ violationEventInit.violatedDirective = effectiveViolatedDirective; // Historical alias to effectiveDirective: https://www.w3.org/TR/CSP3/#violation-events.
violationEventInit.effectiveDirective = effectiveViolatedDirective;
violationEventInit.originalPolicy = violatedDirectiveList.header();
violationEventInit.sourceFile = info.sourceFile;
@@ -837,7 +840,7 @@
auto cspReport = JSON::Object::create();
cspReport->setString("document-uri"_s, info.documentURI);
cspReport->setString("referrer"_s, m_referrer);
- cspReport->setString("violated-directive"_s, violatedDirective);
+ cspReport->setString("violated-directive"_s, effectiveViolatedDirective);
cspReport->setString("effective-directive"_s, effectiveViolatedDirective);
cspReport->setString("original-policy"_s, violatedDirectiveList.header());
cspReport->setString("blocked-uri"_s, blockedURI);
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (288677 => 288678)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2022-01-27 18:13:52 UTC (rev 288678)
@@ -217,12 +217,12 @@
bool shouldPerformEarlyCSPCheck() const;
using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
- bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate, const URL& preRedirectURL = URL()) const;
+ bool allowResourceFromSource(const URL&, RedirectResponseReceived, ResourcePredicate, const URL& preRedirectURL = URL()) const;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*, StringView sourceContent) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
+ void reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*, StringView sourceContent) const;
+ void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
+ void reportViolation(const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
+ void reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
// We can never have both a script execution context and a ContentSecurityPolicyClient.
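Review bot: parameter names in the header and the definitions disagree after this change: the `(const String&, const ContentSecurityPolicyDirectiveList&, ..., JSC::JSGlobalObject* = nullptr)` overload is declared here with `effectiveViolatedDirective` but defined in the .cpp with `violatedDirective`, while the full overload is declared here with `violatedDirective` and defined with `effectiveViolatedDirective`. Since the point of the patch is that there is now a single directive name, pick one spelling (the spec's `effectiveDirective` suggests `effectiveViolatedDirective`) and use it in both files so the declarations match the definitions.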
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (288677 => 288678)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2022-01-27 18:04:31 UTC (rev 288677)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2022-01-27 18:13:52 UTC (rev 288678)
@@ -220,7 +220,7 @@
const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes, const URL& url, ParserInserted parserInserted) const
{
- auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
+ auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
if (checkHashes(operativeDirective, hashes)
|| checkNonParserInsertedScripts(operativeDirective, parserInserted)
|| checkNonce(operativeDirective, nonce)
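Review bot: passing `scriptSrcElem` instead of `scriptSrc` to `operativeDirectiveScript` is what makes non-parser-inserted script reports say `script-src-elem`, and only this call site is in the patch. If `operativeDirectiveScript` has other callers (inline script, event handlers, external script), they need the matching `script-src-elem` or `script-src-attr` name as well, otherwise reports from different script paths will mix `script-src` and `script-src-elem` and the expectation updates in the ChangeLog will only hold for this one path.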