Modified: trunk/LayoutTests/ChangeLog (116267 => 116268)
--- trunk/LayoutTests/ChangeLog 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/ChangeLog 2012-05-07 04:34:30 UTC (rev 116268)
@@ -1,3 +1,19 @@
+2012-05-06 Adam Barth <aba...@webkit.org>
+
+ Content Security Policy reports should be reported with content-type application/json, should contain all required fields
+ https://bugs.webkit.org/show_bug.cgi?id=61360
+
+ Reviewed by Eric Seidel.
+
+ Update results to show JSON format.
+
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+
2012-05-06 Kenichi Ishibashi <ba...@chromium.org>
Disallow unquoted -webkit-font-feature-settings tags
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2012-05-07 04:34:30 UTC (rev 116268)
@@ -4,9 +4,8 @@
CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
REQUEST_METHOD: POST
=== POST DATA =""
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","violated-directive":"script-src 'self'"}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2012-05-07 04:34:30 UTC (rev 116268)
@@ -2,9 +2,8 @@
ALERT: PASS
CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
REQUEST_METHOD: POST
=== POST DATA =""
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","violated-directive":"script-src 'self'"}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2012-05-07 04:34:30 UTC (rev 116268)
@@ -2,9 +2,8 @@
ALERT: PASS
CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
REQUEST_METHOD: POST
=== POST DATA =""
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","violated-directive":"script-src 'self'"}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2012-05-07 04:34:30 UTC (rev 116268)
@@ -1,9 +1,8 @@
CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
REQUEST_METHOD: POST
=== POST DATA =""
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","violated-directive":"script-src 'self'"}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2012-05-07 04:34:30 UTC (rev 116268)
@@ -6,9 +6,8 @@
Frame: '<!--framePath //<!--frame0-->-->'
--------
CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html
REQUEST_METHOD: POST
=== POST DATA =""
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","violated-directive":"script-src 'self'"}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (116267 => 116268)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2012-05-07 04:34:30 UTC (rev 116268)
@@ -15,11 +15,7 @@
}
}
fwrite($reportFile, "=== POST DATA =""
-foreach ($_POST as $name => $value) {
- $name = undoMagicQuotes($name);
- $value = undoMagicQuotes($value);
- fwrite($reportFile, "$name: $value\n");
-}
+fwrite($reportFile, file_get_contents("php://input"));
fclose($reportFile);
rename("csp-report.txt.tmp", "csp-report.txt");
?>
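Review bot: After the replacement on the `fwrite(... file_get_contents("php://input"))` line, `undoMagicQuotes` has no remaining caller in this hunk; if the two closing braces at the top of the hunk are the end of its definition, the helper is now dead code and can be removed along with the rest of the form-decoding path. Writing the raw body verbatim also means the expected files now pin the exact JSON serialization, including key order, so any later change to how the browser serializes the report will show up as a test diff rather than a parse failure; that seems acceptable for a fixture but is worth a one-line comment, e.g. `// Report body is written byte-for-byte; expected files depend on the exact JSON serialization.` `file_get_contents` returns `false` on failure and `fwrite` will then silently write nothing, which is tolerable for a test harness but could be made explicit if the file is reused. The enclosing script begins outside the hunk.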
Modified: trunk/Source/WebCore/ChangeLog (116267 => 116268)
--- trunk/Source/WebCore/ChangeLog 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/Source/WebCore/ChangeLog 2012-05-07 04:34:30 UTC (rev 116268)
@@ -1,3 +1,20 @@
+2012-05-06 Adam Barth <aba...@webkit.org>
+
+ Content Security Policy reports should be reported with content-type application/json, should contain all required fields
+ https://bugs.webkit.org/show_bug.cgi?id=61360
+
+ Reviewed by Eric Seidel.
+
+ This patch changes ContentSecurityPolicy to use JSON format for sending
+ violation reports rather than wwwform-encoding. This patch aligns our
+ behavior with the specification and with Mozilla. A follow up patch
+ will update the list of fields in the report to match the spec.
+
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::reportContentSecurityPolicyViolation):
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::reportViolation):
+
2012-05-06 Mary Wu <mary...@torchmobile.com.cn>
[BlackBerry] Support html5 download attribute.
Modified: trunk/Source/WebCore/loader/PingLoader.cpp (116267 => 116268)
--- trunk/Source/WebCore/loader/PingLoader.cpp 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/Source/WebCore/loader/PingLoader.cpp 2012-05-07 04:34:30 UTC (rev 116268)
@@ -110,7 +110,7 @@
request.setTargetType(ResourceRequest::TargetIsSubresource);
#endif
request.setHTTPMethod("POST");
- request.setHTTPContentType("application/x-www-form-urlencoded");
+ request.setHTTPContentType("application/json");
request.setHTTPBody(report);
frame->loader()->addExtraFieldsToSubresourceRequest(request);
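Review bot: The content type on the changed `setHTTPContentType` line is now fixed to JSON inside PingLoader, while the body passed in as `report` is serialized in ContentSecurityPolicy.cpp, so the two are kept in step only by convention. A short comment tying them together would help the next maintainer, e.g. `// The report body is the JSON document built in CSPDirectiveList::reportViolation; keep this content type in sync with it.` If reportContentSecurityPolicyViolation has other callers, they would now need to supply JSON bodies as well. The enclosing function begins outside the hunk.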
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (116267 => 116268)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-05-07 04:15:47 UTC (rev 116267)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-05-07 04:34:30 UTC (rev 116268)
@@ -31,6 +31,7 @@
#include "FormData.h"
#include "FormDataList.h"
#include "Frame.h"
+#include "InspectorValues.h"
#include "PingLoader.h"
#include "ScriptCallStack.h"
#include "SecurityOrigin.h"
@@ -601,13 +602,16 @@
// sent explicitly. As for which directive was violated, that's pretty
// harmless information.
- FormDataList reportList(UTF8Encoding());
- reportList.appendData("document-url", document->url());
+ RefPtr<InspectorObject> cspReport = InspectorObject::create();
+ cspReport->setString("document-uri", document->url());
if (!directiveText.isEmpty())
- reportList.appendData("violated-directive", directiveText);
+ cspReport->setString("violated-directive", directiveText);
- RefPtr<FormData> report = FormData::create(reportList, UTF8Encoding());
+ RefPtr<InspectorObject> reportObject = InspectorObject::create();
+ reportObject->setObject("csp-report", cspReport.release());
+ RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
+
for (size_t i = 0; i < m_reportURLs.size(); ++i)
PingLoader::reportContentSecurityPolicyViolation(frame, m_reportURLs[i], report);
}
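Review bot: `document->url()` is placed into the `document-uri` field verbatim on the `cspReport->setString` line, so whatever the full document URL carries (a fragment, query parameters) is sent to every configured report URI; the old code did the same, but since this hunk now builds the report against the spec's field names, it is worth checking whether the spec's `document-uri` expects the fragment stripped and, if so, sending a trimmed copy. The comment retained at the top of the hunk already discusses what the report discloses and would be the natural place to record that decision. `FormDataList` and `UTF8Encoding()` are no longer used in this function after the change; if this was their only use in the file, the `FormDataList.h` include kept in the earlier hunk can go. The enclosing function begins outside the hunk.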