Title: [129150] trunk
Revision
129150
Author
[email protected]
Date
2012-09-20 11:52:31 -0700 (Thu, 20 Sep 2012)

Log Message

CSP reports should send an empty 'referrer' rather than nothing.
https://bugs.webkit.org/show_bug.cgi?id=97233

Patch by Mike West <[email protected]> on 2012-09-20
Reviewed by Adam Barth.

Source/WebCore:

Currently, if a protected resource doesn't have a referrer, then any
Content Security Policy violations send a report that doesn't contain
a referrer attribute. It's arguably friendlier to developers to include
an explicitly empty attribute.

This new behavior is covered by updates to existing test expectations
around the reporting functionality.

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation):
    Drop the 'if', and always write out a referrer.

LayoutTests:

* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
    Adding the empty 'referrer' attribute to the expectations.

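A report receiver that makes the difference this change introduces visible to a consumer, as an added example written for this page (not WebKit code and not the test harness's save-report.php). The three sample bodies are constructed to mirror the shape of the expectation files in this commit; the key lists and the 16 KiB body cap are assumptions. The parser returns None when the `referrer` key is absent (the pre-change report shape) and "" when it is present but empty (the post-change shape), so the two cases can be told apart downstream.

```python
"""Minimal CSP violation-report receiver (added example, not WebKit code).

Distinguishes a csp-report object with no "referrer" key (pre-r129150
WebKit output) from one carrying an explicitly empty string (post-r129150).
"""
import json

# Constructed sample bodies for this example; they mirror the expectation
# files in the commit and were not captured from a real browser.
REPORT_WITHOUT_REFERRER = (
    b'{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html",'
    b'"violated-directive":"script-src \'self\'",'
    b'"original-policy":"script-src \'self\'; report-uri resources/save-report.php"}}'
)
REPORT_WITH_EMPTY_REFERRER = (
    b'{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html",'
    b'"referrer":"",'
    b'"violated-directive":"script-src \'self\'",'
    b'"original-policy":"script-src \'self\'; report-uri resources/save-report.php"}}'
)
REPORT_CROSS_ORIGIN = (
    b'{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html",'
    b'"referrer":"","violated-directive":"img-src \'none\'",'
    b'"original-policy":"img-src \'none\'; report-uri resources/save-report.php",'
    b'"blocked-uri":"http://localhost:8080"}}'
)

REQUIRED_KEYS = ("document-uri", "violated-directive", "original-policy")
OPTIONAL_KEYS = ("referrer", "blocked-uri")
# Assumed cap: report endpoints accept unauthenticated POSTs from any UA.
MAX_REPORT_BYTES = 16 * 1024


class ReportError(ValueError):
    """Raised for bodies that are not a well-formed csp-report."""


def parse_csp_report(body: bytes) -> dict:
    """Validate a report POST body and return a normalised dict.

    Optional keys come back as None when the key is absent and as the string
    the UA sent (possibly "") when it is present, so a caller can tell
    "this UA did not report a referrer" from "there was no referrer".
    """
    if len(body) > MAX_REPORT_BYTES:
        raise ReportError("report body too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ReportError(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        raise ReportError("missing csp-report object")
    report = data["csp-report"]

    out = {}
    for key in REQUIRED_KEYS:
        value = report.get(key)
        if not isinstance(value, str) or not value:
            raise ReportError(f"missing or empty required key {key!r}")
        out[key] = value
    for key in OPTIONAL_KEYS:
        value = report.get(key)
        if value is not None and not isinstance(value, str):
            raise ReportError(f"non-string value for {key!r}")
        out[key] = value  # None if absent; "" or a URL string if present
    return out


def referrer_state(parsed: dict) -> str:
    """Classify the referrer field as 'absent', 'empty' or 'present'."""
    referrer = parsed["referrer"]
    if referrer is None:
        return "absent"
    return "empty" if referrer == "" else "present"


if __name__ == "__main__":
    for body in (REPORT_WITHOUT_REFERRER, REPORT_WITH_EMPTY_REFERRER, REPORT_CROSS_ORIGIN):
        parsed = parse_csp_report(body)
        print(referrer_state(parsed), parsed["violated-directive"], parsed["blocked-uri"])
```

The same None-versus-empty-string treatment is applied to `blocked-uri`, which the expectation files show is present only for resource loads, so a consumer logging reports can key on "key absent" without conflating it with "key empty".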
Diff

Modified: trunk/LayoutTests/ChangeLog (129149 => 129150)


--- trunk/LayoutTests/ChangeLog	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/ChangeLog	2012-09-20 18:52:31 UTC (rev 129150)
@@ -1,3 +1,18 @@
+2012-09-20  Mike West  <[email protected]>
+
+        CSP reports should send an empty 'referrer' rather than nothing.
+        https://bugs.webkit.org/show_bug.cgi?id=97233
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+            Adding the empty 'referrer' attribute to the expectations.
+
 2012-09-20  Simon Fraser  <[email protected]>
 
         Add WK2-specific result for this frame-flattening test (seems to be a scrollbars difference).

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -8,4 +8,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
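Review bot: every expectation updated in this patch, this one included, pins `"referrer":""`, so the only path the tests exercise is the empty one; nothing here asserts that a document that does have a referrer still reports it after the `isEmpty()` guard is removed. Note also that the `HTTP_REFERER` line above is the Referer of the report POST itself (the protected document's URL), which is a different value from the `referrer` field inside the JSON (the protected document's own referrer), so the two being different is expected and not a sign the field is wrong. Consider adding one expectation where the test page is reached via a link or redirect, so a regression that drops or mangles a non-empty referrer would be caught.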

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -5,4 +5,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080"}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -5,4 +5,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -6,4 +6,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -6,4 +6,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (129149 => 129150)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2012-09-20 18:52:31 UTC (rev 129150)
@@ -5,4 +5,4 @@
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
 REQUEST_METHOD: POST
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}

Modified: trunk/Source/WebCore/ChangeLog (129149 => 129150)


--- trunk/Source/WebCore/ChangeLog	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/Source/WebCore/ChangeLog	2012-09-20 18:52:31 UTC (rev 129150)
@@ -1,3 +1,22 @@
+2012-09-20  Mike West  <[email protected]>
+
+        CSP reports should send an empty 'referrer' rather than nothing.
+        https://bugs.webkit.org/show_bug.cgi?id=97233
+
+        Reviewed by Adam Barth.
+
+        Currently, if a protected resource doesn't have a referrer, then any
+        Content Security Policy violations send a report that doesn't contain
+        a referrer attribute. It's arguably friendlier to developers to include
+        an explicitly empty attribute.
+
+        This new behavior is covered by updates to existing test expectations
+        around the reporting functionality.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+            Drop the 'if', and always write out a referrer.
+
 2012-09-20  David Barton  <[email protected]>
 
         [MathML] Increase visual space around fraction parts, italic variables, and operators

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (129149 => 129150)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-09-20 18:42:23 UTC (rev 129149)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-09-20 18:52:31 UTC (rev 129150)
@@ -1521,8 +1521,7 @@
     RefPtr<InspectorObject> cspReport = InspectorObject::create();
     cspReport->setString("document-uri", document->url().strippedForUseAsReferrer());
     String referrer = document->referrer();
-    if (!referrer.isEmpty())
-        cspReport->setString("referrer", referrer);
+    cspReport->setString("referrer", referrer);
     if (!directiveText.isEmpty())
         cspReport->setString("violated-directive", directiveText);
     cspReport->setString("original-policy", header);
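Review bot: `referrer` is now always written verbatim from `document->referrer()`, while `document-uri` two lines above goes through `strippedForUseAsReferrer()`; since the value now reaches every report endpoint unconditionally, either confirm that `document->referrer()` can never carry a fragment or userinfo (it is the received Referer value, which the sending UA should already have stripped) or apply the same stripping for symmetry. Also, `violated-directive` on the next line keeps its `!directiveText.isEmpty()` guard, so the report's key set is still conditional for that field; if the goal is a stable shape for consumers, the same "always emit" treatment applies there, and either way the ChangeLog entry should say which keys a consumer can rely on being present.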
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
