- Revision: 129168
- Author: [email protected]
- Date: 2012-09-20 14:25:09 -0700 (Thu, 20 Sep 2012)
Log Message
CSP reports should send an empty "blocked-uri" rather than nothing.
https://bugs.webkit.org/show_bug.cgi?id=97256
Patch by Mike West <[email protected]> on 2012-09-20
Reviewed by Adam Barth.
Source/WebCore:
In cases where a Content Security Policy violation report is generated
without blocking a resource at a particular URI (inline scripts, for
example), we currently leave the "blocked-uri" attribute out of the
report entirely. For the same reason that we included the "referrer"
attribute in webkit.org/b/97233, we should include an explicitly empty
"blocked-uri" in these cases.
This new behavior is covered by updates to existing test expectations
around the reporting functionality.
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation):
If the 'blocked-uri' is invalid, add a "blocked-uri" attribute that
is explicitly empty.
LayoutTests:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
Updating test expectations to include an explicitly empty
"blocked-uri" as opposed to leaving it off entirely.
Diff
Modified: trunk/LayoutTests/ChangeLog (129167 => 129168)
--- trunk/LayoutTests/ChangeLog 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/ChangeLog 2012-09-20 21:25:09 UTC (rev 129168)
@@ -1,3 +1,18 @@
+2012-09-20 Mike West <[email protected]>
+
+ CSP reports should send an empty "blocked-uri" rather than nothing.
+ https://bugs.webkit.org/show_bug.cgi?id=97256
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ Updating test expectations to include an explicitly empty
+ "blocked-uri" as opposed to leaving it off entirely.
+
2012-09-20 Simon Fraser <[email protected]>
media/track/track-cue-rendering-inner-timestamps.html times out.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (129167 => 129168)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2012-09-20 21:25:09 UTC (rev 129168)
@@ -8,4 +8,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
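Review bot: every expectation updated in this patch, this `+{"csp-report":...` line included, is a `script-src 'self'` inline-script violation ending in `"blocked-uri":""`, so only the new `else` branch of reportViolation is exercised here; the `blockedURL.isValid()` branch (a real resource URI, reduced to its origin when it is cross-origin) has no expectation in this set, so it is worth confirming an existing test still covers a non-empty `blocked-uri` before landing.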
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (129167 => 129168)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2012-09-20 21:25:09 UTC (rev 129168)
@@ -6,4 +6,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (129167 => 129168)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2012-09-20 21:25:09 UTC (rev 129168)
@@ -6,4 +6,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (129167 => 129168)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2012-09-20 21:25:09 UTC (rev 129168)
@@ -5,4 +5,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (129167 => 129168)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2012-09-20 21:25:09 UTC (rev 129168)
@@ -10,4 +10,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri save-report.php","blocked-uri":""}}
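Review bot: this is the expectation worth reading most carefully: `referrer` carries the parent frame's URL while `blocked-uri` is the new empty string in the same report, which confirms the two fields are populated independently and that no frame or document URL is substituted for a missing blocked URI. No change requested.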
Modified: trunk/Source/WebCore/ChangeLog (129167 => 129168)
--- trunk/Source/WebCore/ChangeLog 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/Source/WebCore/ChangeLog 2012-09-20 21:25:09 UTC (rev 129168)
@@ -1,3 +1,25 @@
+2012-09-20 Mike West <[email protected]>
+
+ CSP reports should send an empty "blocked-uri" rather than nothing.
+ https://bugs.webkit.org/show_bug.cgi?id=97256
+
+ Reviewed by Adam Barth.
+
+ In cases where a Content Security Policy violation report is generated
+ without blocking a resource at a particular URI (inline scripts, for
+ example), we currently leave the "blocked-uri" attribute out of the
+ report entirely. For the same reason that we included the "referrer"
+ attribute in webkit.org/b/97233, we should include an explicitly empty
+ "blocked-uri" in these cases.
+
+ This new behavior is covered by updates to existing test expectations
+ around the reporting functionality.
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportViolation):
+ If the 'blocked-uri' is invalid, add a "blocked-uri" attribute that
+ is explicitly empty.
+
2012-09-20 Patrick Gansterer <[email protected]>
Add String::numberToFixedPrecisionString()
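Review bot: the per-function line `If the 'blocked-uri' is invalid` reads as though the report attribute itself were being validated; what the code tests is `blockedURL.isValid()`, i.e. whether there is a resource URL at all. Suggest wording it as `If blockedURL is invalid (as for inline scripts), add an explicitly empty "blocked-uri" attribute.` so the ChangeLog matches the condition in the source.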
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (129167 => 129168)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-20 21:16:54 UTC (rev 129167)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-20 21:25:09 UTC (rev 129168)
@@ -1527,6 +1527,8 @@
cspReport->setString("original-policy", header);
if (blockedURL.isValid())
cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
+ else
+ cspReport->setString("blocked-uri", String());
RefPtr<InspectorObject> reportObject = InspectorObject::create();
reportObject->setObject("csp-report", cspReport.release());
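Review bot: `String()` on the new `else` line is a null String rather than an empty one; the updated expectations show the serializer emits `""` for it, so the observable report is correct, but since the whole point of the change is an explicitly empty value, `emptyString()` would state that intent directly and not depend on how null strings happen to be serialized. From a disclosure standpoint the branch is fine: the valid-URL path above still reduces the value to the referrer form or the bare origin, and the empty value added here carries nothing for inline violations.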