Changeset 206278 in webkit


Ignore:
Timestamp:
Sep 22, 2016 2:39:29 PM (8 years ago)
Author:
dbates@webkit.org
Message:

[CSP] Violation report may be sent to wrong domain on frame-ancestors violation
https://bugs.webkit.org/show_bug.cgi?id=162079
<rdar://problem/28321575>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where a CSP violation report may be sent to the wrong domain when the
frame-ancestors directive is violated. In particular, when the frame-ancestors directive
is violated for a page that specifies a report URI that is a relative URL then the
report URI would be resolved with respect to the parent frame's document URL and hence
be sent to the domain of the parent frame's document.

  • page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
to the blocked URL when we do not have a script execution context.

LayoutTests:

Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
to validate that the CSP violation report was sent to the appropriate host. Update test expectations.

Note that the presence of "localhost" in the HTTP Host header in the test results for tests
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
verify that we resolve a relative URL CSP report URI with respect to the blocked URL.

  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
  • http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
  • http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
  • http/tests/security/contentSecurityPolicy/resources/save-report.php:
  • http/tests/security/xssAuditor/report-script-tag-expected.txt:
  • http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
  • http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
Location:
trunk
Files:
49 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r206277 r206278  
     12016-09-22  Daniel Bates  <dabates@apple.com>
     2
     3        [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
     4        https://bugs.webkit.org/show_bug.cgi?id=162079
     5        <rdar://problem/28321575>
     6
     7        Reviewed by Andy Estes.
     8
     9        Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
     10        to validate that the CSP violation report was sent to the appropriate host. Update test expectations.
     11
     12        Note that the presence of "localhost" in the HTTP Host header in the test results for tests
     13        security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
     14        security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
     15        verify that we resolve a relative URL CSP report URI with respect to the blocked URL.
     16
     17        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
     18        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
     19        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
     20        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
     21        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
     22        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
     23        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
     24        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
     25        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
     26        * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
     27        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
     28        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
     29        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
     30        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
     31        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
     32        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
     33        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
     34        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
     35        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
     36        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
     37        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
     38        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
     39        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
     40        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
     41        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
     42        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
     43        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
     44        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
     45        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
     46        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
     47        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
     48        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
     49        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
     50        * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
     51        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
     52        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
     53        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
     54        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
     55        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
     56        * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
     57        * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
     58        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
     59        * http/tests/security/contentSecurityPolicy/resources/save-report.php:
     60        * http/tests/security/xssAuditor/report-script-tag-expected.txt:
     61        * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
     62        * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
     63
    1642016-09-22  Daniel Bates  <dabates@apple.com>
    265
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt

    r198591 r206278  
    1 CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
     1CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: localhost:8000
    45REQUEST_METHOD: POST
    56=== POST DATA ===
    6 {"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
     7{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt

    r198591 r206278  
    1 CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
     1CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: localhost:8443
    45REQUEST_METHOD: POST
    56=== POST DATA ===
    6 {"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
     7{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html

    r197972 r206278  
    1212function navigateToReport()
    1313{
    14     window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
     14    window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
    1515}
    1616</script>
    1717</head>
    18 <iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
     18<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
    1919</body>
    2020</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html

    r197972 r206278  
    1212function navigateToReport()
    1313{
    14     window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
     14    window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
    1515}
    1616</script>
    1717</head>
    18 <iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
     18<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
    1919</body>
    2020</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt

    r198591 r206278  
    1 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
     1CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45REQUEST_METHOD: POST
    56=== POST DATA ===
    6 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
     7{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt

    r198591 r206278  
    1 CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
     1CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8443
    45REQUEST_METHOD: POST
    56=== POST DATA ===
    6 {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
     7{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html

    r197972 r206278  
    1616</script>
    1717</head>
    18 <iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
     18<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
    1919</body>
    2020</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html

    r197972 r206278  
    1616</script>
    1717</head>
    18 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
     18<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
    1919</body>
    2020</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt

    r203434 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
    1213REQUEST_METHOD: POST
     
    1920CSP report received:
    2021CONTENT_TYPE: application/csp-report
     22HTTP_HOST: 127.0.0.1:8000
    2123HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
    2224REQUEST_METHOD: POST
     
    2931CSP report received:
    3032CONTENT_TYPE: application/csp-report
     33HTTP_HOST: 127.0.0.1:8000
    3134HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
    3235REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt

    r203434 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt

    r203434 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt

    r203434 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt

    r203434 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt

    r203434 r206278  
    1111CSP report received:
    1212CONTENT_TYPE: application/csp-report
     13HTTP_HOST: 127.0.0.1:8000
    1314HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
    1415REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt

    r203434 r206278  
    1111CSP report received:
    1212CONTENT_TYPE: application/csp-report
     13HTTP_HOST: 127.0.0.1:8000
    1314HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
    1415REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt

    r203434 r206278  
    1010CSP report received:
    1111CONTENT_TYPE: application/csp-report
     12HTTP_HOST: 127.0.0.1:8000
    1213HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
    1314REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt

    r203434 r206278  
    1010CSP report received:
    1111CONTENT_TYPE: application/csp-report
     12HTTP_HOST: 127.0.0.1:8000
    1213HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
    1314REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt

    r203434 r206278  
    1212CSP report received:
    1313CONTENT_TYPE: application/csp-report
     14HTTP_HOST: 127.0.0.1:8000
    1415HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
    1516REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt

    r203434 r206278  
    1212CSP report received:
    1313CONTENT_TYPE: application/csp-report
     14HTTP_HOST: 127.0.0.1:8000
    1415HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
    1516REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt

    r203434 r206278  
    1010CSP report received:
    1111CONTENT_TYPE: application/csp-report
     12HTTP_HOST: 127.0.0.1:8000
    1213HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
    1314REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt

    r203434 r206278  
    1010CSP report received:
    1111CONTENT_TYPE: application/csp-report
     12HTTP_HOST: 127.0.0.1:8000
    1213HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
    1314REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

    r198591 r206278  
    44CSP report received:
    55CONTENT_TYPE: application/csp-report
     6HTTP_HOST: 127.0.0.1:8000
    67HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
    78REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: localhost:8080
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt

    r196876 r206278  
    11CSP report received:
    22CONTENT_TYPE: application/csp-report
     3HTTP_HOST: localhost:8080
    34HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
    45REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt

    r196876 r206278  
    11CSP report received:
    22CONTENT_TYPE: application/csp-report
     3HTTP_HOST: localhost:8080
    34HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
    45REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

    r198591 r206278  
    33CSP report received:
    44CONTENT_TYPE: application/csp-report
     5HTTP_HOST: 127.0.0.1:8000
    56HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
    67REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

    r198591 r206278  
    33CSP report received:
    44CONTENT_TYPE: application/csp-report
     5HTTP_HOST: 127.0.0.1:8000
    56HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
    67REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt

    r201753 r206278  
    44CSP report received:
    55CONTENT_TYPE: application/csp-report
     6HTTP_HOST: 127.0.0.1:8000
    67HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
    78REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt

    r196876 r206278  
    11CSP report received:
    22CONTENT_TYPE: application/csp-report
     3HTTP_HOST: 127.0.0.1:8000
    34HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
    45REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt

    r198591 r206278  
    33CONTENT_TYPE: application/csp-report
    44HTTP_COOKIE: hello=world
     5HTTP_HOST: 127.0.0.1:8000
    56HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
    67REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt

    r196876 r206278  
    22CONTENT_TYPE: application/csp-report
    33HTTP_COOKIE: hello=world
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt

    r198591 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/csp-report
     11HTTP_HOST: 127.0.0.1:8443
    1112HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

    r198591 r206278  
    77CSP report received:
    88CONTENT_TYPE: application/csp-report
     9HTTP_HOST: 127.0.0.1:8000
    910HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
    1011REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt

    r198591 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/csp-report
     4HTTP_HOST: 127.0.0.1:8080
    45HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php

    r186663 r206278  
    1212ksort($httpHeaders, SORT_STRING);
    1313foreach ($httpHeaders as $name => $value) {
    14     if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
     14    if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") {
    1515        $value = undoMagicQuotes($value);
    1616        fwrite($reportFile, "$name: $value\n");
  • trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt

    r176413 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/json
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
    1213REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt

    r176413 r206278  
    22CSP report received:
    33CONTENT_TYPE: application/json
     4HTTP_HOST: 127.0.0.1:8000
    45HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
    56REQUEST_METHOD: POST
  • trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt

    r176413 r206278  
    99CSP report received:
    1010CONTENT_TYPE: application/json
     11HTTP_HOST: 127.0.0.1:8000
    1112HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
    1213REQUEST_METHOD: POST
  • trunk/Source/WebCore/ChangeLog

    r206277 r206278  
     12016-09-22  Daniel Bates  <dabates@apple.com>
     2
     3        [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
     4        https://bugs.webkit.org/show_bug.cgi?id=162079
     5        <rdar://problem/28321575>
     6
     7        Reviewed by Andy Estes.
     8
     9        Fixes an issue where a CSP violation report may be sent to the wrong domain when the
     10        frame-ancestors directive is violated. In particular, when the frame-ancestors directive
     11        is violated for a page that specifies a report URI that is a relative URL then the
     12        report URI would be resolved with respect to the parent frame's document URL and hence
     13        be sent to the domain of the parent frame's document.
     14
     15        * page/csp/ContentSecurityPolicy.cpp:
     16        (WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
     17        to the blocked URL when we do not have a script execution context.
     18
    1192016-09-22  Daniel Bates  <dabates@apple.com>
    220
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

    r206254 r206278  
    659659    RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
    660660    for (const auto& url : reportURIs)
    661         PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
     661        PingLoader::sendViolationReport(*frame, is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
    662662}
    663663
Note: See TracChangeset for help on using the changeset viewer.