Changeset 206278 in webkit
- Timestamp:
- Sep 22, 2016 2:39:29 PM (8 years ago)
- Location:
- trunk
- Files:
- 49 edited
trunk/LayoutTests/ChangeLog
r206277 r206278 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [CSP] Violation report may be sent to wrong domain on frame-ancestors violation 4 https://bugs.webkit.org/show_bug.cgi?id=162079 5 <rdar://problem/28321575> 6 7 Reviewed by Andy Estes. 8 9 Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means 10 to validate that the CSP violation report was sent to the appropriate host. Update test expectations. 11 12 Note that the presence of "localhost" in the HTTP Host header in the test results for tests 13 security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and 14 security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html 15 verify that we resolve a relative URL CSP report URI with respect to the blocked URL. 16 17 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt: 18 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt: 19 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html: 20 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html: 21 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt: 22 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt: 23 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html: 24 * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html: 25 * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt: 26 * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt: 27 * 
http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt: 28 * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt: 29 * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt: 30 * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt: 31 * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt: 32 * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt: 33 * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt: 34 * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt: 35 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt: 36 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt: 37 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt: 38 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt: 39 * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: 40 * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: 41 * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: 42 * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: 43 * 
http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: 44 * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: 45 * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: 46 * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: 47 * http/tests/security/contentSecurityPolicy/report-only-expected.txt: 48 * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: 49 * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt: 50 * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: 51 * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: 52 * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: 53 * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt: 54 * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: 55 * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: 56 * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: 57 * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: 58 * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt: 59 * http/tests/security/contentSecurityPolicy/resources/save-report.php: 60 * http/tests/security/xssAuditor/report-script-tag-expected.txt: 61 * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt: 62 * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt: 63 1 64 2016-09-22 Daniel Bates <dabates@apple.com> 2 65 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt
r198591 r206278 1 CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.1 CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy. 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: localhost:8000 4 5 REQUEST_METHOD: POST 5 6 === POST DATA === 6 {"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}7 
{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}} -
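Review bot: HTTP_HOST: localhost:8000 is the only line in this expectation that distinguishes the fixed behaviour from the old one (the CONSOLE MESSAGE and the JSON body change only in the report-uri text), so the test source should say in a comment that the expected host is the framed document's host rather than the host the test page itself is served from; a later cleanup that drops HTTP_HOST from save-report.php would otherwise silently remove the regression coverage.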
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt
r198591 r206278 1 CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.1 CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy. 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: localhost:8443 4 5 REQUEST_METHOD: POST 5 6 === POST DATA === 6 {"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}7 
{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}} -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
r197972 r206278 12 12 function navigateToReport() 13 13 { 14 window.location = "http:// 127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";14 window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html"; 15 15 } 16 16 </script> 17 17 </head> 18 <iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>18 <iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe> 19 19 </body> 20 20 </html> -
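Review bot: navigateToReport() reads the saved report back over http://localhost:8000 although the report itself is posted to https://localhost:8443 (HTTP_HOST in the expected output); that only works if save-report.php and echo-report.php share one report store across the 8000 and 8443 hosts, which is worth stating in a comment next to the URL so the cross-port read-back is not mistaken for a typo.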
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html
r197972 r206278 12 12 function navigateToReport() 13 13 { 14 window.location = "http:// 127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";14 window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html"; 15 15 } 16 16 </script> 17 17 </head> 18 <iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>18 <iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe> 19 19 </body> 20 20 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt
r198591 r206278 1 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.1 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy. 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 REQUEST_METHOD: POST 5 6 === POST DATA === 6 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}7 
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}} -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt
r198591 r206278 1 CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.1 CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy. 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8443 4 5 REQUEST_METHOD: POST 5 6 === POST DATA === 6 {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}7 
{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}} -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html
r197972 r206278 16 16 </script> 17 17 </head> 18 <iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>18 <iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe> 19 19 </body> 20 20 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html
r197972 r206278 16 16 </script> 17 17 </head> 18 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+ ../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>18 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe> 19 19 </body> 20 20 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt
r203434 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php 12 13 REQUEST_METHOD: POST … … 19 20 CSP report received: 20 21 CONTENT_TYPE: application/csp-report 22 HTTP_HOST: 127.0.0.1:8000 21 23 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php 22 24 REQUEST_METHOD: POST … … 29 31 CSP report received: 30 32 CONTENT_TYPE: application/csp-report 33 HTTP_HOST: 127.0.0.1:8000 31 34 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php 32 35 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt
r203434 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt
r203434 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
r203434 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
r203434 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
r203434 r206278 11 11 CSP report received: 12 12 CONTENT_TYPE: application/csp-report 13 HTTP_HOST: 127.0.0.1:8000 13 14 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php 14 15 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt
r203434 r206278 11 11 CSP report received: 12 12 CONTENT_TYPE: application/csp-report 13 HTTP_HOST: 127.0.0.1:8000 13 14 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php 14 15 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
r203434 r206278 10 10 CSP report received: 11 11 CONTENT_TYPE: application/csp-report 12 HTTP_HOST: 127.0.0.1:8000 12 13 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php 13 14 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
r203434 r206278 10 10 CSP report received: 11 11 CONTENT_TYPE: application/csp-report 12 HTTP_HOST: 127.0.0.1:8000 12 13 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php 13 14 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
r203434 r206278 12 12 CSP report received: 13 13 CONTENT_TYPE: application/csp-report 14 HTTP_HOST: 127.0.0.1:8000 14 15 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php 15 16 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt
r203434 r206278 12 12 CSP report received: 13 13 CONTENT_TYPE: application/csp-report 14 HTTP_HOST: 127.0.0.1:8000 14 15 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php 15 16 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
r203434 r206278 10 10 CSP report received: 11 11 CONTENT_TYPE: application/csp-report 12 HTTP_HOST: 127.0.0.1:8000 12 13 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php 13 14 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
r203434 r206278 10 10 CSP report received: 11 11 CONTENT_TYPE: application/csp-report 12 HTTP_HOST: 127.0.0.1:8000 12 13 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php 13 14 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
r198591 r206278 4 4 CSP report received: 5 5 CONTENT_TYPE: application/csp-report 6 HTTP_HOST: 127.0.0.1:8000 6 7 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php 7 8 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: localhost:8080 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt
r196876 r206278 1 1 CSP report received: 2 2 CONTENT_TYPE: application/csp-report 3 HTTP_HOST: localhost:8080 3 4 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php 4 5 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt
r196876 r206278 1 1 CSP report received: 2 2 CONTENT_TYPE: application/csp-report 3 HTTP_HOST: localhost:8080 3 4 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php 4 5 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
r198591 r206278 3 3 CSP report received: 4 4 CONTENT_TYPE: application/csp-report 5 HTTP_HOST: 127.0.0.1:8000 5 6 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php 6 7 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
r198591 r206278 3 3 CSP report received: 4 4 CONTENT_TYPE: application/csp-report 5 HTTP_HOST: 127.0.0.1:8000 5 6 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php 6 7 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt
r201753 r206278 4 4 CSP report received: 5 5 CONTENT_TYPE: application/csp-report 6 HTTP_HOST: 127.0.0.1:8000 6 7 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php 7 8 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt
r196876 r206278 1 1 CSP report received: 2 2 CONTENT_TYPE: application/csp-report 3 HTTP_HOST: 127.0.0.1:8000 3 4 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php 4 5 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt
r198591 r206278 3 3 CONTENT_TYPE: application/csp-report 4 4 HTTP_COOKIE: hello=world 5 HTTP_HOST: 127.0.0.1:8000 5 6 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php 6 7 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt
r196876 r206278 2 2 CONTENT_TYPE: application/csp-report 3 3 HTTP_COOKIE: hello=world 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt
r198591 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/csp-report 11 HTTP_HOST: 127.0.0.1:8443 11 12 HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
r198591 r206278 7 7 CSP report received: 8 8 CONTENT_TYPE: application/csp-report 9 HTTP_HOST: 127.0.0.1:8000 9 10 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html 10 11 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
r198591 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/csp-report 4 HTTP_HOST: 127.0.0.1:8080 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php
r186663 r206278 12 12 ksort($httpHeaders, SORT_STRING); 13 13 foreach ($httpHeaders as $name => $value) { 14 if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" ) {14 if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") { 15 15 $value = undoMagicQuotes($value); 16 16 fwrite($reportFile, "$name: $value\n"); -
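Review bot: the header allowlist in the `if` on line 14 is now five `===` comparisons chained with `||`; an `in_array($name, ["CONTENT_TYPE", "HTTP_COOKIE", "HTTP_HOST", "HTTP_REFERER", "REQUEST_METHOD"], true)` would read more easily and keep later additions to a single edit. The rest looks right: `ksort($httpHeaders, SORT_STRING)` on line 12 keeps the output order deterministic, so `HTTP_HOST` lands between `HTTP_COOKIE` and `HTTP_REFERER` exactly as the updated expected files show, and pinning the raw host:port of the receiving server is what lets these tests catch a report delivered to the parent frame's origin instead of the blocked document's.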
trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt
r176413 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/json 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E 12 13 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt
r176413 r206278 2 2 CSP report received: 3 3 CONTENT_TYPE: application/json 4 HTTP_HOST: 127.0.0.1:8000 4 5 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E 5 6 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt
r176413 r206278 9 9 CSP report received: 10 10 CONTENT_TYPE: application/json 11 HTTP_HOST: 127.0.0.1:8000 11 12 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E 12 13 REQUEST_METHOD: POST -
trunk/Source/WebCore/ChangeLog
r206277 r206278 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [CSP] Violation report may be sent to wrong domain on frame-ancestors violation 4 https://bugs.webkit.org/show_bug.cgi?id=162079 5 <rdar://problem/28321575> 6 7 Reviewed by Andy Estes. 8 9 Fixes an issue where a CSP violation report may be sent to the wrong domain when the 10 frame-ancestors directive is violated. In particular, when the frame-ancestors directive 11 is violated for a page that specifies a report URI that is a relative URL then the 12 report URI would be resolved with respect to the parent frame's document URL and hence 13 be sent to the domain of the parent frame's document. 14 15 * page/csp/ContentSecurityPolicy.cpp: 16 (WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect 17 to the blocked URL when we do not have a script execution context. 18 1 19 2016-09-22 Daniel Bates <dabates@apple.com> 2 20 -
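Review bot: the ChangeLog entry for `ContentSecurityPolicy::reportViolation` says the report URL is adjusted "when we do not have a script execution context", but the condition in ContentSecurityPolicy.cpp is `is<Document>(m_scriptExecutionContext)`, so the blocked-URL branch is also taken when a context exists but is not a Document. Suggest wording the entry to match the condition, e.g. "when the script execution context is not a Document", or, if the null case is the only one intended, spelling that out in the code.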
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r206254 r206278 659 659 RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8()); 660 660 for (const auto& url : reportURIs) 661 PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);661 PingLoader::sendViolationReport(*frame, is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL), report.copyRef(), ViolationReportType::ContentSecurityPolicy); 662 662 } 663 663
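Review bot: the new ternary on line 661 is re-evaluated for every entry of `reportURIs` and sits inside the argument list of `PingLoader::sendViolationReport`, which makes the call hard to read and review. Suggest deciding the base URL once before the loop, e.g. `bool resolveAgainstBlockedURL = !is<Document>(m_scriptExecutionContext);` and then `URL reportURL = resolveAgainstBlockedURL ? document.completeURL(url, blockedURL) : document.completeURL(url);` inside the loop, passing `reportURL` to the ping. Worth a comment at that point saying why: for a frame-ancestors violation `document` is not the blocked document, so resolving a relative `report-uri` against it delivers the report body (blocked URL and all) to the embedding frame's host, which is the misrouting the tests now pin with `HTTP_HOST`.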