Changeset 286150 in webkit

Timestamp:

Nov 24, 2021 8:20:55 AM (8 months ago)

Author:

Patrick Griffis

Message:

CSP: Implement submitting samples in violation reports
​https://bugs.webkit.org/show_bug.cgi?id=233398

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update expectations with more passes.

• web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt:

Source/WebCore:

This implements handling 'report-sample' directive and submits a sample
for style-src and script-src. It doesn't currently extract the source
from eval() yet.

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
(WebCore::ContentSecurityPolicy::allowFrameAncestors const):
(WebCore::ContentSecurityPolicy::allowPluginType const):
(WebCore::ContentSecurityPolicy::allowObjectFromSource const):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowConnectToSource const):
(WebCore::ContentSecurityPolicy::allowBaseURI const):
(WebCore::ContentSecurityPolicy::reportViolation const):

• page/csp/ContentSecurityPolicy.h:
• page/csp/ContentSecurityPolicyClient.h:
• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::shouldReportSample const):

• page/csp/ContentSecurityPolicyDirectiveList.h:
• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::parseSource):

• page/csp/ContentSecurityPolicySourceList.h:

(WebCore::ContentSecurityPolicySourceList::shouldReportSample const):

• page/csp/ContentSecurityPolicySourceListDirective.h:

(WebCore::ContentSecurityPolicySourceListDirective::shouldReportSample const):

Location:

trunk

Files:

• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (16 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyClient.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (modified) (1 diff)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-11-24  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Implement submitting samples in violation reports
+        https://bugs.webkit.org/show_bug.cgi?id=233398
+
+        Reviewed by Kate Cheney.
+
+        Update expectations with more passes.
+
+        * web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt:
+
 2021-11-24  Manuel Rego Casasnovas  <rego@igalia.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''report-sample''. It will be ignored.
-CONSOLE MESSAGE: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
 
 Harness Error (TIMEOUT), message = null
 
-TIMEOUT Inline script should have a sample. Test timed out
-TIMEOUT Inline event handlers should have a sample. Test timed out
+PASS Inline script should have a sample.
+PASS Inline event handlers should have a sample.
 TIMEOUT JavaScript URLs in iframes should have a sample. Test timed out
 TIMEOUT eval() should have a sample. Test timed out

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because 'unsafe-eval' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
 
 Harness Error (TIMEOUT), message = null
 
-TIMEOUT Inline script should not have a sample. Test timed out
-TIMEOUT Inline event handlers should not have a sample. Test timed out
+PASS Inline script should not have a sample.
+PASS Inline event handlers should not have a sample.
 TIMEOUT JavaScript URLs in iframes should not have a sample. Test timed out
-TIMEOUT eval()-alikes should not have a sample. Test timed out
+PASS eval()-alikes should not have a sample.
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt

@@ -1 +1 @@
 
-FAIL Inline style blocks should have a sample. assert_equals: expected "p { omg: yay !important; }" but got ""
-FAIL Inline style attributes should have a sample. assert_equals: expected "omg: yay !important;" but got ""
+PASS Inline style blocks should have a sample.
+PASS Inline style attributes should have a sample.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-11-24  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Implement submitting samples in violation reports
+        https://bugs.webkit.org/show_bug.cgi?id=233398
+
+        Reviewed by Kate Cheney.
+
+        This implements handling 'report-sample' directive and submits a sample
+        for style-src and script-src. It doesn't currently extract the source
+        from eval() yet.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+        (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+        (WebCore::ContentSecurityPolicy::allowInlineScript const):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle const):
+        (WebCore::ContentSecurityPolicy::allowFrameAncestors const):
+        (WebCore::ContentSecurityPolicy::allowPluginType const):
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource const):
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
+        (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+        (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+        (WebCore::ContentSecurityPolicy::allowBaseURI const):
+        (WebCore::ContentSecurityPolicy::reportViolation const):
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyClient.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::shouldReportSample const):
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+        * page/csp/ContentSecurityPolicySourceList.h:
+        (WebCore::ContentSecurityPolicySourceList::shouldReportSample const):
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+        (WebCore::ContentSecurityPolicySourceListDirective::shouldReportSample const):
+
 2021-11-24  Ziran Sun  <zsun@igalia.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -407 +407 @@
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
         // FIXME (rdar://83332874) implement scriptSrcElem properly.
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
         if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -424 +424 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -475 +475 @@
         TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), scriptContent, sourcePosition);
     };
 
@@ -488 +488 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, scriptContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -508 +508 @@
         auto name = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? ContentSecurityPolicyDirectiveNames::styleSrcAttr : ContentSecurityPolicyDirectiveNames::styleSrcElem;
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
+        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, styleContent, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
     };
 
@@ -546 +546 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor, frame);
@@ -574 +574 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestorOrigins, ancestorOrigins);
@@ -587 +587 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url, "Refused to load", "its MIME type");
-        reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType, type, typeAttribute);
@@ -603 +603 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
@@ -617 +617 @@
         const char* effectiveViolatedDirective = violatedDirective.name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
         String consoleMessage = consoleMessageForViolation(effectiveViolatedDirective, violatedDirective, url, "Refused to load");
-        reportViolation(effectiveViolatedDirective, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(effectiveViolatedDirective, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
@@ -631 +631 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(name, violatedDirective, blockedURL, "Refused to load");
-        reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
@@ -684 +684 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition, preRedirectURL);
+        reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition, preRedirectURL);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
@@ -704 +704 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url, "Refused to change the document base URL to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
@@ -725 +725 @@
 void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
 {
-    // FIXME: Extract source file and source position from JSC::ExecState.
-    return reportViolation(violatedDirective, effectiveViolatedDirective.nameForReporting().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+    // FIXME: Extract source file, content, and position from JSC::ExecState.
+    return reportViolation(violatedDirective, effectiveViolatedDirective.nameForReporting().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
 }
 
 void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
 {
-    // FIXME: Extract source file and source position from JSC::ExecState.
-    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
-}
-
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
-{
-    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL, element);
-}
-
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
+    // FIXME: Extract source file, content, and position from JSC::ExecState.
+    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), StringView(), TextPosition(OrdinalNumber::beforeFirst(), OrdinalNumber::beforeFirst()), state);
+}
+
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
+{
+    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourceContent, sourcePosition, state, preRedirectURL, element);
+}
+
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
 {
     logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
@@ -754 +754 @@
     info.lineNumber = sourcePosition.m_line.oneBasedInt();
     info.columnNumber = sourcePosition.m_column.oneBasedInt();
+    info.sample = violatedDirectiveList.shouldReportSample(violatedDirective) ? sourceContent.left(40).toString() : emptyString();
 
     if (m_client)
@@ -802 +803 @@
     violationEventInit.lineNumber =  info.lineNumber;
     violationEventInit.columnNumber = info.columnNumber;
+    violationEventInit.sample = info.sample;
     violationEventInit.bubbles = true;
     if (m_client)

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -224 +224 @@
     void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
     void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicyClient.h

@@ -37 +37 @@
     String documentURI;
     String sourceFile;
+    String sample;
     int lineNumber { 0 };
     int columnNumber { 0 };

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -643 +643 @@
 }
 
+bool ContentSecurityPolicyDirectiveList::shouldReportSample(const String& violatedDirective) const
+{
+    ContentSecurityPolicySourceListDirective* directive = nullptr;
+    if (violatedDirective.startsWith(ContentSecurityPolicyDirectiveNames::styleSrc))
+        directive = m_styleSrc.get();
+    else if (violatedDirective.startsWith(ContentSecurityPolicyDirectiveNames::scriptSrc))
+        directive = m_scriptSrc.get();
+
+    return directive && directive->shouldReportSample();
+}
+
 } // namespace WebCore

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -87 +87 @@
     const String& webAssemblyDisabledErrorMessage() const { return m_webAssemblyDisabledErrorMessage; }
     bool isReportOnly() const { return m_reportOnly; }
+    bool shouldReportSample(const String&) const;
     const Vector<String>& reportURIs() const { return m_reportURIs; }
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -249 +249 @@
     }
 
+    if (skipExactlyIgnoringASCIICase(buffer, "'report-sample'")) {
+        m_reportSample = true;
+        return source;
+    }
+
     auto begin = buffer.position();
     auto beginHost = begin;

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

@@ -56 +56 @@
     bool allowNonParserInsertedScripts() const { return m_allowNonParserInsertedScripts; }
     bool allowUnsafeHashes() const { return m_allowUnsafeHashes; }
+    bool shouldReportSample() const { return m_reportSample; }
 
 private:
@@ -97 +98 @@
     bool m_allowNonParserInsertedScripts { false };
     bool m_allowUnsafeHashes { false };
+    bool m_reportSample { false };
 };
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h

@@ -46 +46 @@
     bool allowEval() const { return m_sourceList.allowEval(); }
     bool allowNonParserInsertedScripts() const { return m_sourceList.allowNonParserInsertedScripts(); }
+    bool shouldReportSample() const { return m_sourceList.shouldReportSample(); }
 
     OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed(); }