Changeset 116268 in webkit

Timestamp:

May 6, 2012 9:34:30 PM (12 years ago)

Author:

abarth@webkit.org

Message:

Content Security Policy reports should be reported with content-type application/json, should contain all required fields
​https://bugs.webkit.org/show_bug.cgi?id=61360

Reviewed by Eric Seidel.

Source/WebCore:

This patch changes ContentSecurityPolicy to use JSON format for sending
violation reports rather than wwwform-encoding. This patch aligns our
behavior with the specification and with Mozilla. A follow up patch
will update the list of fields in the report to match the spec.

• loader/PingLoader.cpp:

(WebCore::PingLoader::reportContentSecurityPolicyViolation):

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::reportViolation):

LayoutTests:

Update results to show JSON format.

• http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
• http/tests/security/contentSecurityPolicy/report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
• http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
• http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
• http/tests/security/contentSecurityPolicy/resources/save-report.php:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/PingLoader.cpp (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-06  Adam Barth  <abarth@webkit.org>
+
+        Content Security Policy reports should be reported with content-type application/json, should contain all required fields
+        https://bugs.webkit.org/show_bug.cgi?id=61360
+
+        Reviewed by Eric Seidel.
+
+        Update results to show JSON format.
+
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+
 2012-05-06  Kenichi Ishibashi  <bashi@chromium.org>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

@@ -5 +5 @@
 
 CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
 REQUEST_METHOD: POST
 === POST DATA ===
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","violated-directive":"script-src 'self'"}}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

@@ -3 +3 @@
 ALERT: PASS
 CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
 REQUEST_METHOD: POST
 === POST DATA ===
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","violated-directive":"script-src 'self'"}}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

@@ -3 +3 @@
 ALERT: PASS
 CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
 REQUEST_METHOD: POST
 === POST DATA ===
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","violated-directive":"script-src 'self'"}}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

@@ -2 +2 @@
 
 CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
 REQUEST_METHOD: POST
 === POST DATA ===
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","violated-directive":"script-src 'self'"}}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

@@ -7 +7 @@
 --------
 CSP report received:
-CONTENT_TYPE: application/x-www-form-urlencoded
+CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html
 REQUEST_METHOD: POST
 === POST DATA ===
-document-url: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html
-violated-directive: script-src 'self'
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","violated-directive":"script-src 'self'"}}

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php

@@ -16 +16 @@
 }
 fwrite($reportFile, "=== POST DATA ===\n");
-foreach ($_POST as $name => $value) {
-    $name = undoMagicQuotes($name);
-    $value = undoMagicQuotes($value);
-    fwrite($reportFile, "$name: $value\n");
-}
+fwrite($reportFile, file_get_contents("php://input"));
 fclose($reportFile);
 rename("csp-report.txt.tmp", "csp-report.txt");

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-05-06  Adam Barth  <abarth@webkit.org>
+
+        Content Security Policy reports should be reported with content-type application/json, should contain all required fields
+        https://bugs.webkit.org/show_bug.cgi?id=61360
+
+        Reviewed by Eric Seidel.
+
+        This patch changes ContentSecurityPolicy to use JSON format for sending
+        violation reports rather than wwwform-encoding.  This patch aligns our
+        behavior with the specification and with Mozilla.  A follow up patch
+        will update the list of fields in the report to match the spec.
+
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::reportContentSecurityPolicyViolation):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::reportViolation):
+
 2012-05-06  Mary Wu  <mary.wu@torchmobile.com.cn>
 

trunk/Source/WebCore/loader/PingLoader.cpp

@@ -111 +111 @@
 #endif
     request.setHTTPMethod("POST");
-    request.setHTTPContentType("application/x-www-form-urlencoded");
+    request.setHTTPContentType("application/json");
     request.setHTTPBody(report);
     frame->loader()->addExtraFieldsToSubresourceRequest(request);

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -32 +32 @@
 #include "FormDataList.h"
 #include "Frame.h"
+#include "InspectorValues.h"
 #include "PingLoader.h"
 #include "ScriptCallStack.h"
@@ -602 +603 @@
     // harmless information.
 
-    FormDataList reportList(UTF8Encoding());
-    reportList.appendData("document-url", document->url());
+    RefPtr<InspectorObject> cspReport = InspectorObject::create();
+    cspReport->setString("document-uri", document->url());
     if (!directiveText.isEmpty())
-        reportList.appendData("violated-directive", directiveText);
-
-    RefPtr<FormData> report = FormData::create(reportList, UTF8Encoding());
+        cspReport->setString("violated-directive", directiveText);
+
+    RefPtr<InspectorObject> reportObject = InspectorObject::create();
+    reportObject->setObject("csp-report", cspReport.release());
+
+    RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
 
     for (size_t i = 0; i < m_reportURLs.size(); ++i)