Changeset 129168 in webkit

Timestamp: Sep 20, 2012 2:25:09 PM
Author: commit-queue@webkit.org
Message:

CSP reports should send an empty "blocked-uri" rather than nothing.
https://bugs.webkit.org/show_bug.cgi?id=97256

Patch by Mike West <mkwst@chromium.org> on 2012-09-20
Reviewed by Adam Barth.

Source/WebCore:

In cases where a Content Security Policy violation report is generated
without blocking a resource at a particular URI (inline scripts, for
example), we currently leave the "blocked-uri" attribute out of the
report entirely. For the same reason that we included the "referrer"
attribute in webkit.org/b/97233, we should include an explicitly empty
"blocked-uri" in these cases.

This new behavior is covered by updates to existing test expectations
around the reporting functionality.

  • page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reportViolation):

If the 'blocked-uri' is invalid, add a "blocked-uri" attribute that
is explicitly empty.

LayoutTests:

  • http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:

Updating test expectations to include an explicitly empty
"blocked-uri" as opposed to leaving it off entirely.

Location:
trunk
Files:
8 edited

  • trunk/LayoutTests/ChangeLog

    r129163 r129168  
     12012-09-20  Mike West  <mkwst@chromium.org>
     2
     3        CSP reports should send an empty "blocked-uri" rather than nothing.
     4        https://bugs.webkit.org/show_bug.cgi?id=97256
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
     9        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
     10        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
     11        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
     13            Updating test expectations to include an explicitly empty
     14            "blocked-uri" as opposed to leaving it off entirely.
     15
    1162012-09-20  Simon Fraser  <simon.fraser@apple.com>
    217
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

    r129150 r129168  
    99REQUEST_METHOD: POST
    1010=== POST DATA ===
    11 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
     11{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
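Review bot: this expectation, like the other four updated in this changeset, only exercises the inline-script path, so the new else branch is pinned but the isValid() branch (strippedForUseAsReferrer for a same-origin URL versus the bare origin string for a cross-origin one) has no expectation changed or added here; a companion test that blocks an external script and checks the reported value would close that gap. Note also that the only observable difference between the r129150 and r129168 lines is the trailing `,"blocked-uri":""`, so any report collector must treat a missing key and an empty string as the same case to handle both builds.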
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

    r129150 r129168  
    77REQUEST_METHOD: POST
    88=== POST DATA ===
    9 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
     9{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

    r129150 r129168  
    77REQUEST_METHOD: POST
    88=== POST DATA ===
    9 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
     9{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

    r129150 r129168  
    66REQUEST_METHOD: POST
    77=== POST DATA ===
    8 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
     8{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":""}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

    r118585 r129168  
    1111REQUEST_METHOD: POST
    1212=== POST DATA ===
    13 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri save-report.php"}}
     13{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri save-report.php","blocked-uri":""}}
  • trunk/Source/WebCore/ChangeLog

    r129165 r129168  
     12012-09-20  Mike West  <mkwst@chromium.org>
     2
     3        CSP reports should send an empty "blocked-uri" rather than nothing.
     4        https://bugs.webkit.org/show_bug.cgi?id=97256
     5
     6        Reviewed by Adam Barth.
     7
     8        In cases where a Content Security Policy violation report is generated
     9        without blocking a resource at a particular URI (inline scripts, for
     10        example), we currently leave the "blocked-uri" attribute out of the
     11        report entirely. For the same reason that we included the "referrer"
     12        attribute in webkit.org/b/97233, we should include an explicitly empty
     13        "blocked-uri" in these cases.
     14
     15        This new behavior is covered by updates to existing test expectations
     16        around the reporting functionality.
     17
     18        * page/ContentSecurityPolicy.cpp:
     19        (WebCore::ContentSecurityPolicy::reportViolation):
     20            If the 'blocked-uri' is invalid, add a "blocked-uri" attribute that
     21            is explicitly empty.
     22
    1232012-09-20  Patrick Gansterer  <paroga@webkit.org>
    224
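Review bot: the ChangeLog entry says "If the 'blocked-uri' is invalid", but the motivating case described a few lines earlier is "without blocking a resource at a particular URI (inline scripts, for example)"; since a malformed URL would also fail the validity check, the entry should state that the empty value covers both the no-URI case and the invalid-URL case, or name only the case the tests cover.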
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r129150 r129168  
    15281528    if (blockedURL.isValid())
    15291529        cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
     1530    else
     1531        cspReport->setString("blocked-uri", String());
    15301532
    15311533    RefPtr<InspectorObject> reportObject = InspectorObject::create();
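Review bot: the else branch at line 1530 emits "" for every KURL that fails isValid(), which includes a non-empty but malformed URL as well as the empty URL used for inline scripts, so a report consumer cannot tell "no resource was blocked" from "a resource with an unparsable URL was blocked"; if those should be distinguishable, pass the original source string through or add a test with a malformed src so the collapse is at least intentional and pinned. Minor: `String()` is a null String whose serialization happens to be "" (the expectations confirm it); `emptyString()` would state the intent directly.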