Changeset 133323 in webkit

Timestamp:

Nov 2, 2012 11:50:57 AM (11 years ago)

Author:

tsepez@chromium.org

Message:

Support X-XSS-Protection: report=URL header syntax in XSSAuditor.
​https://bugs.webkit.org/show_bug.cgi?id=100892

Reviewed by Adam Barth.

Source/WebCore:

This patch adds a security feature which allows a violation report to be sent back
to a site when the XSSAuditor detects a reflected XSS against it. It uses the same
reporting mechanism as for CSP violation reports.

Tests: http/tests/security/xssAuditor/malformed-xss-protection-header-5.html

http/tests/security/xssAuditor/malformed-xss-protection-header-6.html
http/tests/security/xssAuditor/malformed-xss-protection-header-7.html
http/tests/security/xssAuditor/malformed-xss-protection-header-8.html
http/tests/security/xssAuditor/malformed-xss-protection-header-9.html
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/xss-protection-parsing-03.html
http/tests/security/xssAuditor/xss-protection-parsing-04.html

• html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::init):
(WebCore::XSSAuditor::filterToken):
Invoke Ping loader's violation reporting, if requested, when a reflected
XSS is detected.

• html/parser/XSSAuditor.h:

XSSAuditor class need to store the report URL as well as the undigested versions
of the request URL and request body for reporting.

• loader/MixedContentChecker.cpp:

(WebCore):

• loader/MixedContentChecker.h:

(MixedContentChecker):
Make isMixedContent() method public.

• loader/PingLoader.cpp:

(WebCore::PingLoader::sendViolationReport):

• loader/PingLoader.h:

(PingLoader):

• page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reportViolation):
Renamed reportContentSecurityPolicyViolation() method to sendViolationReport(),
since this is now used to send more than just CSP violations.

• platform/network/HTTPParsers.cpp:

(WebCore):
(WebCore::skipEquals):
(WebCore::skipValue):
(WebCore::parseXSSProtectionHeader):

• platform/network/HTTPParsers.h:

Parse and return report= directive in X-XSS-Protection header.

LayoutTests:

• http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
• http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
• http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
• http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
• http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-5.html: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-6.html: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-7.html: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-8.html: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt: Added.
• http/tests/security/xssAuditor/malformed-xss-protection-header-9.html: Added.
• http/tests/security/xssAuditor/report-script-tag-expected.txt: Added.
• http/tests/security/xssAuditor/report-script-tag.html: Added.
• http/tests/security/xssAuditor/resources/echo-intertag.pl:
• http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt: Added.
• http/tests/security/xssAuditor/xss-protection-parsing-03.html: Added.
• http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt: Added.
• http/tests/security/xssAuditor/xss-protection-parsing-04.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5.html (added)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6.html (added)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7.html (added)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8.html (added)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9.html (added)
• LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/report-script-tag.html (added)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (modified) (4 diffs)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03.html (added)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/XSSAuditor.cpp (modified) (7 diffs)
• Source/WebCore/html/parser/XSSAuditor.h (modified) (2 diffs)
• Source/WebCore/loader/MixedContentChecker.cpp (modified) (1 diff)
• Source/WebCore/loader/MixedContentChecker.h (modified) (2 diffs)
• Source/WebCore/loader/PingLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/PingLoader.h (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (1 diff)
• Source/WebCore/platform/network/HTTPParsers.cpp (modified) (3 diffs)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-11-02  Tom Sepez  <tsepez@chromium.org>
+
+        Support X-XSS-Protection: report=URL header syntax in XSSAuditor.
+        https://bugs.webkit.org/show_bug.cgi?id=100892
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-5.html: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-6.html: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-7.html: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-8.html: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-9.html: Added.
+        * http/tests/security/xssAuditor/report-script-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/report-script-tag.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+        * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt: Added.
+        * http/tests/security/xssAuditor/xss-protection-parsing-03.html: Added.
+        * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt: Added.
+        * http/tests/security/xssAuditor/xss-protection-parsing-04.html: Added.
+
 2012-11-02  Ian Vollick  <vollick@chromium.org>
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: extra characters follow valid header. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: extra characters follow valid header. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
+This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
+This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
+This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: extra characters follow valid header. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
+This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: extra characters follow valid header. The default protections will be applied.
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied.
 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
+This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

@@ -14 +14 @@
     print "X-XSS-Protection: 1; mode=block\n";
 }
+if ($cgi->param('enable-report')) {
+    print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report.php\n";
+}
+
 if ($cgi->param('valid-header') == 1) {
     print "X-XSS-Protection:   1  ;MoDe =  bLocK   \n";
@@ -20 +24 @@
     print "X-XSS-Protection: 1; \n";
 }
+if ($cgi->param('valid-header') == 3) {
+    print "X-XSS-Protection: 1; mode=block; \n";
+}
+if ($cgi->param('valid-header') == 4) {
+    print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report.php; mode=block; \n";
+}
+
 if ($cgi->param('malformed-header') == 1) {
     print "X-XSS-Protection: 12345678901234567\n";
@@ -31 +42 @@
 if ($cgi->param('malformed-header') == 4) {
     print "X-XSS-Protection: 1; mode=block-a-block-block\n";
+}
+if ($cgi->param('malformed-header') == 5) {
+    print "X-XSS-Protection: 1; mode=block; report\n";
+}
+if ($cgi->param('malformed-header') == 6) {
+    print "X-XSS-Protection: 1; report= ;\n";
+}
+if ($cgi->param('malformed-header') == 7) {
+    print "X-XSS-Protection: 1; red\n";
+}
+if ($cgi->param('malformed-header') == 8) {
+    print "X-XSS-Protection: 1; mode=block; report=/fail; mode=block;\n";
+}
+if ($cgi->param('malformed-header') == 9) {
+    print "X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;\n";
 }
 
@@ -72 +98 @@
     print "<script>if (/xssAuditorTestCookie/.test(document.cookie)) { alert('FAIL: ' + document.cookie); document.cookie = 'xssAuditorTestCookie=remove; max-age=-1'; } else alert('PASS');</script>\n";
 }
+if ($cgi->param('echo-report')) {
+    print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-report.js></script>\n";
+}
 print "</body>\n";
 print "</html>\n";

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-11-02  Tom Sepez  <tsepez@chromium.org>
+
+        Support X-XSS-Protection: report=URL header syntax in XSSAuditor.
+        https://bugs.webkit.org/show_bug.cgi?id=100892
+
+        Reviewed by Adam Barth.
+
+        This patch adds a security feature which allows a violation report to be sent back
+        to a site when the XSSAuditor detects a reflected XSS against it.  It uses the same
+        reporting mechanism as for CSP violation reports.
+
+        Tests: http/tests/security/xssAuditor/malformed-xss-protection-header-5.html
+               http/tests/security/xssAuditor/malformed-xss-protection-header-6.html
+               http/tests/security/xssAuditor/malformed-xss-protection-header-7.html
+               http/tests/security/xssAuditor/malformed-xss-protection-header-8.html
+               http/tests/security/xssAuditor/malformed-xss-protection-header-9.html
+               http/tests/security/xssAuditor/report-script-tag.html
+               http/tests/security/xssAuditor/xss-protection-parsing-03.html
+               http/tests/security/xssAuditor/xss-protection-parsing-04.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::XSSAuditor):
+        (WebCore::XSSAuditor::init):
+        (WebCore::XSSAuditor::filterToken):
+        Invoke Ping loader's violation reporting, if requested, when a reflected
+        XSS is detected.
+        
+        * html/parser/XSSAuditor.h:
+        XSSAuditor class need to store the report URL as well as the undigested versions
+        of the request URL and request body for reporting.
+
+        * loader/MixedContentChecker.cpp:
+        (WebCore):
+        * loader/MixedContentChecker.h:
+        (MixedContentChecker):
+        Make isMixedContent() method public.
+
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::sendViolationReport):
+        * loader/PingLoader.h:
+        (PingLoader):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+        Renamed reportContentSecurityPolicyViolation() method to sendViolationReport(),
+        since this is now used to send more than just CSP violations.
+        
+        * platform/network/HTTPParsers.cpp:
+        (WebCore):
+        (WebCore::skipEquals):
+        (WebCore::skipValue):
+        (WebCore::parseXSSProtectionHeader):
+        * platform/network/HTTPParsers.h:
+        Parse and return report= directive in X-XSS-Protection header.
+        
 2012-11-02  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -33 +33 @@
 #include "Document.h"
 #include "DocumentLoader.h"
+#include "FormData.h"
+#include "FormDataList.h"
 #include "Frame.h"
 #include "FrameLoaderClient.h"
@@ -40 +42 @@
 #include "HTMLParamElement.h"
 #include "HTMLParserIdioms.h"
+#include "InspectorInstrumentation.h"
+#include "InspectorValues.h"
+#include "KURL.h"
+#include "PingLoader.h"
 #include "SecurityOrigin.h"
 #include "Settings.h"
@@ -168 +174 @@
     , m_shouldAllowCDATA(false)
     , m_scriptTagNestingLevel(0)
-    , m_notifiedClient(false)
+    , m_notifyClient(true)
 {
     ASSERT(m_parser);
@@ -215 +221 @@
         m_decodedURL = String();
 
+    String httpBodyAsString;
     if (DocumentLoader* documentLoader = m_parser->document()->frame()->loader()->documentLoader()) {
         DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, (ASCIILiteral("X-XSS-Protection")));
         String headerValue = documentLoader->response().httpHeaderField(XSSProtectionHeader);
         String errorDetails;
-        m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails);
+        unsigned errorPosition = 0;
+        String reportURL;
+        m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
+
+        if ((m_xssProtection == XSSProtectionEnabled || m_xssProtection == XSSProtectionBlockEnabled) && !reportURL.isEmpty()) {
+            m_reportURL = m_parser->document()->completeURL(reportURL);
+            if (MixedContentChecker::isMixedContent(m_parser->document()->securityOrigin(), m_reportURL)) {
+                errorDetails = "insecure reporting URL for secure page";
+                m_xssProtection = XSSProtectionInvalid;
+                m_reportURL = KURL();
+            }
+        }
+
         if (m_xssProtection == XSSProtectionInvalid) {
-            DEFINE_STATIC_LOCAL(String, consoleMessageStart, (ASCIILiteral("Error parsing header X-XSS-Protection: ")));
-            DEFINE_STATIC_LOCAL(String, consoleMessageSeparator, (ASCIILiteral(": ")));
-            DEFINE_STATIC_LOCAL(String, consoleMessageEnd, (ASCIILiteral(". The default protections will be applied.")));
-            m_parser->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessageStart + headerValue + consoleMessageSeparator + errorDetails + consoleMessageEnd);
+            m_parser->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
             m_xssProtection = XSSProtectionEnabled;
         }
@@ -230 +246 @@
         FormData* httpBody = documentLoader->originalRequest().httpBody();
         if (httpBody && !httpBody->isEmpty()) {
-            String httpBodyAsString = httpBody->flattenToString();
+            httpBodyAsString = httpBody->flattenToString();
             if (!httpBodyAsString.isEmpty()) {
                 m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, decoder);
@@ -241 +257 @@
     }
 
-    if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty())
+    if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty()) {
         m_isEnabled = false;
+        return;
+    }
+
+    if (!m_reportURL.isEmpty()) {
+        // May need these for reporting later on.
+        m_originalURL = url;
+        m_originalHTTPBody = httpBodyAsString;
+    }
 }
 
@@ -273 +297 @@
              m_parser->document()->frame()->loader()->stopAllLoaders();
 
-        if (!m_notifiedClient) {
+        if (m_notifyClient) {
             m_parser->document()->frame()->loader()->client()->didDetectXSS(m_parser->document()->url(), didBlockEntirePage);
-            m_notifiedClient = true;
+            m_notifyClient = false;
+        }
+
+        if (!m_reportURL.isEmpty()) {
+            RefPtr<InspectorObject> reportDetails = InspectorObject::create();
+            reportDetails->setString("request-url", m_originalURL);
+            reportDetails->setString("request-body", m_originalHTTPBody);
+
+            RefPtr<InspectorObject> reportObject = InspectorObject::create();
+            reportObject->setObject("xss-report", reportDetails.release());
+
+            RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8().data());
+            PingLoader::sendViolationReport(m_parser->document()->frame(), m_reportURL, report);
+
+            m_reportURL = KURL();
+            m_originalURL = String();
+            m_originalHTTPBody = String();
         }
 

trunk/Source/WebCore/html/parser/XSSAuditor.h

@@ -86 +86 @@
     XSSProtectionDisposition m_xssProtection;
 
+    String m_originalURL;
+    String m_originalHTTPBody;
     String m_decodedURL;
     String m_decodedHTTPBody;
@@ -94 +96 @@
     bool m_shouldAllowCDATA;
     unsigned m_scriptTagNestingLevel;
-    bool m_notifiedClient;
+    bool m_notifyClient;
+    KURL m_reportURL;
 };
 

trunk/Source/WebCore/loader/MixedContentChecker.cpp

@@ -58 +58 @@
 }
 
+// static
 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url)
 {

trunk/Source/WebCore/loader/MixedContentChecker.h

@@ -48 +48 @@
     bool canDisplayInsecureContent(SecurityOrigin*, const KURL&) const;
     bool canRunInsecureContent(SecurityOrigin*, const KURL&) const;
+    static bool isMixedContent(SecurityOrigin*, const KURL&);
 
 private:
@@ -53 +54 @@
     FrameLoaderClient* client() const;
 
-    static bool isMixedContent(SecurityOrigin*, const KURL&);
     void logWarning(bool allowed, const String& action, const KURL&) const;
 

trunk/Source/WebCore/loader/PingLoader.cpp

@@ -104 +104 @@
 }
 
-void PingLoader::reportContentSecurityPolicyViolation(Frame* frame, const KURL& reportURL, PassRefPtr<FormData> report)
+void PingLoader::sendViolationReport(Frame* frame, const KURL& reportURL, PassRefPtr<FormData> report)
 {
     ResourceRequest request(reportURL);

trunk/Source/WebCore/loader/PingLoader.h

@@ -57 +57 @@
     static void loadImage(Frame*, const KURL& url);
     static void sendPing(Frame*, const KURL& pingURL, const KURL& destinationURL);
-    static void reportContentSecurityPolicyViolation(Frame*, const KURL& reportURL, PassRefPtr<FormData> report);
+    static void sendViolationReport(Frame*, const KURL& reportURL, PassRefPtr<FormData> report);
 
     ~PingLoader();

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -1594 +1594 @@
 
     for (size_t i = 0; i < reportURIs.size(); ++i)
-        PingLoader::reportContentSecurityPolicyViolation(frame, reportURIs[i], report);
+        PingLoader::sendViolationReport(frame, reportURIs[i], report);
 }
 

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

@@ -82 +82 @@
 }
 
+// True if the expected equals sign is seen and there is more to follow.
+static inline bool skipEquals(const String& str, unsigned &pos)
+{
+    return skipWhiteSpace(str, pos, false) && str[pos++] == '=' && skipWhiteSpace(str, pos, false);
+}
+
+// True if a value present, incrementing pos to next space or semicolon, if any.  
+// Note: might return pos == str.length().
+static inline bool skipValue(const String& str, unsigned& pos)
+{
+    unsigned start = pos;
+    unsigned len = str.length();
+    while (pos < len) {
+        if (str[pos] == ' ' || str[pos] == '\t' || str[pos] == ';')
+            break;
+        ++pos;
+    }
+    return pos != start;
+}
+
 // See RFC 2616, Section 2.2.
 bool isRFC2616Token(const String& characters)
@@ -321 +341 @@
 }
 
-XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason)
-{
-    DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("first non-blank character must be 0 or 1")));
+XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
+{
+    DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("expected 0 or 1")));
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidSeparator, (ASCIILiteral("expected semicolon")));
+    DEFINE_STATIC_LOCAL(String, failureReasonInvalidEquals, (ASCIILiteral("expected equals sign")));
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidMode, (ASCIILiteral("invalid mode directive")));
-    DEFINE_STATIC_LOCAL(String, failureReasonInvalidExtra, (ASCIILiteral("extra characters follow valid header")));
+    DEFINE_STATIC_LOCAL(String, failureReasonInvalidReport, (ASCIILiteral("invalid report directive")));
+    DEFINE_STATIC_LOCAL(String, failureReasonDuplicateMode, (ASCIILiteral("duplicate mode directive")));
+    DEFINE_STATIC_LOCAL(String, failureReasonDuplicateReport, (ASCIILiteral("duplicate report directive")));
+    DEFINE_STATIC_LOCAL(String, failureReasonInvalidDirective, (ASCIILiteral("unrecognized directive")));
 
     unsigned pos = 0;
@@ -341 +365 @@
     }
 
-    if (!skipWhiteSpace(header, pos, false))
-        return XSSProtectionEnabled;
-
-    if (header[pos++] != ';') {
-        failureReason = failureReasonInvalidSeparator;
-        return XSSProtectionInvalid;
-    }
-
-    if (!skipWhiteSpace(header, pos, false))
-        return XSSProtectionEnabled;
-
-    if (!(skipToken(header, pos, "mode")
-        && skipWhiteSpace(header, pos, false)
-        && header[pos++] == '='
-        && skipWhiteSpace(header, pos, false)
-        && skipToken(header, pos, "block"))) {
-        failureReason = failureReasonInvalidMode;
-        return XSSProtectionInvalid;
-    }
-
-    if (skipWhiteSpace(header, pos, false)) {
-        failureReason = failureReasonInvalidExtra;
-        return XSSProtectionInvalid;
-    }
-
-    return XSSProtectionBlockEnabled;
+    XSSProtectionDisposition result = XSSProtectionEnabled;
+    bool modeDirectiveSeen = false;
+    bool reportDirectiveSeen = false;
+
+    while (1) {
+        // At end of previous directive: consume whitespace, semicolon, and whitespace.
+        if (!skipWhiteSpace(header, pos, false))
+            return result;
+
+        if (header[pos++] != ';') {
+            failureReason = failureReasonInvalidSeparator;
+            failurePosition = pos;
+            return XSSProtectionInvalid;
+        }
+
+        if (!skipWhiteSpace(header, pos, false))
+            return result;
+
+        // At start of next directive.
+        if (skipToken(header, pos, "mode")) {
+            if (modeDirectiveSeen) {
+                failureReason = failureReasonDuplicateMode;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            modeDirectiveSeen = true;
+            if (!skipEquals(header, pos)) {
+                failureReason = failureReasonInvalidEquals;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            if (!skipToken(header, pos, "block")) {
+                failureReason = failureReasonInvalidMode;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            result = XSSProtectionBlockEnabled;
+        } else if (skipToken(header, pos, "report")) {
+            if (reportDirectiveSeen) {
+                failureReason = failureReasonDuplicateReport;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            reportDirectiveSeen = true;
+            if (!skipEquals(header, pos)) {
+                failureReason = failureReasonInvalidEquals;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            size_t startPos = pos;
+            if (!skipValue(header, pos)) {
+                failureReason = failureReasonInvalidReport;
+                failurePosition = pos;
+                return XSSProtectionInvalid;
+            }
+            reportURL = header.substring(startPos, pos - startPos);
+            failurePosition = startPos; // If later semantic check deems unacceptable.
+        } else {
+            failureReason = failureReasonInvalidDirective;
+            failurePosition = pos;
+            return XSSProtectionInvalid;
+        }
+    }
 }
 

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -62 +62 @@
 String extractCharsetFromMediaType(const String&); 
 void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0);
-XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason);
+XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
 String extractReasonPhraseFromHTTPStatusLine(const String&);