Changeset 146137 in webkit

Timestamp:

Mar 18, 2013 3:47:00 PM (11 years ago)

Author:

mkwst@chromium.org

Message:

CSP 1.1: Add 'effective-directive' to violation reports.
​https://bugs.webkit.org/show_bug.cgi?id=112568

Reviewed by Adam Barth.

Source/WebCore:

​https://dvcs.w3.org/hg/content-security-policy/rev/bc2bb0e5072a
introduced an 'effective-directive' field on CSP violation reports,
which allows developers to distinguish between resource types when
'default-src' is the violated directive.

This patch implements the new field behind the CSP_NEXT flag.

Test: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::checkSourceAndReportViolation):
(WebCore::CSPDirectiveList::reportViolation):

These methods now accept an additional parameter to pipe the
effective directive from the initial callsite down into
ContentSecurityPolicy::reportViolation.

(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::checkNonceAndReportViolation):
(WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::allowScriptFromSource):
(WebCore::CSPDirectiveList::allowObjectFromSource):
(WebCore::CSPDirectiveList::allowChildFrameFromSource):
(WebCore::CSPDirectiveList::allowImageFromSource):
(WebCore::CSPDirectiveList::allowStyleFromSource):
(WebCore::CSPDirectiveList::allowFontFromSource):
(WebCore::CSPDirectiveList::allowMediaFromSource):
(WebCore::CSPDirectiveList::allowConnectToSource):
(WebCore::CSPDirectiveList::allowFormAction):

These methods now pass the effective directive name down
into checkSourceAndReportViolation or reportViolation.

(WebCore::ContentSecurityPolicy::reportViolation):

• page/ContentSecurityPolicy.h:

This method now accepts a new parameter that carries
the effective directive name. If CSP_NEXT is enabled,
the field is added to the violation report before it's
sent out into the world.

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html: Added.

A new test that ensures that 'default-src' doesn't show up in the
effective directive field, even if it's the directive that was
actually violated.

• platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.

This patch changes the output of violation reports for ports that
have enabled CSP_NEXT. At the moment, I think that's Chromium and
GTK only.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (21 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-18  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Add 'effective-directive' to violation reports.
+        https://bugs.webkit.org/show_bug.cgi?id=112568
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html: Added.
+            A new test that ensures that 'default-src' doesn't show up in the
+            effective directive field, even if it's the directive that was
+            actually violated.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.
+            This patch changes the output of violation reports for ports that
+            have enabled CSP_NEXT. At the moment, I think that's Chromium and
+            GTK only.
+
 2013-03-18  Kenneth Russell  <kbr@google.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-18  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Add 'effective-directive' to violation reports.
+        https://bugs.webkit.org/show_bug.cgi?id=112568
+
+        Reviewed by Adam Barth.
+
+        https://dvcs.w3.org/hg/content-security-policy/rev/bc2bb0e5072a
+        introduced an 'effective-directive' field on CSP violation reports,
+        which allows developers to distinguish between resource types when
+        'default-src' is the violated directive.
+
+        This patch implements the new field behind the CSP_NEXT flag.
+
+        Test: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
+        (WebCore::CSPDirectiveList::reportViolation):
+            These methods now accept an additional parameter to pipe the
+            effective directive from the initial callsite down into
+            ContentSecurityPolicy::reportViolation.
+        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+        (WebCore::CSPDirectiveList::checkNonceAndReportViolation):
+        (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
+        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+        (WebCore::CSPDirectiveList::allowScriptFromSource):
+        (WebCore::CSPDirectiveList::allowObjectFromSource):
+        (WebCore::CSPDirectiveList::allowChildFrameFromSource):
+        (WebCore::CSPDirectiveList::allowImageFromSource):
+        (WebCore::CSPDirectiveList::allowStyleFromSource):
+        (WebCore::CSPDirectiveList::allowFontFromSource):
+        (WebCore::CSPDirectiveList::allowMediaFromSource):
+        (WebCore::CSPDirectiveList::allowConnectToSource):
+        (WebCore::CSPDirectiveList::allowFormAction):
+            These methods now pass the effective directive name down
+            into checkSourceAndReportViolation or reportViolation.
+        (WebCore::ContentSecurityPolicy::reportViolation):
+        * page/ContentSecurityPolicy.h:
+            This method now accepts a new parameter that carries
+            the effective directive name. If CSP_NEXT is enabled,
+            the field is added to the violation report before it's
+            sent out into the world.
+
 2013-03-18  W. James MacLean  <wjmaclean@chromium.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -117 +117 @@
 static const char scriptSrc[] = "script-src";
 static const char styleSrc[] = "style-src";
-#if ENABLE(CSP_NEXT)
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
 static const char scriptNonce[] = "script-nonce";
 static const char reflectedXSS[] = "reflected-xss";
-#endif
 
 bool isDirectiveName(const String& name)
@@ -863 +861 @@
 
     SourceListDirective* operativeDirective(SourceListDirective*) const;
-    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
+    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
 
     bool checkEval(SourceListDirective*) const;
@@ -877 +875 @@
     bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
 
-    bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type) const;
+    bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type, const String& effectiveDirective) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
 
@@ -935 +933 @@
 }
 
-void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
+void CSPDirectiveList::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
+    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
 }
 
@@ -984 +982 @@
         suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";
 
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state);
+    reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state);
     if (!m_reportOnly) {
         m_policy->reportBlockedScriptExecutionToInspector(directive->text());
@@ -996 +994 @@
     if (checkNonce(directive, nonce))
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
+    reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
     return denyIfEnforcingPolicy();
 }
@@ -1009 +1007 @@
         message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
 
-    reportViolation(directive->text(), message + "\n", KURL());
+    reportViolation(directive->text(), pluginTypes, message + "\n", KURL());
     return denyIfEnforcingPolicy();
 }
@@ -1022 +1020 @@
         suffix = makeString(" Note that '", (isScript ? "script" : "style"), "-src' was not explicitly set, so 'default-src' is used as a fallback.");
 
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
+    reportViolation(directive->text(), isScript ? scriptSrc : styleSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
 
     if (!m_reportOnly) {
@@ -1032 +1030 @@
 }
 
-bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& type) const
+bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& type, const String& effectiveDirective) const
 {
     if (checkSource(directive, url))
@@ -1045 +1043 @@
     String suffix = String();
     if (directive == m_defaultSrc)
-        suffix = " Note that '" + type + "-src' was not explicitly set, so 'default-src' is used as a fallback.";
-
-    reportViolation(directive->text(), prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
+        suffix = " Note that '" + effectiveDirective + "' was not explicitly set, so 'default-src' is used as a fallback.";
+
+    reportViolation(directive->text(), effectiveDirective, prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
     return denyIfEnforcingPolicy();
 }
@@ -1118 +1116 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("script")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type, scriptSrc) :
         checkSource(operativeDirective(m_scriptSrc.get()), url);
 }
@@ -1128 +1126 @@
         return true;
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type, objectSrc) :
         checkSource(operativeDirective(m_objectSrc.get()), url);
 }
@@ -1138 +1136 @@
         return true;
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type, frameSrc) :
         checkSource(operativeDirective(m_frameSrc.get()), url);
 }
@@ -1146 +1144 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("image")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type, imgSrc) :
         checkSource(operativeDirective(m_imgSrc.get()), url);
 }
@@ -1154 +1152 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("style")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type, styleSrc) :
         checkSource(operativeDirective(m_styleSrc.get()), url);
 }
@@ -1162 +1160 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("font")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type, fontSrc) :
         checkSource(operativeDirective(m_fontSrc.get()), url);
 }
@@ -1170 +1168 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("media")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type, mediaSrc) :
         checkSource(operativeDirective(m_mediaSrc.get()), url);
 }
@@ -1178 +1176 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("connect")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type) :
+        checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type, connectSrc) :
         checkSource(operativeDirective(m_connectSrc.get()), url);
 }
@@ -1192 +1190 @@
     DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("form")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkSourceAndReportViolation(m_formAction.get(), url, type) :
+        checkSourceAndReportViolation(m_formAction.get(), url, type, formAction) :
         checkSource(m_formAction.get(), url);
 }
@@ -1666 +1664 @@
 }
 
-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
+void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
 {
     logToConsole(consoleMessage, contextURL, contextLine, state);
@@ -1698 +1696 @@
     if (!directiveText.isEmpty())
         cspReport->setString("violated-directive", directiveText);
+#if ENABLE(CSP_NEXT)
+    if (!effectiveDirective.isEmpty() && experimentalFeaturesEnabled())
+        cspReport->setString("effective-directive", effectiveDirective);
+#else
+    UNUSED_PARAM(effectiveDirective);
+#endif
     cspReport->setString("original-policy", header);
     if (blockedURL.isValid())

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -124 +124 @@
     void reportMissingReportURI(const String&) const;
     void reportUnsupportedDirective(const String&) const;
-    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
+    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
 
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;