Changeset 196664 in webkit
- Timestamp:
- Feb 16, 2016 3:22:19 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 12 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r196662 r196664 1 2016-02-16 Daniel Bates <dabates@apple.com> 2 3 CSP: Update violation report 'Content-Type' header 4 https://bugs.webkit.org/show_bug.cgi?id=153166 5 <rdar://problem/24383327> 6 7 Reviewed by Brent Fulgham. 8 9 Update expected results now that we post the Content Security Policy violation report with 10 Content-Type application/csp-report. 11 12 * TestExpectations: Update associated bugs for entries that still fail. 13 * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: 14 * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: 15 * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: 16 * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: 17 * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Fix up HTTP_REFERER and csp-report 18 to reflect the correct value for HTTP_REFERER and the correct values for the report-uri and document-uri keys in the CSP 19 report JSON object. 20 1 21 2016-02-16 Ryan Haddad <ryanhaddad@apple.com> 2 22 -
trunk/LayoutTests/TestExpectations
r196655 r196664 800 800 webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html 801 801 webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ] 802 webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]803 webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html [ Failure ]802 webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ] 803 webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html [ Failure ] 804 804 webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html [ Failure ] 805 805 webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html … … 821 821 webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ] 822 822 webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ] 823 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]824 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]825 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html [ Failure ]826 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html [ Failure ]827 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-blocked-uri.html [ Failure ]828 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-only-from-header.php [ Failure ]829 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-only.html [ Failure ]830 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html [ Failure ]831 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.html [ Failure ]832 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-uri-from-javascript.html [ Failure ]833 webkit.org/b/153 166http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ]834 webkit.org/b/153 166 webkit.org/b/153242http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]835 webkit.org/b/153 166 webkit.org/b/153242http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]823 webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ] 824 webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ] 825 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html [ Failure ] 826 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html [ Failure ] 827 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri.html [ Failure ] 828 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only-from-header.php [ Failure ] 829 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only.html [ Failure ] 830 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html [ Failure ] 831 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.html [ Failure ] 832 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-javascript.html [ Failure ] 833 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ] 834 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ] 835 webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ] 836 836 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ] 837 837 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt
r186663 r196664 1 1 CSP report received: 2 CONTENT_TYPE: application/ json2 CONTENT_TYPE: application/csp-report 3 3 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html 4 4 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt
r186663 r196664 1 1 CSP report received: 2 CONTENT_TYPE: application/ json2 CONTENT_TYPE: application/csp-report 3 3 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html 4 4 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt
r186663 r196664 1 1 CSP report received: 2 CONTENT_TYPE: application/ json2 CONTENT_TYPE: application/csp-report 3 3 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html 4 4 REQUEST_METHOD: POST -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt
r186663 r196664 1 1 CSP report received: 2 CONTENT_TYPE: application/ json2 CONTENT_TYPE: application/csp-report 3 3 HTTP_COOKIE: hello=world 4 4 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
r195367 r196664 8 8 CSP report received: 9 9 CONTENT_TYPE: application/csp-report 10 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report. html10 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html 11 11 REQUEST_METHOD: POST 12 12 === POST DATA === 13 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report. html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=generate-csp-report.html","blocked-uri":"","status-code":200}}13 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"","status-code":200}} -
trunk/Source/WebCore/ChangeLog
r196656 r196664 1 2016-02-16 Daniel Bates <dabates@apple.com> 2 3 CSP: Update violation report 'Content-Type' header 4 https://bugs.webkit.org/show_bug.cgi?id=153166 5 <rdar://problem/24383327> 6 7 Reviewed by Brent Fulgham. 8 9 Inspired by Blink patch: 10 <https://src.chromium.org/viewvc/blink?view=rev&revision=154215> 11 12 Post the Content Security Policy violation report with Content-Type application/csp-report as 13 per section Reporting of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>. 14 15 Currently we post CSP violation reports with Content-Type application/json. 16 17 * html/parser/XSSAuditorDelegate.cpp: 18 (WebCore::XSSAuditorDelegate::didBlockScript): Use report type ViolationReportType::XSSAuditor to PingLoader. 19 * loader/PingLoader.cpp: 20 (WebCore::PingLoader::sendViolationReport): Modified to take argument of type ViolationReportType 21 to determine the appropriate Content-Type header to use for the report. For a XSS Auditor violation report 22 we use Content-Type application/json. For a Content Security Policy violation report we use Content-Type 23 application/csp-report. Additionally, pass a ASCIILiteral() to ResourceRequestBase::setHTTPMethod() 24 as opposed to a constant string literal to avoid a copy of a constant string literal. 25 * loader/PingLoader.h: Add enum class ViolationReportType. 26 * page/csp/ContentSecurityPolicy.cpp: 27 (WebCore::ContentSecurityPolicy::reportViolation): Use report type ViolationReportType::ContentSecurityPolicy. 28 1 29 2016-02-16 Alex Christensen <achristensen@webkit.org> 2 30 -
trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp
r194927 r196664 109 109 110 110 if (!m_reportURL.isEmpty()) 111 PingLoader::sendViolationReport(*m_document.frame(), m_reportURL, generateViolationReport(xssInfo) );111 PingLoader::sendViolationReport(*m_document.frame(), m_reportURL, generateViolationReport(xssInfo), ViolationReportType::XSSAuditor); 112 112 } 113 113 -
trunk/Source/WebCore/loader/PingLoader.cpp
r195450 r196664 124 124 } 125 125 126 void PingLoader::sendViolationReport(Frame& frame, const URL& reportURL, RefPtr<FormData>&& report )126 void PingLoader::sendViolationReport(Frame& frame, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType reportType) 127 127 { 128 128 ResourceRequest request(reportURL); … … 133 133 #endif 134 134 135 request.setHTTPMethod("POST"); 136 request.setHTTPContentType("application/json"); 135 request.setHTTPMethod(ASCIILiteral("POST")); 137 136 request.setHTTPBody(WTFMove(report)); 137 switch (reportType) { 138 case ViolationReportType::ContentSecurityPolicy: 139 request.setHTTPContentType(ASCIILiteral("application/csp-report")); 140 break; 141 case ViolationReportType::XSSAuditor: 142 request.setHTTPContentType(ASCIILiteral("application/json")); 143 break; 144 } 138 145 139 146 bool removeCookies = true; -
trunk/Source/WebCore/loader/PingLoader.h
r195450 r196664 42 42 class ResourceRequest; 43 43 44 enum class ViolationReportType { 45 ContentSecurityPolicy, 46 XSSAuditor, 47 }; 48 44 49 class PingLoader { 45 50 public: 46 51 static void loadImage(Frame&, const URL&); 47 52 static void sendPing(Frame&, const URL& pingURL, const URL& destinationURL); 48 static void sendViolationReport(Frame&, const URL& reportURL, RefPtr<FormData>&& report );53 static void sendViolationReport(Frame&, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType); 49 54 50 55 private: -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r196582 r196664 405 405 406 406 for (const auto& url : reportURIs) 407 PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef() );407 PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy); 408 408 } 409 409
Note: See TracChangeset
for help on using the changeset viewer.