    2011-04-21 Adam Barth <abarth@webkit.org> · d4876fba
    abarth@webkit.org authored
            Reviewed by Eric Seidel.
    
            CSP report-uri is missing
            https://bugs.webkit.org/show_bug.cgi?id=58639
    
            Test that report-uri sends a report.  Testing approach stolen from the
            ping tests.
    
            * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
            * http/tests/security/contentSecurityPolicy/report-uri.html: Added.
            * http/tests/security/contentSecurityPolicy/resources/echo-report.php: Added.
            * http/tests/security/contentSecurityPolicy/resources/go-to-echo-report.js: Added.
            * http/tests/security/contentSecurityPolicy/resources/save-report.php: Added.
    2011-04-21  Adam Barth  <abarth@webkit.org>
    
            Reviewed by Eric Seidel.
    
            CSP report-uri is missing
            https://bugs.webkit.org/show_bug.cgi?id=58639
    
            Our implementation of report-uri differs from what's currently in the
            spec.  I sent the working group an email explaining why.  Generally,
            we're using normal form encoding instead of JSON and we're sending less
            information to a wider set of URLs.  Specifically, we send the current
            document's URL as well as the directive that was violated.  The spec
            (currently) tells us to send the raw HTTP headers and the URL that
            caused the violation, but both of these pieces of data could contain
            information that's sensitive, so we omit them for now.
    
            Test: http/tests/security/contentSecurityPolicy/report-uri.html
    
            * loader/PingLoader.cpp:
            (WebCore::PingLoader::reportContentSecurityPolicyViolation):
            * loader/PingLoader.h:
            * page/ContentSecurityPolicy.cpp:
            (WebCore::CSPDirective::CSPDirective):
            (WebCore::CSPDirective::text):
            (WebCore::ContentSecurityPolicy::reportViolation):
            (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
            (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
            (WebCore::ContentSecurityPolicy::allowInlineScript):
            (WebCore::ContentSecurityPolicy::allowEval):
            (WebCore::ContentSecurityPolicy::allowScriptFromSource):
            (WebCore::ContentSecurityPolicy::allowObjectFromSource):
            (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
            (WebCore::ContentSecurityPolicy::allowImageFromSource):
            (WebCore::ContentSecurityPolicy::allowStyleFromSource):
            (WebCore::ContentSecurityPolicy::allowFontFromSource):
            (WebCore::ContentSecurityPolicy::allowMediaFromSource):
            (WebCore::ContentSecurityPolicy::parseReportURI):
            (WebCore::ContentSecurityPolicy::addDirective):
            * page/ContentSecurityPolicy.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@84478 268f45cc-cd09-0410-ab3c-d52691b4dbfc
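The message above describes a report-uri receiver's input: a form-encoded POST carrying only the document URL and the violated directive, while the spec of the time asked for a JSON report with more data. The following is an added example, not WebKit code or its test harness, of a small report endpoint that accepts both encodings, which goes beyond the commit in also handling the JSON shape. It assumes field names the commit does not state (`document-url` and `violated-directive` for the form body; a `csp-report` wrapper with `document-uri`, `violated-directive` and `blocked-uri` for JSON), and it strips userinfo, query and fragment from every URL before storing the record, which addresses the same concern the commit raises about sensitive data in reports.

```python
"""Receiver for CSP violation reports in the two encodings discussed above.

Added example, not WebKit code. Assumed (the commit does not name them): the
form-encoded report uses the fields 'document-url' and 'violated-directive';
the JSON report uses a {"csp-report": {...}} wrapper with 'document-uri',
'violated-directive' and 'blocked-uri'.
"""
import io
import json
from urllib.parse import parse_qs, urlsplit, urlunsplit

MAX_FIELD = 2048   # cap stored field length; reports are attacker-influenced input
RECEIVED = []      # stand-in for a report store


def redact_url(url: str) -> str:
    """Keep scheme, host, port and path only: userinfo, query and fragment
    are where session tokens and other secrets tend to live."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def parse_report(content_type: str, body: bytes) -> dict:
    """Normalise a report body into one record regardless of encoding."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        # Form encoding, as this commit describes: only the document URL and
        # the violated directive are sent (field names are an assumption).
        fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        doc = fields.get("document-url", [""])[0]
        directive = fields.get("violated-directive", [""])[0]
        blocked = ""
    elif ctype == "application/json":
        payload = json.loads(body)
        report = payload.get("csp-report", payload) if isinstance(payload, dict) else None
        if not isinstance(report, dict):
            raise ValueError("JSON report is not an object")
        doc = str(report.get("document-uri", ""))
        directive = str(report.get("violated-directive", ""))
        blocked = str(report.get("blocked-uri", ""))
    else:
        raise ValueError(f"unsupported report content type: {ctype!r}")
    return {
        "encoding": "form" if ctype.endswith("urlencoded") else "json",
        "document_url": redact_url(doc)[:MAX_FIELD],
        "violated_directive": directive[:MAX_FIELD],
        "blocked_uri": redact_url(blocked)[:MAX_FIELD] if blocked else "",
    }


def csp_report_app(environ, start_response):
    """Minimal WSGI target for report-uri: stores the redacted record and
    answers 204, or 400 for a body it cannot parse."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length)
        RECEIVED.append(parse_report(environ.get("CONTENT_TYPE", ""), body))
    except ValueError:
        start_response("400 Bad Request", [("Content-Length", "0")])
        return [b""]
    start_response("204 No Content", [("Content-Length", "0")])
    return [b""]


def submit(content_type: str, body: bytes) -> str:
    """Drive the WSGI app with one in-memory request; return the status line."""
    statuses = []
    environ = {"CONTENT_TYPE": content_type, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    csp_report_app(environ, lambda status, headers: statuses.append(status))
    return statuses[0]


# Constructed sample reports (not captured traffic).
FORM_REPORT = (b"document-url=https%3A%2F%2Fexample.test%2Fpage.html%3Fsession%3Dabc"
               b"&violated-directive=script-src%20%27self%27")
JSON_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://user:pw@example.test/page.html#frag",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://third-party.test/x.js?v=2",
}}).encode()


def demo() -> list:
    """Run both samples through the endpoint and return the stored records."""
    RECEIVED.clear()
    submit("application/x-www-form-urlencoded", FORM_REPORT)
    submit("application/json; charset=utf-8", JSON_REPORT)
    return list(RECEIVED)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The endpoint deliberately answers 204 with an empty body: a report-uri target is a write-only sink and should never reflect anything it received. Redacting at ingestion rather than at display time means the sensitive parts of the URL never reach the store at all.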