153162 2016-01-15 15:18:06 -0800 CSP: Deduplicate violation reports before sending 2016-03-16 09:56:50 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All NEW BlinkMergeCandidate, InRadar P2 Normal --- 1 dbates dbates bfulgham webkit-bug-importer webkit oldest_to_newest 1155988 0 dbates 2016-01-15 15:18:06 -0800 We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155708>. CSP: Deduplicate violation reports before sending. Violation reports should be sent once and only once per page load. If a single line of code generates the same report over and over again, we should attempt to avoid spamming the report server with not-particularly valuable duplicates. For example, if a report-only policy blocks 'eval()', then the following loop would make a sysadmin somewhere quite unhappy: for (i=0;i<Number.MAX_VALUE;i++) eval(...); This patch adds a HashSet<unsigned> to ContentSecurityPolicy, and stores the hash of the stringified violation report. We check that set just before handing things off to PingLoader for delivery. If there's a match, we've already sent the report, and can safely discard it. If not we send the report, then add it to the list. Discussed on public-webappsec@w3.org: http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0000.html 1159617 1 webkit-bug-importer 2016-01-27 20:53:32 -0800 <rdar://problem/24383316>