Bug 115702
| Summary: | CSP: Suppress stored credentials when sending cross-origin violation reports. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Ryosuke Niwa <rniwa> |
| Component: | Page Loading | Assignee: | Daniel Bates <dbates> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | achristensen, ap, beidson, bfulgham, dbates, webkit-bug-importer |
| Priority: | P2 | Keywords: | BlinkMergeCandidate, InRadar |
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Ryosuke Niwa
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/d2b1d6072cc7c5bf6de86cf3b834228e754b05b1
CSP: Suppress stored credentials when sending cross-origin violation reports.
The spec recently changed to mandate that cross-origin violation reports be POSTed
without cookies[1]. This patch changes PingLoader::PingLoader to accept a
StoredCredentials argument, and ensures that PingLoader::sendViolationReport sets
it correctly based on the origins of the protected resource and the reporting endpoint.
Two tests are included, which required the addition of CORS headers to
http/tests/cookies/resources/setCookies.cgi in order to synchronously set cookies
cross-origin via XHR. Additionally, the reporting endpoint was updated to write the
cookie header into the output, and then clear any set cookies so as not to leak into
other tests.
[1]: https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/24383107>
Daniel Bates
This was fixed in the patch for bug #146754.