Bug 153162

Summary:	CSP: Deduplicate violation reports before sending
Product:	WebKit	Reporter:	Daniel Bates <dbates>
Component:	WebCore Misc.	Assignee:	Daniel Bates <dbates>
Status:	NEW ---
Severity:	Normal	CC:	bfulgham, scotthelme, webkit-bug-importer
Priority:	P2	Keywords:	BlinkMergeCandidate, InRadar
Version:	WebKit Local Build
Hardware:	All
OS:	All

Description Daniel Bates 2016-01-15 15:18:06 PST

We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155708>.

CSP: Deduplicate violation reports before sending.

Violation reports should be sent once and only once per page load. If a
single line of code generates the same report over and over again, we
should attempt to avoid spamming the report server with not-particularly
valuable duplicates.

For example, if a report-only policy blocks 'eval()', then the following
loop would make a sysadmin somewhere quite unhappy:

    for (i=0;i<Number.MAX_VALUE;i++)
      eval(...);

This patch adds a HashSet<unsigned> to ContentSecurityPolicy, and stores
the hash of the stringified violation report. We check that set just
before handing things off to PingLoader for delivery. If there's a
match, we've already sent the report, and can safely discard it. If not
we send the report, then add it to the list.

Discussed on public-webappsec@w3.org: http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0000.html

Comment 1 Radar WebKit Bug Importer 2016-01-27 20:53:32 PST

<rdar://problem/24383316>