Bug 154307

Summary: CSP: report-url directive should be ignored when contained in a policy defined via a meta element
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, bfulgham, mikispag, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Local Build   
Hardware: All   
OS: All   
Bug Depends on: 154299    
Bug Blocks: 154288    
Attachments:
Description Flags
Patch
none
Patch and Layout Test bfulgham: review+

Daniel Bates
Reported 2016-02-16 14:21:17 PST
The Content Security Policy report-uri directive should only be honored when defined in a policy via a HTTP header as per section report-uri of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/#directive-report-uri>: [[ Note: The report-uri directive will be ignored if contained within a meta element. ]] Currently we honor the report-uri directive when defined in a policy delivered via the HTML meta element or HTTP header.
Attachments
Patch (74.55 KB, patch)
2016-02-17 19:46 PST, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Patch and Layout Test (75.78 KB, patch)
2016-02-18 12:22 PST, Daniel Bates 		bfulgham: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-02-16 14:22:30 PST
<rdar://problem/24684817>
Daniel Bates
Comment 2 2016-02-17 19:46:18 PST
Created attachment 271618 [details] Patch
Daniel Bates
Comment 3 2016-02-18 12:22:38 PST
Created attachment 271681 [details] Patch and Layout Test Updated patch to fix syntax error in file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php and to remove file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (not used since <http://trac.webkit.org/changeset/176413>). This patch will fail to apply because it depends on changes to file LayoutTests/TestExpectations made in the patch for bug #154299.
Brent Fulgham
Comment 4 2016-02-18 17:41:38 PST
Comment on attachment 271681 [details] Patch and Layout Test View in context: https://bugs.webkit.org/attachment.cgi?id=271681&action=review r=me. > Source/WebCore/ChangeLog:14 > + via a HTTP header and log a message to the Web Inspector console to explain that the directive I think this should all read "... an HTTP" or "... an HTML".
Daniel Bates
Comment 5 2016-02-21 11:04:15 PST
Committed r196875: <http://trac.webkit.org/changeset/196875>
Daniel Bates
Comment 6 2016-02-21 17:33:44 PST
Committed fixes for Content Extension test failures in <https://trac.webkit.org/changeset/196878> and <https://trac.webkit.org/changeset/196879>.
Daniel Bates
Comment 7 2016-06-01 20:18:44 PDT
*** Bug 158263 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.