Bug 159830
| Summary: | CSP: Report nonce violations in report-only policies | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Daniel Bates <dbates> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | bfulgham, wilander |
| Priority: | P2 | ||
| Version: | WebKit Local Build | ||
| Hardware: | All | ||
| OS: | All | ||
| Bug Depends on: | 159841 | ||
| Bug Blocks: | |||
Daniel Bates
We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.
Daniel Bates
(In reply to comment #0)
> We should send a CSP violation report and log a console message when there
> is a nonce violation in a report-only policy.
Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce even if the nonce is found in all enforced policies. For example:
```http
...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...
```

```html
<html>
<body>
<script nonce="A">...</script>
</body>
</html>
```
This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.
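Added example, not WebKit's implementation: a small JavaScript model of the per-policy check described in the comments above. Each policy is evaluated on its own, so an enforced policy that allows the nonce does not suppress the violation from a report-only policy that does not. The parser handles only `script-src` and `'nonce-...'` sources (no `default-src` fallback, no host or scheme sources), the violation record fields and the console message wording are this example's own, and the sample headers are constructed to match the ones in the comment.

```javascript
// Added example (not WebKit code): evaluate a <script nonce="..."> against a
// set of CSP policies and collect one violation per policy that rejects it.
// Each policy is checked independently; an allow in an enforced policy does
// not hide a violation that a report-only policy would report.

// Parse a Content-Security-Policy header value into a directive map.
// Simplified: only directive names and their source lists are kept; the
// default-src fallback and non-nonce sources are not modelled here.
function parsePolicy(headerValue, reportOnly) {
  const directives = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return { reportOnly, directives, header: headerValue };
}

// Collect the nonce values from sources of the form 'nonce-<value>'.
function noncesIn(sources) {
  const nonces = new Set();
  for (const source of sources) {
    const match = /^'nonce-([^']+)'$/.exec(source);
    if (match) nonces.add(match[1]);
  }
  return nonces;
}

// Check one inline script's nonce against every policy. Returns one violation
// record per policy that does not allow it. `disposition` is "enforce" when the
// policy blocks the script and "report" when it only reports (the field names
// and message text are this example's own, not WebKit's).
function checkScriptNonce(policies, scriptNonce) {
  const violations = [];
  for (const policy of policies) {
    const sources = policy.directives.get('script-src');
    if (sources === undefined) continue; // no script-src: this policy does not restrict scripts in this simplified model
    if (noncesIn(sources).has(scriptNonce)) continue; // this policy allows the script
    const kind = policy.reportOnly ? 'report-only' : 'enforced';
    violations.push({
      disposition: policy.reportOnly ? 'report' : 'enforce',
      effectiveDirective: 'script-src',
      originalPolicy: policy.header,
      consoleMessage: `Nonce "${scriptNonce}" was not found in the ${kind} policy "${policy.header}".`,
    });
  }
  return violations;
}

// The script runs unless at least one enforced policy rejected it.
function isBlocked(violations) {
  return violations.some((v) => v.disposition === 'enforce');
}

// Constructed sample mirroring the two headers in the comment above.
const SAMPLE_POLICIES = [
  parsePolicy("script-src 'nonce-NonExistentNonce'", true),
  parsePolicy("script-src 'nonce-A'", false),
];

// Usage: <script nonce="A"> yields exactly one report-only violation and is not blocked.
const violationsForA = checkScriptNonce(SAMPLE_POLICIES, 'A');
for (const v of violationsForA) console.log(`[${v.disposition}] ${v.consoleMessage}`);
console.log(`blocked: ${isBlocked(violationsForA)}`);
```

Running it prints one `[report]` line for the report-only policy and `blocked: false`; a script with a nonce that neither policy lists would produce two violations, one of them enforced, and be blocked.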