Bug 159830

Summary: CSP: Report nonce violations in report-only policies
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, wilander
Priority: P2
Version: WebKit Local Build
Hardware: All
OS: All
Bug Depends on: 159841
Bug Blocks:

Daniel Bates
Reported 2016-07-15 13:54:34 PDT
We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.
Daniel Bates
Comment 1 2016-07-15 15:03:21 PDT
(In reply to comment #0)
> We should send a CSP violation report and log a console message when there
> is a nonce violation in a report-only policy.

Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce even if the nonce is found in all enforced policies. For example:

...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...
<html>
<body>
<script nonce="A">...</script>
</body>
</html>

This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.
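The behaviour comment 1 asks for, modelled as an added example (this is not WebKit code and is not part of the bug report): each delivered policy, enforced or report-only, is checked independently against the script's nonce, so a report-only policy that lacks the nonce produces a report and a console message even when every enforced policy allows the script. The policy parser below is a deliberate toy that understands only `script-src` with `'nonce-…'` sources; the function names, the report object shape and the console message wording are assumptions for illustration, not WebKit's.

```javascript
// Added example: independent per-policy nonce evaluation for an inline
// <script nonce="..."> when several CSP headers are present.
// Toy parser: only script-src and 'nonce-...' sources are understood
// (assumption; a real CSP parser handles many more directives and sources).
function parsePolicy(header, reportOnly) {
  const nonces = [];
  let hasScriptSrc = false;
  for (const directive of header.split(';').map((d) => d.trim()).filter(Boolean)) {
    const [name, ...sources] = directive.split(/\s+/);
    if (name.toLowerCase() !== 'script-src') continue;
    hasScriptSrc = true;
    for (const src of sources) {
      // Nonce values are base64-ish; quotes are part of the source token.
      const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(src);
      if (m) nonces.push(m[1]);
    }
  }
  return { header, reportOnly, hasScriptSrc, nonces };
}

// Evaluate one inline script against every policy. Report-only policies
// never block, but each one that does not list the nonce still yields a
// violation report and a console message; enforced policies additionally
// block. Stopping at the first policy that allows the script would be the
// bug described above: the report-only violation would be lost.
function checkInlineScript(policies, scriptNonce) {
  const result = { blocked: false, reports: [], consoleMessages: [] };
  for (const p of policies) {
    if (!p.hasScriptSrc) continue; // toy: policies without script-src do not govern scripts
    const allowed = scriptNonce !== null && p.nonces.includes(scriptNonce);
    if (allowed) continue;
    result.reports.push({
      disposition: p.reportOnly ? 'report' : 'enforce', // hypothetical field names
      violatedDirective: 'script-src',
      originalPolicy: p.header,
    });
    result.consoleMessages.push(
      `${p.reportOnly ? '[Report Only] ' : ''}Refused to execute inline script because ` +
      `its nonce "${scriptNonce}" is not present in the ${p.reportOnly ? 'report-only' : 'enforced'} ` +
      `policy "${p.header}".`
    );
    if (!p.reportOnly) result.blocked = true;
  }
  return result;
}

// Constructed input: the exact header pair from comment 1.
const EXAMPLE_POLICIES = [
  parsePolicy("script-src 'nonce-NonExistentNonce'", true),
  parsePolicy("script-src 'nonce-A'", false),
];

// <script nonce="A"> from the example: runs (enforced policy allows it),
// but exactly one report and one console message come from the report-only policy.
const exampleResult = checkInlineScript(EXAMPLE_POLICIES, 'A');
console.log(JSON.stringify(exampleResult, null, 2));
```

Running the block prints one report with disposition `report` and `blocked: false`; changing the script's nonce to a value neither policy lists yields two reports and `blocked: true`, since the enforced policy now fails as well.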