Bug 185364

Summary: CSP should only notify Inspector to pause the debugger on the first policy to violate a directive
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-watchlist, joepeck, mkwst, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Description Daniel Bates 2018-05-06 12:33:33 PDT
It seems sufficient to tell Web Inspector that a script was blocked once for the first enforced CSP policy that it violated. Currently we tell Web Inspector that a script was blocked for each enforced CSP policy that it violated. When Web Inspector is notified of a CSP blocked script it pauses script execution. It does not seem very meaningful from a developer's perspective to have Web Inspector pause script execution for the same script because it violated more than one enforced CSP policy. Pausing once with the CSP violation text should provide enough insight for a developer to check all their CSP policies.

For completeness, a page can have more than one Content Security Policy if either its HTTP response has more than one Content-Security-Policy HTTP header or it has multiple <meta http-equiv="Content-Security-Policy"> elements (or both).
Comment 1 Daniel Bates 2018-05-06 12:39:52 PDT
Created attachment 339689 [details]
Patch
Comment 2 Brent Fulgham 2018-05-06 13:16:51 PDT
Comment on attachment 339689 [details]
Patch

Good idea! r=me
Comment 3 Daniel Bates 2018-05-07 10:41:55 PDT
Comment on attachment 339689 [details]
Patch

Clearing flags on attachment: 339689

Committed r231443: <https://trac.webkit.org/changeset/231443>
Comment 4 Daniel Bates 2018-05-07 10:41:57 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2018-05-07 10:43:01 PDT
<rdar://problem/40027826>