Bug 192857

Summary: CSP violation reports should bypass CSP checks
Product: WebKit
Reporter: 1625258476
Component: New Bugs
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: 1625258476, bfulgham, cdumez, commit-queue, dbates, ews-watchlist, japhet, mkwst, rniwa, scotthelme, tsavell, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Mac
OS: macOS 10.14
See Also: https://bugs.webkit.org/show_bug.cgi?id=193178
Attachments (description, flags):
- Screenshot of issue in Safari (none)
- Patch (none)
- Archive of layout-test-results from ews122 for ios-simulator-wk2 (none)
- Patch (none)
- Archive of layout-test-results from ews100 for mac-sierra (none)
- Patch for landing (none)

1625258476
Reported 2018-12-19 09:26:03 PST
In Safari and Safari Technology Preview up to and including Release 71 (Safari 12.1, WebKit 14607.1.15), it is necessary to whitelist a CSP Reporting Endpoint for the reports to be sent, when "default-src" is set to "none". The console states "Failed to load resource: Blocked by Content Security Policy." and the Network Tab shows that ping requests to the CSP Reporting Endpoint have been blocked.

It should not be necessary to manually whitelist the CSP Reporting Endpoint. Furthermore, doing so using the "connect-src" directive whitelists a lot of undesirable connection types in addition to what is required to submit CSP violation reports — Fetch, XMLHttpRequest, WebSocket, and EventSource. No other major browser appears to behave in this way.

This will fail:

> default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';

This will work:

> connect-src https://example.com/endpoint:443; default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
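To make the decision described in the report concrete, here is an added example (not WebKit code and not from the reporter) that models the two ways a browser can treat a report-uri POST: as an ordinary fetch governed by connect-src (falling back to default-src), which is the Safari behaviour reported here, or as a delivery that bypasses CSP source checks, which is what the other browsers do. It uses the two policy strings from the description verbatim; the page origin `https://site.example` is a constructed assumption, and the source-expression matcher is a simplified model of CSP host-source matching (scheme, host, port; paths are ignored, so `https://example.com/endpoint:443` is treated as host `example.com`, the `:443` being part of the path rather than a port).

```python
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit

# Policies quoted verbatim from the bug description.
FAILING_POLICY = "default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';"
WORKING_POLICY = ("connect-src https://example.com/endpoint:443; default-src 'none'; "
                  "report-uri https://example.com/endpoint; style-src 'self';")

# Constructed origin of the page carrying the policy (assumption, not from the bug).
PAGE_ORIGIN = "https://site.example"
REPORT_URL = "https://example.com/endpoint"

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def effective_port(u: SplitResult) -> int | None:
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def parse_policy(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    A directive repeated within one header is ignored after its first occurrence."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Simplified host-source matching: scheme, host ('*.' wildcard allowed) and port.
    Path matching is deliberately omitted in this model."""
    target, origin = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.hostname, effective_port(target)) == \
               (origin.scheme, origin.hostname, effective_port(origin))
    if expr.endswith(":") and "/" not in expr:           # scheme-source such as "https:"
        return target.scheme == expr[:-1].lower()
    if "://" in expr:                                     # scheme given explicitly
        src = urlsplit(expr)
        if src.scheme != target.scheme:
            return False
    else:                                                 # scheme-less: page scheme, or https
        src = urlsplit("//" + expr)
        if target.scheme not in {origin.scheme, "https"}:
            return False
    host, thost = (src.hostname or "").lower(), (target.hostname or "").lower()
    if host == "*":
        pass
    elif host.startswith("*."):
        if not thost.endswith(host[1:]):
            return False
    elif host != thost:
        return False
    return src.port is None or src.port == effective_port(target)


def governing_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives fall back to default-src when absent; report-uri never does."""
    return policy[directive] if directive in policy else policy.get("default-src")


def load_allowed(policy, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    sources = governing_sources(policy, directive)
    if sources is None:
        return True                       # nothing in the policy governs this load type
    return any(source_matches(e, url, page_origin) for e in sources)


def report_delivery_allowed(policy, report_url: str, bypass_csp: bool,
                            page_origin: str = PAGE_ORIGIN) -> bool:
    """bypass_csp=True models the fixed behaviour (and other browsers): the report POST
    is not a connect-src governed fetch. bypass_csp=False models the bug, where the
    ping load to report-uri was run through the same connect-src/default-src check."""
    if report_url not in policy.get("report-uri", []):
        return False
    return bypass_csp or load_allowed(policy, "connect-src", report_url, page_origin)


def demo() -> dict[str, bool]:
    failing, working = parse_policy(FAILING_POLICY), parse_policy(WORKING_POLICY)
    return {
        "failing/buggy": report_delivery_allowed(failing, REPORT_URL, bypass_csp=False),
        "failing/fixed": report_delivery_allowed(failing, REPORT_URL, bypass_csp=True),
        "working/buggy": report_delivery_allowed(working, REPORT_URL, bypass_csp=False),
        # the cost of the workaround: connect-src now also permits fetch/XHR to the endpoint
        "working/fetch to endpoint": load_allowed(working, "connect-src", REPORT_URL),
        "failing/fetch to endpoint": load_allowed(failing, "connect-src", REPORT_URL),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'allowed' if ok else 'blocked'}")
```

The first three results are the point of the bug: under the failing policy the report is blocked only when delivery is routed through the connect-src check, and the working policy "fixes" it at the price of also opening fetch and XHR to the endpoint, which is exactly the over-broad whitelist the description objects to.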
Attachments
- Screenshot of issue in Safari (169.12 KB, image/png), 2018-12-19 10:40 PST, Scott Helme, no flags
- Patch (19.18 KB, patch), 2019-01-03 20:44 PST, youenn fablet, no flags
- Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.46 MB, application/zip), 2019-01-03 22:40 PST, EWS Watchlist, no flags
- Patch (19.41 KB, patch), 2019-01-04 09:00 PST, youenn fablet, no flags
- Archive of layout-test-results from ews100 for mac-sierra (2.68 MB, application/zip), 2019-01-04 10:04 PST, EWS Watchlist, no flags
- Patch for landing (19.49 KB, patch), 2019-01-04 10:17 PST, youenn fablet, no flags
1625258476
Comment 1 2018-12-19 09:53:02 PST
Just for reference, this bug also exists in Safari Technology Preview Release 72 (Safari 12.1, WebKit 14607.1.17.1), which was released half an hour after it was filed.
Scott Helme
Comment 2 2018-12-19 10:40:28 PST
Created attachment 357693 [details] Screenshot of issue in Safari
Scott Helme
Comment 3 2018-12-19 10:44:26 PST
Hey everyone,

Just dropping by to say I can repro this in latest Safari, screenshot attached. This behaviour is not present in latest Edge, Chrome or Firefox. If you want a test page for this issue you can try: https://scotthelme.co.uk/csp-demo/

I run Report URI (https://report-uri.com) and we process billions of reports per month for our customers. Advising them to open up a connect-src to us really isn't something we want to do. I feel it'd be a lot better if they didn't need to whitelist us at all and CSP reports were sent outside of the requirement to be whitelisted in the CSP, as they are in other browsers.

This is also somewhat problematic because if the CSP endpoint is required to be whitelisted in the connect-src (or default-src) then violating it and blocking the request, which it does, should cause a CSP report to be sent, which it doesn't!

Cheers,
Scott.
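The comment above is written from the perspective of the party that receives report-uri POSTs. As an added example (not Report URI's code, not WebKit's, and not part of this bug), here is the validation a collector has to do on each POST before trusting it: check the `application/csp-report` content type, bound the body size, parse the JSON, require the `csp-report` wrapper and the fields every report must carry, and then group reports by the directive that was actually enforced and the host that was blocked. The size cap and the sample POSTs are constructed assumptions; the field names are the standard report-uri ones.

```python
from __future__ import annotations

import json
from urllib.parse import urlsplit

MAX_REPORT_BYTES = 16 * 1024                      # assumed cap; a real collector picks its own
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")


class ReportError(ValueError):
    """Raised for a POST that is not a usable CSP report."""


def parse_csp_report(content_type: str, body: bytes) -> dict:
    """Validate one report-uri POST and return the inner "csp-report" object."""
    if content_type.split(";", 1)[0].strip().lower() != "application/csp-report":
        raise ReportError("unexpected Content-Type")
    if len(body) > MAX_REPORT_BYTES:
        raise ReportError("report too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ReportError(f"malformed body: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ReportError("missing csp-report object")
    missing = [k for k in REQUIRED_FIELDS if not isinstance(report.get(k), str)]
    if missing:
        raise ReportError(f"missing fields: {missing}")
    return report


def directive_name(report: dict) -> str:
    """Prefer effective-directive (CSP2+): violated-directive may name the default-src
    fallback rather than the load type that was actually blocked."""
    value = report.get("effective-directive") or report["violated-directive"]
    return str(value).split()[0]


def blocked_host(report: dict) -> str:
    """Reduce blocked-uri to a host for grouping; keep the CSP keyword values as-is."""
    blocked = str(report.get("blocked-uri", ""))
    if blocked in ("", "inline", "eval", "data", "self", "blob"):
        return blocked or "(empty)"
    return urlsplit(blocked).hostname or blocked


def summarize(posts: list[tuple[str, bytes]]) -> tuple[dict[tuple[str, str], int], int]:
    """Count (directive, blocked host) pairs over many POSTs; returns (counts, rejected)."""
    counts: dict[tuple[str, str], int] = {}
    rejected = 0
    for content_type, body in posts:
        try:
            report = parse_csp_report(content_type, body)
        except ReportError:
            rejected += 1
            continue
        key = (directive_name(report), blocked_host(report))
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


def _report(**fields) -> bytes:
    return json.dumps({"csp-report": fields}).encode()


POLICY = "default-src 'none'; style-src 'self'; report-uri https://example.com/endpoint"

# Constructed sample POSTs (not real traffic): two valid reports and two junk ones.
SAMPLE_POSTS = [
    ("application/csp-report", _report(**{
        "document-uri": "https://site.example/", "violated-directive": "style-src 'self'",
        "effective-directive": "style-src", "blocked-uri": "https://cdn.example/theme.css",
        "original-policy": POLICY})),
    ("application/csp-report", _report(**{
        "document-uri": "https://site.example/", "violated-directive": "default-src 'none'",
        "effective-directive": "script-src", "blocked-uri": "inline",
        "original-policy": POLICY})),
    ("application/json", _report(**{"document-uri": "https://site.example/"})),  # wrong type, incomplete
    ("application/csp-report", b"{not json"),                                       # malformed body
]

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_POSTS)
    for (directive, host), n in counts.items():
        print(f"{directive:12} {host:20} {n}")
    print(f"rejected: {rejected}")
```

Grouping by `effective-directive` matters for the second sample: its `violated-directive` says `default-src 'none'`, but what was blocked was an inline script, and that is the signal an operator needs when deciding which directive to tighten or loosen.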
Radar WebKit Bug Importer
Comment 4 2018-12-20 16:25:22 PST
youenn fablet
Comment 5 2019-01-03 17:40:22 PST
When adding better support for ping load checks in network process for fetch keep alive, we added these checks for all ping loads, probably including CSP reports.
youenn fablet
Comment 6 2019-01-03 20:44:37 PST
EWS Watchlist
Comment 7 2019-01-03 22:40:48 PST
Comment on attachment 358305 [details] Patch

Attachment 358305 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/10624158

New failing tests:
imported/w3c/web-platform-tests/webrtc/simplecall.https.html
EWS Watchlist
Comment 8 2019-01-03 22:40:50 PST
Created attachment 358310 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.13.6
youenn fablet
Comment 9 2019-01-04 09:00:10 PST
Chris Dumez
Comment 10 2019-01-04 09:51:21 PST
Comment on attachment 358322 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358322&action=review

> Source/WebCore/loader/PingLoader.h:50
> +enum class ContentSecurityPolicyImposition : uint8_t;

Extra space.

> LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt:3
> +PASS Untitled

May be nicer with a title.
EWS Watchlist
Comment 11 2019-01-04 10:04:04 PST
Comment on attachment 358322 [details] Patch

Attachment 358322 [details] did not pass mac-ews (mac):
Output: https://webkit-queues.webkit.org/results/10628875

New failing tests:
http/wpt/css/css-animations/start-animation-001.html
EWS Watchlist
Comment 12 2019-01-04 10:04:06 PST
Created attachment 358328 [details] Archive of layout-test-results from ews100 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-sierra  Platform: Mac OS X 10.12.6
youenn fablet
Comment 13 2019-01-04 10:17:16 PST
Created attachment 358330 [details] Patch for landing
WebKit Commit Bot
Comment 14 2019-01-04 11:45:33 PST
Comment on attachment 358330 [details] Patch for landing

Rejecting attachment 358330 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 358330, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=358330&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=192857&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Updating working directory
Processing patch 358330 from bug 192857.
Fetching: https://bugs.webkit.org/attachment.cgi?id=358330
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html.headers
    A   LayoutTests/http/wpt/fetch/resources/store-csp-report.py
    M   LayoutTests/ChangeLog
    M   Source/WebCore/ChangeLog
ERROR from SVN:
Item is out of date: File '/trunk/Source/WebCore/ChangeLog' is out of date
W: c7f8d5bea7af7b91c514ca7c6feb24b946306ff0 and refs/remotes/origin/master differ, using rebase:
:040000 040000 5e31ad75b87be9e9c27e19478c71011dfb22c1c2 ad35e3f6fcd4e0199358caa564c681e6c8f9e614 M  LayoutTests
:040000 040000 54ac0bb4f63c2820cb00ddfaa04c46506da8bf0a ec67e86ad84fc3e6e0cd0c4b7774119a6c8a44d9 M  Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed
ones (if any) seem to be successfully integrated into the working tree.
Please see the above messages for details.

Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html
    A   LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html.headers
    A   LayoutTests/http/wpt/fetch/resources/store-csp-report.py
    M   LayoutTests/ChangeLog
    M   Source/WebCore/ChangeLog
ERROR from SVN:
Item is out of date: File '/trunk/Source/WebCore/ChangeLog' is out of date
W: c7f8d5bea7af7b91c514ca7c6feb24b946306ff0 and refs/remotes/origin/master differ, using rebase:
:040000 040000 5e31ad75b87be9e9c27e19478c71011dfb22c1c2 ad35e3f6fcd4e0199358caa564c681e6c8f9e614 M  LayoutTests
:040000 040000 54ac0bb4f63c2820cb00ddfaa04c46506da8bf0a ec67e86ad84fc3e6e0cd0c4b7774119a6c8a44d9 M  Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed
ones (if any) seem to be successfully integrated into the working tree.
Please see the above messages for details.

Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Updating OpenSource
Current branch master is up to date.

Full output: https://webkit-queues.webkit.org/results/10630810
WebKit Commit Bot
Comment 15 2019-01-04 13:22:40 PST
Comment on attachment 358330 [details] Patch for landing Clearing flags on attachment: 358330 Committed r239634: <https://trac.webkit.org/changeset/239634>
WebKit Commit Bot
Comment 16 2019-01-04 13:22:42 PST
All reviewed patches have been landed. Closing bug.