Bug 194392

Summary: Service Worker should see CSP violation reports
Product: WebKit Reporter: cvazac
Component: Service WorkersAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ben, cdumez, dbates, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari 12   
Hardware: Unspecified   
OS: Unspecified   

cvazac
Reported 2019-02-07 08:15:52 PST
Step 3.4.2.3 here[0] omits the `service-workers mode`[1] enum, which defaults to `"all"`. This means that Service-Worker *should* get fetch events for CSP violations reports[2]. You can see a demo here[3]. When it's working, you will see this in the document: Caught POST for https://84daacff2fb387fdf02f89b0fce73ef3.report-uri.com/r/d/csp/enforce) {"csp-report":{"document-uri":"https://vaz.ac/dev/csp/sw/index.html","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src-elem","original-policy":"default-src 'self' 'unsafe-inline'; report-uri https://84daacff2fb387fdf02f89b0fce73ef3.report-uri.com/r/d/csp/enforce","disposition":"enforce","blocked-uri":"https://ak.vaz.ac/dev/csp/sw/index.js","line-number":23,"column-number":23,"source-file":"https://vaz.ac/dev/csp/sw/index.html","status-code":0,"script-sample":""}} [0] https://w3c.github.io/webappsec-csp/#report-violation [1] https://fetch.spec.whatwg.org/#request-service-workers-mode [2] https://github.com/w3c/webappsec-csp/issues/383 [3] https://vaz.ac/dev/csp/sw/index.html
Attachments
Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2019-02-07 08:49:00 PST
Currently, ping loads (beacon API, CSP violation reports) are not going through service workers. We should indeed fix this.
Radar WebKit Bug Importer
Comment 2 2019-02-07 08:49:26 PST
<rdar://problem/47884547>
youenn fablet
Comment 3 2019-04-26 10:17:09 PDT
*** This bug has been marked as a duplicate of bug 196807 ***
Note You need to log in before you can comment on or make changes to this bug.