Summary: | Content Security Policy reports should be reported with content-type application/json | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Jeff Stewart <jeffstewart> | ||||
Component: | WebCore Misc. | Assignee: | Adam Barth <abarth> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | abarth, bmt, eric, jeffstewart, mkwst, ossy, sam, webkit.review.bot | ||||
Priority: | P2 | ||||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Bug Depends on: | |||||||
Bug Blocks: | 53572 | ||||||
Attachments: |
|
Description
Jeff Stewart
2011-05-24 06:17:23 PDT
Thanks for the report. > Using MacOS nightly webkit build 87124, Content-Security-Policy violations are being reported with content-type application/x-www-form-urlencoded (and the payload is indeed form encoded). The spec (http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri) says: This is intentional (at least for the moment). We've recommended to the working group that the report should be sent form-urlencoded. > On a related note, the report does not contain the blocked-uri field: This is also intentional. There are some subtle security issues with sending the blocked-uri, especially if cross-origin redirects are involved. There's a spec change in the works to address this issue, which we'll implement once all the details are in the spec. Thanks! Sam said he might be interested in tackling this issue. Created attachment 140347 [details]
Patch
Comment on attachment 140347 [details]
Patch
LGTM.
Comment on attachment 140347 [details] Patch Rejecting attachment 140347 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: y/report-only-from-header-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Eric Seidel']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/ Full output: http://queues.webkit.org/results/12630290 Committed r116268: <http://trac.webkit.org/changeset/116268> Reopen, because it broke the !INSPECTOR builds: ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp: In member function 'void WebCore::CSPDirectiveList::reportViolation(const WTF::String&, const WTF::String&) const': ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:605: error: incomplete type 'WebCore::InspectorObject' used in nested name specifier ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:606: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:608: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:610: error: incomplete type 'WebCore::InspectorObject' used in nested name specifier ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:611: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:613: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' In file included from ../../../../Source/WTF/wtf/RefPtr.h:29, from ../../../../Source/WTF/wtf/VectorTraits.h:26, from ../../../../Source/WTF/wtf/Vector.h:31, from ../../../../Source/WebCore/page/ContentSecurityPolicy.h:32, from ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:28: ../../../../Source/WTF/wtf/PassRefPtr.h: In function 'void WTF::derefIfNotNull(T*) [with T = WebCore::InspectorObject]': ../../../../Source/WTF/wtf/RefPtr.h:56: instantiated from 'WTF::RefPtr<T>::~RefPtr() [with T = WebCore::InspectorObject]' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:605: instantiated from here ../../../../Source/WTF/wtf/PassRefPtr.h:52: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' Hum... Maybe InspectorValues need to be defined even without the inspector. Attempted fix in http://trac.webkit.org/changeset/116275 That seems to have worked. |