Bug 97241
| Summary: | csp-report wrapper missing | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Baldwin <baldwin> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | ap, mkwst, sam |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Mac (Intel) | | |
| OS: | OS X 10.8 | | |

Adam Baldwin
On Safari Version 6.0.1 (8536.26.14) the outer 'csp-report' wrapper does not exist when a CSP violation report is sent.
Example:
{ 'document-url': 'http://localhost:3000/violation',
'violated-directive': 'default-src \'self\'' }
Should be like the following to match the spec
{ 'csp-report': { 'document-url': 'http://localhost:3000/violation',
'violated-directive': 'default-src \'self\'' } }
The policy header that was set was
X-WebKit-CSP: default-src 'self';report-uri http://localhost:3000/csp;
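
A report collector that must accept both shapes described in this report can unwrap the body before validating it. The following is an added example, not part of the original bug report or of WebKit; `normalizeCspReport`, the output field names and the length cap are assumptions, and it also accepts `document-uri`, the field name the CSP specification uses.

```javascript
// Added example (not from the bug report): accept CSP violation reports with
// or without the outer 'csp-report' wrapper, then validate the inner object.

// 'document-url' is the key in the reports quoted in this bug; 'document-uri'
// is the name the CSP specification uses. Accepting both is an assumption.
const DOCUMENT_KEYS = ['document-uri', 'document-url'];
const MAX_LEN = 2048; // assumed cap; report bodies are untrusted client input

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hypothetical helper: rawBody is the POST body as a string.
function normalizeCspReport(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (!isPlainObject(parsed)) return { ok: false, error: 'body is not an object' };

  // Unwrap if the wrapper is present; otherwise treat the body as the report.
  const wrapped = Object.prototype.hasOwnProperty.call(parsed, 'csp-report');
  const report = wrapped ? parsed['csp-report'] : parsed;
  if (!isPlainObject(report)) return { ok: false, error: 'csp-report is not an object' };

  const docKey = DOCUMENT_KEYS.find((k) => typeof report[k] === 'string');
  if (!docKey || typeof report['violated-directive'] !== 'string') {
    return { ok: false, error: 'missing required fields' };
  }
  // Copy only known string fields, truncated, so nothing else reaches the logs.
  return {
    ok: true,
    wrapped, // false identifies clients that omit the wrapper
    report: {
      documentUrl: report[docKey].slice(0, MAX_LEN),
      violatedDirective: report['violated-directive'].slice(0, MAX_LEN),
    },
  };
}

// Constructed sample bodies mirroring the two shapes quoted above.
const INNER = {
  'document-url': 'http://localhost:3000/violation',
  'violated-directive': "default-src 'self'",
};
const LEGACY_BODY = JSON.stringify(INNER);
const SPEC_BODY = JSON.stringify({ 'csp-report': INNER });
```

Recording the `wrapped` flag alongside each report shows how much traffic still comes from clients that omit the wrapper.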
Mike West
It looks like this was added in http://wkrev.com/116268, which I think is just after the revision of WebCore that Safari is using. ToT has the wrapper object, as evidenced by the current set of test expectations. http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt for example.
Alexey Proskuryakov
Thanks Mike - since this is fixed in WebKit, marking WORKSFORME. We do not track integration of WebKit into vendor releases.
Adam, please feel free to verify the fix with a nightly build: <http://nightly.webkit.org>.
Mike West
(In reply to comment #2)
> Thanks Mike - since this is fixed in WebKit, marking WORKSFORME. We do not track integration of WebKit into vendor releases.
>
> Adam, please feel free to verify the fix with a nightly build: <http://nightly.webkit.org>.
What's the proper channel for a Safari-specific report? Radar?
Alexey Proskuryakov
> What's the proper channel for a Safari-specific report? Radar?
Yes, that's correct - <http://bugreport.apple.com>.
Generally, one may want to file a bug with Apple about something that's already fixed in WebKit if that issue needs to be addressed sooner than it would happen "naturally" when shipping a release that includes newer WebKit. It's important to explain the urgency then.
Mike West
(In reply to comment #4)
> > What's the proper channel for a Safari-specific report? Radar?
>
> Yes, that's correct - <http://bugreport.apple.com>.
>
> Generally, one may want to file a bug with Apple about something that's already fixed in WebKit if that issue needs to be addressed sooner than it would happen "naturally" when shipping a release that includes newer WebKit. It's important to explain the urgency then.
Fair enough. Thanks Alexey.