RESOLVED FIXED 109429
CSP reports for blocked 'data:' URLs should report the scheme only.
https://bugs.webkit.org/show_bug.cgi?id=109429
Summary CSP reports for blocked 'data:' URLs should report the scheme only.
Mike West
Reported 2013-02-11 06:59:20 PST
https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed the CSP 1.1 spec to require that blocked URLs that don't map well to the web (e.g. 'data:', 'javascript:', etc.) be stripped down to their scheme in violation reports. I'm not sure what the best way to do that actually is... The question sorta maps to 'KURL::isHierarchical()', but not really. The current patch uses 'KURL::canSetHostOrPort()' (which maps to 'isHierarchical()'), but there's likely a better way. Adam, what do you think?
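The sanitization rule the bug describes, as an added example that is not WebKit's code: a blocked URL is reported whole only when it is hierarchical (the character after the scheme's colon is a slash, the same test as KURL::isHierarchical), otherwise the report carries just the scheme, so a data: or javascript: payload never reaches the report collector. The scheme is returned without its trailing colon and the report shape, document URI and directive strings are constructed here for illustration.

```javascript
// Added example (not WebKit code): apply the CSP 1.1 rule that a blocked
// URL which is not hierarchical (no "//" authority, e.g. data:, javascript:)
// is reported as its scheme only, so inline payloads do not leak into reports.

// Equivalent of KURL::isHierarchical(): the character right after the
// scheme's ':' is '/' for hierarchical URLs such as https://example.test/.
function isHierarchical(url) {
  const colon = url.indexOf(':');
  if (colon <= 0) return false; // no scheme at all: not a usable absolute URL
  return url.charAt(colon + 1) === '/';
}

// Scheme name without the trailing ':' (representation assumed here; the bug
// text only says the URL is "stripped down to their scheme").
function schemeOf(url) {
  const colon = url.indexOf(':');
  if (colon <= 0) return ''; // no scheme: nothing safe to report
  return url.slice(0, colon).toLowerCase();
}

// The blocked-uri value a violation report carries for a blocked URL.
function sanitizeBlockedURI(blockedURL) {
  return isHierarchical(blockedURL) ? blockedURL : schemeOf(blockedURL);
}

// Build a csp-report body; only blocked-uri is sanitized, the other fields
// are passed through as supplied by the caller.
function buildViolationReport(documentURI, violatedDirective, blockedURL) {
  return {
    'csp-report': {
      'document-uri': documentURI,
      'violated-directive': violatedDirective,
      'blocked-uri': sanitizeBlockedURI(blockedURL),
    },
  };
}

// Constructed sample inputs: an inline data: image blocked by img-src, and a
// cross-origin script blocked by script-src. Only the first is stripped.
const SAMPLE_REPORTS = [
  buildViolationReport('https://example.test/page', "img-src 'self'",
    'data:image/png;base64,iVBORw0KGgo='),
  buildViolationReport('https://example.test/page', "script-src 'self'",
    'https://cdn.example.test/app.js'),
];
```

A collector that sees a bare scheme such as "data" in blocked-uri therefore knows the resource was inline or non-hierarchical and that the payload itself was deliberately withheld.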
Attachments
Patch (4.95 KB, patch)
2013-02-11 07:13 PST, Mike West
no flags
Patch (5.65 KB, patch)
2013-02-11 11:29 PST, Mike West
no flags
Mike West
Comment 1 2013-02-11 07:13:03 PST
Adam Barth
Comment 2 2013-02-11 10:38:08 PST
Comment on attachment 187566 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=187566&action=review

> Source/WebCore/page/ContentSecurityPolicy.cpp:1634
> +    if (blockedURL.canSetHostOrPort())

I'd use isHierarchical rather than canSetHostOrPort, but I think they're the same.
Mike West
Comment 3 2013-02-11 11:18:07 PST
(In reply to comment #2)
> (From update of attachment 187566 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=187566&action=review
>
> > Source/WebCore/page/ContentSecurityPolicy.cpp:1634
> > +    if (blockedURL.canSetHostOrPort())
>
> I'd use isHierarchical rather than canSetHostOrPort, but I think they're the same.

KURL::isHierarchical is private, which is why I used this (which, as you say, is simply an alias). Should I move it out into the public API?
Adam Barth
Comment 4 2013-02-11 11:20:11 PST
Sure.
Mike West
Comment 5 2013-02-11 11:29:21 PST
Mike West
Comment 6 2013-02-11 11:30:25 PST
Comment on attachment 187628 [details] Patch
Whoops. Carrying over Adam's r+. Meant to just throw this at the bots before CQing.
WebKit Review Bot
Comment 7 2013-02-11 13:31:24 PST
Comment on attachment 187628 [details] Patch
Clearing flags on attachment: 187628
Committed r142506: <http://trac.webkit.org/changeset/142506>
WebKit Review Bot
Comment 8 2013-02-11 13:31:28 PST
All reviewed patches have been landed. Closing bug.