Bug 113039 - CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mike West
Blocks: 85558 113033
Reported: 2013-03-22 03:40 PDT by Mike West
Modified: 2013-03-25 05:22 PDT
Attachments
Patch (21.42 KB, patch)
2013-03-22 03:47 PDT, Mike West
Patch (21.49 KB, patch)
2013-03-25 02:43 PDT, Mike West
Patch (24.34 KB, patch)
2013-03-25 03:27 PDT, Mike West
Patch (27.11 KB, patch)
2013-03-25 05:00 PDT, Mike West

Description Mike West 2013-03-22 03:40:15 PDT
CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
Comment 1 Mike West 2013-03-22 03:47:19 PDT
Created attachment 194500 [details]
Patch
Comment 2 Mike West 2013-03-24 12:59:40 PDT
Hey Adam! I obviously need to rebase this patch to fix whatever didn't apply correctly, but perhaps you can take a look in the meantime? It's a fairly large oversight on my part in the initial implementation. :/

Thanks!
Comment 3 Mike West 2013-03-25 02:43:48 PDT
Created attachment 194810 [details]
Patch
Comment 4 Mike West 2013-03-25 02:50:03 PDT
Hey Jochen! Since Adam is out, would you mind taking a look at this patch?
Comment 5 Mike West 2013-03-25 03:27:38 PDT
Created attachment 194818 [details]
Patch
Comment 6 Mike West 2013-03-25 03:29:48 PDT
(In reply to comment #5)
> Created an attachment (id=194818) [details]
> Patch

Jochen noted that we're doing the wrong thing with 'file:' URIs. Normally, I'd break that out into a separate patch, but I'm not sure it's worth it in this case. The current patch fixes both issues by changing the 'if' to 'if (!url.isHierarchical() || url.protocolIs("file"))'.

I'm also happy to break that (and the new test it brings with it) out to a separate patch if you think that'd be clearer.
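
The stripping rule discussed in comment 6, as an added JavaScript sketch (not WebKit's code and not part of the thread). Only the scheme-only condition for non-hierarchical and `file:` URLs comes from the comment; the function name `stripUrlForReport`, the `//` test used to approximate `isHierarchical()`, and the same-origin and cross-origin branches are assumptions made for illustration.

```javascript
// Added illustration: reduce a URL before exposing it in a CSP violation
// report or SecurityPolicyViolationEvent field (blockedURI, documentURI,
// sourceFile), so that paths, queries and local file names do not leak.

// Approximation of KURL::isHierarchical(): scheme is followed by "//".
function isHierarchical(url) {
  return url.href.startsWith(url.protocol + "//");
}

function stripUrlForReport(rawUrl, documentOrigin) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ""; // unparseable input: report nothing
  }

  // Condition quoted in comment 6: non-hierarchical URLs (data:, blob:,
  // about:) and file: URLs are reduced to the bare scheme.
  if (!isHierarchical(url) || url.protocol === "file:") {
    return url.protocol.slice(0, -1);
  }

  // Assumption: same-origin URLs keep path and query but lose the
  // fragment and any embedded credentials.
  if (url.origin === documentOrigin) {
    url.hash = "";
    url.username = "";
    url.password = "";
    return url.href;
  }

  // Assumption: cross-origin URLs are reduced to their origin, so the
  // page cannot learn the full URL of a blocked or redirected resource.
  return url.origin;
}

// Constructed sample inputs, checked against a constructed document origin.
const DOC_ORIGIN = "https://app.example.com";
const SAMPLES = [
  "file:///Users/alice/secret/report.html",
  "data:text/html,<p>hi</p>",
  "https://user:pw@app.example.com/page?id=1#frag",
  "https://cdn.example.net/lib/app.js?token=abc#x",
];
for (const s of SAMPLES) {
  console.log(s, "->", stripUrlForReport(s, DOC_ORIGIN));
}
```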
Comment 7 jochen 2013-03-25 03:57:06 PDT
Comment on attachment 194818 [details]
Patch

ok
Comment 8 Mike West 2013-03-25 03:58:24 PDT
(In reply to comment #7)
> (From update of attachment 194818 [details])
> ok

Cool. I'll CQ it once the mac bots join the happy crowd. Thanks!
Comment 9 Mike West 2013-03-25 05:00:44 PDT
Created attachment 194830 [details]
Patch
Comment 10 Mike West 2013-03-25 05:03:15 PDT
Comment on attachment 194830 [details]
Patch

Carrying over the r+, CQing after fixing the platform-specific results for the new test.
Comment 11 WebKit Review Bot 2013-03-25 05:22:53 PDT
Comment on attachment 194830 [details]
Patch

Clearing flags on attachment: 194830

Committed r146758: <http://trac.webkit.org/changeset/146758>
Comment 12 WebKit Review Bot 2013-03-25 05:22:57 PDT
All reviewed patches have been landed.  Closing bug.