Bug 115702 - CSP: Suppress stored credentials when sending cross-origin violation reports.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Daniel Bates
Keywords: BlinkMergeCandidate, InRadar
Reported: 2013-05-06 20:10 PDT by Ryosuke Niwa
Modified: 2016-02-17 09:09 PST

Description Ryosuke Niwa 2013-05-06 20:10:26 PDT
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/d2b1d6072cc7c5bf6de86cf3b834228e754b05b1

CSP: Suppress stored credentials when sending cross-origin violation reports.

The spec recently changed to mandate that cross-origin violation reports be POSTed
without cookies[1]. This patch changes PingLoader::PingLoader to accept a
StoredCredentials argument, and ensures that PingLoader::sendViolationReport sets
it correctly based on the origins of the protected resource and the reporting endpoint.

Two tests are included, which required the addition of CORS headers to 
http/tests/cookies/resources/setCookies.cgi in order to synchronously set cookies
cross-origin via XHR. Additionally, the reporting endpoint was updated to write the
cookie header into the output, and then clear any set cookies so as not to leak into
other tests.

[1]: https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
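The rule the Blink patch above implements is an origin comparison between the protected resource and the reporting endpoint: a same-origin report-uri may carry the document's cookies, a cross-origin one must not. The following is an added example, not WebKit or Blink code, showing that decision in plain JavaScript with the WHATWG URL parser. It resolves a relative report-uri against the document URL, normalises default ports, and treats opaque schemes as never matching; the function names, the sample violation object and the endpoint URLs are all constructed for illustration.

```javascript
// Added example (not WebKit/Blink code): decide whether a CSP violation
// report POST may carry stored credentials (cookies), following the rule
// described in the bug: same-origin endpoint -> credentials allowed,
// cross-origin endpoint -> credentials suppressed.

// Default ports per scheme, so "https://a.example" and "https://a.example:443"
// compare as the same origin. Only http(s) origins are considered tuple origins here.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialize a URL's origin as scheme//host:port. Returns null for schemes
// that do not form a comparable (scheme, host, port) tuple, e.g. data: or blob:,
// which must never be treated as matching the protected resource.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  // The URL parser already strips a default port, so "" means "use the default".
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Given the protected resource's URL and a report-uri value as it appears in
// the Content-Security-Policy header (absolute or relative), return the
// credentials mode for the report request: "include" for a same-origin
// endpoint, "omit" for anything else.
function credentialsForViolationReport(protectedResourceUrl, reportUri) {
  // A relative report-uri is resolved against the protected resource's URL.
  const endpoint = new URL(reportUri, protectedResourceUrl).href;
  const a = originOf(protectedResourceUrl);
  const b = originOf(endpoint);
  if (a === null || b === null || a !== b) return "omit";
  return "include";
}

// Assemble the request a reporting client would hand to fetch(): always a
// POST with the report body, with the credentials mode chosen above.
// The violation object is whatever the caller collected; a constructed
// sample is used in the usage call below.
function buildViolationReportRequest(protectedResourceUrl, reportUri, violation) {
  const url = new URL(reportUri, protectedResourceUrl).href;
  const credentials = credentialsForViolationReport(protectedResourceUrl, reportUri);
  return {
    url,
    init: {
      method: "POST",
      credentials, // "include" or "omit"; never "include" across origins
      headers: { "Content-Type": "application/csp-report" },
      body: JSON.stringify({ "csp-report": violation }),
    },
  };
}

// Constructed sample violation (hypothetical values, not from the bug).
const sampleViolation = {
  "document-uri": "https://app.example/page",
  "violated-directive": "script-src 'self'",
  "blocked-uri": "https://cdn.example/evil.js",
};

// Same-origin endpoint: cookies may be sent.
const sameOrigin = buildViolationReportRequest("https://app.example/page", "/csp-report", sampleViolation);
console.log(sameOrigin.url, sameOrigin.init.credentials);

// Cross-origin endpoint: cookies are suppressed.
const crossOrigin = buildViolationReportRequest("https://app.example/page", "https://reports.example/csp", sampleViolation);
console.log(crossOrigin.url, crossOrigin.init.credentials);
```

The check compares scheme, host and port rather than just the host, so a report-uri that differs only by scheme (http vs https) or by an explicit non-default port is cross-origin and gets "omit", while an explicit default port (":443" on https) is still same-origin.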
Comment 1 Radar WebKit Bug Importer 2016-01-27 20:25:04 PST
<rdar://problem/24383107>
Comment 2 Daniel Bates 2016-02-17 09:09:32 PST
This was fixed in the patch for bug #146754.