WebKit Bugzilla
RESOLVED FIXED
115702
CSP: Suppress stored credentials when sending cross-origin violation reports.
https://bugs.webkit.org/show_bug.cgi?id=115702
Summary
CSP: Suppress stored credentials when sending cross-origin violation reports.
Ryosuke Niwa
Reported
2013-05-06 20:10:26 PDT
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/d2b1d6072cc7c5bf6de86cf3b834228e754b05b1
CSP: Suppress stored credentials when sending cross-origin violation reports. The spec recently changed to mandate that cross-origin violation reports be POSTed without cookies[1]. This patch changes PingLoader::PingLoader to accept a StoredCredentials argument, and ensures that PingLoader::sendViolationReport sets it correctly based on the origins of the protected resource and the reporting endpoint. Two tests are included, which required the addition of CORS headers to http/tests/cookies/resources/setCookies.cgi in order to synchronously set cookies cross-origin via XHR. Additionally, the reporting endpoint was updated to write the cookie header into the output, and then clear any set cookies so as not to leak into other tests.
[1]: https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
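The decision the quoted commit message describes, whether a CSP violation report may carry the document's cookies, comes down to a same-origin check between the protected resource and the report endpoint. The following is an added illustration written for this page, not WebKit's PingLoader or the Blink patch: the names StoredCredentials, Origin, parseOrigin and credentialsForViolationReport are assumptions chosen to mirror the commit message, and the toy URL parser handles only scheme://host[:port]/... (WebKit's own SecurityOrigin logic covers far more URL forms). It shows why the check must compare scheme, host and port, with default ports normalised, so that a report endpoint on a sibling host, a different scheme or a different port is treated as cross-origin and the Cookie header is withheld.

```cpp
#include <cassert>
#include <cctype>
#include <iostream>
#include <string>

// Added example for this bug page, not WebKit or Blink code. Names are
// assumptions mirroring the commit message; WebKit's real same-origin
// comparison lives in its SecurityOrigin class.

enum class StoredCredentials { Allow, DoNotAllow };

struct Origin {
    std::string scheme;
    std::string host;
    int port = -1;  // -1: unparseable URL, or a scheme with no known default port
};

static std::string toLower(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static int defaultPort(const std::string& scheme) {
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    return -1;
}

// Minimal parser for scheme://host[:port][/path...]. Scheme and host are
// case-insensitive, so both are lowercased; an omitted port takes the
// scheme's default so "https://a.test" and "https://a.test:443" compare equal.
Origin parseOrigin(const std::string& url) {
    Origin origin;
    const size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos || schemeEnd == 0)
        return origin;  // not an absolute URL this toy parser understands

    origin.scheme = toLower(url.substr(0, schemeEnd));
    const size_t hostStart = schemeEnd + 3;
    size_t hostEnd = url.find_first_of(":/?#", hostStart);
    if (hostEnd == std::string::npos)
        hostEnd = url.size();
    origin.host = toLower(url.substr(hostStart, hostEnd - hostStart));
    if (origin.host.empty())
        return Origin{};  // no host: treat as unparseable

    origin.port = defaultPort(origin.scheme);
    if (hostEnd < url.size() && url[hostEnd] == ':') {
        size_t portEnd = url.find_first_of("/?#", hostEnd + 1);
        if (portEnd == std::string::npos)
            portEnd = url.size();
        const std::string portText = url.substr(hostEnd + 1, portEnd - hostEnd - 1);
        if (portText.empty() || portText.size() > 5
            || portText.find_first_not_of("0123456789") != std::string::npos)
            return Origin{};  // malformed port: unparseable
        const int port = std::stoi(portText);
        if (port > 65535)
            return Origin{};
        origin.port = port;
    }
    return origin;
}

// Same-origin means the (scheme, host, port) tuples match exactly. An
// unparseable origin is never same-origin with anything, so the conservative
// outcome (no credentials) wins when in doubt.
bool isSameOrigin(const Origin& a, const Origin& b) {
    if (a.port < 0 || b.port < 0)
        return false;
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// A report POSTed to a same-origin endpoint may carry the document's cookies;
// a cross-origin report endpoint must be reached without stored credentials.
StoredCredentials credentialsForViolationReport(const std::string& protectedResourceURL,
                                                const std::string& reportURL) {
    return isSameOrigin(parseOrigin(protectedResourceURL), parseOrigin(reportURL))
        ? StoredCredentials::Allow
        : StoredCredentials::DoNotAllow;
}

int main() {
    // Constructed sample inputs (not taken from the bug or the spec)
    const char* page = "https://app.example.test/account";
    const char* endpoints[] = {
        "https://app.example.test/csp-report",   // same origin: cookies allowed
        "https://reports.example.test/csp",      // different host: cookies withheld
        "http://app.example.test/csp-report",    // different scheme: cookies withheld
    };
    for (const char* endpoint : endpoints) {
        const bool withCookies =
            credentialsForViolationReport(page, endpoint) == StoredCredentials::Allow;
        std::cout << endpoint << " -> " << (withCookies ? "send cookies" : "omit cookies") << '\n';
    }
    return 0;
}
```

The conservative default matters for the test-isolation point the commit message raises: if the endpoint URL cannot be parsed, the decision falls to DoNotAllow rather than risking a credentialed request to an origin the check could not evaluate.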
Radar WebKit Bug Importer
Comment 1
2016-01-27 20:25:04 PST
<rdar://problem/24383107>
Daniel Bates
Comment 2
2016-02-17 09:09:32 PST
This was fixed in the patch for bug #146754.