NEW 153162
CSP: Deduplicate violation reports before sending
https://bugs.webkit.org/show_bug.cgi?id=153162
Summary CSP: Deduplicate violation reports before sending
Daniel Bates
Reported 2016-01-15 15:18:06 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155708>. CSP: Deduplicate violation reports before sending. Violation reports should be sent once and only once per page load. If a single line of code generates the same report over and over again, we should attempt to avoid spamming the report server with not-particularly valuable duplicates. For example, if a report-only policy blocks 'eval()', then the following loop would make a sysadmin somewhere quite unhappy: for (i=0;i<Number.MAX_VALUE;i++) eval(...); This patch adds a HashSet<unsigned> to ContentSecurityPolicy, and stores the hash of the stringified violation report. We check that set just before handing things off to PingLoader for delivery. If there's a match, we've already sent the report, and can safely discard it. If not we send the report, then add it to the list. Discussed on public-webappsec@w3.org: http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0000.html
Attachments
Radar WebKit Bug Importer
Comment 1 2016-01-27 20:53:32 PST
Note You need to log in before you can comment on or make changes to this bug.