Bug 153162 - CSP: Deduplicate violation reports before sending
Summary: CSP: Deduplicate violation reports before sending
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: BlinkMergeCandidate, InRadar
Depends on:
Blocks:
 
Reported: 2016-01-15 15:18 PST by Daniel Bates
Modified: 2016-03-16 09:56 PDT (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2016-01-15 15:18:06 PST 
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155708>.

CSP: Deduplicate violation reports before sending.

Violation reports should be sent once and only once per page load. If a
single line of code generates the same report over and over again, we
should attempt to avoid spamming the report server with not-particularly
valuable duplicates.

For example, if a report-only policy blocks 'eval()', then the following
loop would make a sysadmin somewhere quite unhappy:

    for (i=0;i<Number.MAX_VALUE;i++)
      eval(...);

This patch adds a HashSet<unsigned> to ContentSecurityPolicy, and stores
the hash of the stringified violation report. We check that set just
before handing things off to PingLoader for delivery. If there's a
match, we've already sent the report, and can safely discard it. If not
we send the report, then add it to the list.

Discussed on public-webappsec@w3.org: http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0000.html
Comment 1 Radar WebKit Bug Importer 2016-01-27 20:53:32 PST 
<rdar://problem/24383316>