Bug 154288 - CSP: Violation report should include HTTP status code and effective-directive of protected resource
Summary: CSP: Violation report should include HTTP status code and effective-directive...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, WebExposed
: 115707 (view as bug list)
Depends on: 154307
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-16 06:42 PST by Daniel Bates
Modified: 2016-02-21 11:45 PST (History)
5 users (show)

See Also:


Attachments
Patch and Layout Tests (42.11 KB, patch)
2016-02-18 12:01 PST, Daniel Bates
bfulgham: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2016-02-16 06:42:37 PST
The Content Security Policy violation report should include the HTTP status code of the protected resource as per <https://w3c.github.io/webappsec-csp/2/#violation-reports> (29 August 2015):

[[
4.4. Reporting

...

To generate a violation report object, the user agent MUST use an algorithm equivalent to the following:

Prepare a JSON object violation with the following keys and values:

    blocked-uri
        The originally requested URL of the resource that was prevented from loading, stripped for reporting, or 
        the empty string if the resource has no URL (inline script and inline style, for example).
...
    status-code
        The status-code of the HTTP response that contained the protected resource, if the protected resource was
        obtained over HTTP. Otherwise, the number 0.
...
]]
Comment 1 Radar WebKit Bug Importer 2016-02-16 06:42:55 PST
<rdar://problem/24674982>
Comment 2 Daniel Bates 2016-02-18 10:53:28 PST
We should also include the effective-directive key in the violation report.
Comment 3 Daniel Bates 2016-02-18 12:01:45 PST
Created attachment 271679 [details]
Patch and Layout Tests

This patch will fail to apply because it depends on changes to file LayoutTests/TestExpectations made in the patch for bug #154307.
Comment 4 Brent Fulgham 2016-02-18 17:46:11 PST
Comment on attachment 271679 [details]
Patch and Layout Tests

r=me.
Comment 5 Brent Fulgham 2016-02-18 17:47:42 PST
*** Bug 115707 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Bates 2016-02-21 11:45:46 PST
Committed r196876: <http://trac.webkit.org/changeset/196876>