RESOLVED FIXED Bug 154307
CSP: report-uri directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154307
Daniel Bates
Reported 2016-02-16 14:21:17 PST
The Content Security Policy report-uri directive should only be honored when defined in a policy via an HTTP header, as per section report-uri of the Content Security Policy 2.0 spec, <https://www.w3.org/TR/2015/CR-CSP2-20150721/#directive-report-uri>: [[ Note: The report-uri directive will be ignored if contained within a meta element. ]] Currently we honor the report-uri directive when defined in a policy delivered via the HTML meta element or an HTTP header.
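As an added example (not WebKit's code) of the behavior this bug asks for, a small Python policy parser that keeps report-uri from a header-delivered policy but drops it, with a console message, from a meta-delivered one. The source labels, the Policy structure and the console-message wording are assumptions made for the example.

```python
"""Added example (not WebKit code): a CSP parser that drops report-uri
when the policy came from a <meta> element instead of an HTTP header."""
from dataclasses import dataclass, field

HEADER = "header"   # policy delivered via Content-Security-Policy header
META = "meta"       # policy delivered via <meta http-equiv=...>

# Directives CSP 2.0 says to ignore in a meta-delivered policy (only the one
# discussed in this bug is listed here).
IGNORED_IN_META = {"report-uri"}


@dataclass
class Policy:
    directives: dict = field(default_factory=dict)
    console_messages: list = field(default_factory=list)


def parse_policy(serialized: str, source: str) -> Policy:
    """Parse 'name value; name value' into a Policy for the given source."""
    policy = Policy()
    for token in serialized.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition(" ")
        name = name.lower()           # directive names are case-insensitive
        if name in policy.directives:
            continue                  # first occurrence wins, duplicates dropped
        if source == META and name in IGNORED_IN_META:
            # Mirror the fix: ignore the directive and explain why in the console.
            policy.console_messages.append(
                f"The Content Security Policy directive '{name}' is ignored "
                "when delivered via a meta element."
            )
            continue
        policy.directives[name] = value.split()
    return policy


def report_endpoints(policy: Policy) -> list:
    """Endpoints a violation report would be sent to (empty if none)."""
    return policy.directives.get("report-uri", [])


if __name__ == "__main__":
    csp = "default-src 'self'; report-uri /csp-report"
    print(report_endpoints(parse_policy(csp, HEADER)))  # ['/csp-report']
    print(report_endpoints(parse_policy(csp, META)))    # []
```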
Attachments
Patch (74.55 KB, patch)
2016-02-17 19:46 PST, Daniel Bates
no flags
Patch and Layout Test (75.78 KB, patch)
2016-02-18 12:22 PST, Daniel Bates
bfulgham: review+
Radar WebKit Bug Importer
Comment 1 2016-02-16 14:22:30 PST
Daniel Bates
Comment 2 2016-02-17 19:46:18 PST
Daniel Bates
Comment 3 2016-02-18 12:22:38 PST
Created attachment 271681 [details]
Patch and Layout Test

Updated patch to fix syntax error in file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php and to remove file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (not used since <http://trac.webkit.org/changeset/176413>).

This patch will fail to apply because it depends on changes to file LayoutTests/TestExpectations made in the patch for bug #154299.
Brent Fulgham
Comment 4 2016-02-18 17:41:38 PST
Comment on attachment 271681 [details]
Patch and Layout Test

View in context: https://bugs.webkit.org/attachment.cgi?id=271681&action=review

r=me.

> Source/WebCore/ChangeLog:14
> + via a HTTP header and log a message to the Web Inspector console to explain that the directive

I think this should all read "... an HTTP" or "... an HTML".
Daniel Bates
Comment 5 2016-02-21 11:04:15 PST
Daniel Bates
Comment 6 2016-02-21 17:33:44 PST
Committed fixes for Content Extension test failures in <https://trac.webkit.org/changeset/196878> and <https://trac.webkit.org/changeset/196879>.
Daniel Bates
Comment 7 2016-06-01 20:18:44 PDT
*** Bug 158263 has been marked as a duplicate of this bug. ***