The Content Security Policy report-uri directive should only be honored when defined in a policy via an HTTP header, as per section report-uri of the Content Security Policy 2.0 spec, <https://www.w3.org/TR/2015/CR-CSP2-20150721/#directive-report-uri>:
[[ Note: The report-uri directive will be ignored if contained within a meta element. ]]
Currently we honor the report-uri directive when defined in a policy delivered via the HTML meta element or HTTP header.
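The delivery-channel rule from the description, as an added example that is not WebKit's code: a small policy parser that drops report-uri from a meta-delivered policy and records a warning, so a site owner can check whether a policy will actually produce violation reports. The function names, the warning wording and the sample policy are assumptions made for illustration.

```javascript
// Added example; names are hypothetical and this is not WebKit's implementation.
// Directives ignored in a meta-delivered policy, limited here to the one the
// quoted CSP 2.0 note covers.
const IGNORED_IN_META = new Set(['report-uri']);

function parsePolicy(policyText) {
  // Directives are separated by ';'; name and values by whitespace.
  const directives = new Map();
  for (const token of policyText.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;        // empty directive, e.g. trailing ';'
    const name = parts[0].toLowerCase();     // directive names are case-insensitive
    if (directives.has(name)) continue;      // later duplicates are ignored
    directives.set(name, parts.slice(1));
  }
  return directives;
}

function effectivePolicy(policyText, delivery) {
  if (delivery !== 'header' && delivery !== 'meta') {
    throw new TypeError(`unknown delivery channel: ${delivery}`);
  }
  const directives = parsePolicy(policyText);
  const warnings = [];
  if (delivery === 'meta') {
    for (const name of IGNORED_IN_META) {
      if (directives.delete(name)) {
        // Constructed wording, not the Web Inspector console message.
        warnings.push(`The '${name}' directive is ignored when delivered via an HTML meta element.`);
      }
    }
  }
  return { directives, warnings };
}

// Endpoints that would receive violation reports for this policy and channel.
function reportEndpoints(policyText, delivery) {
  return effectivePolicy(policyText, delivery).directives.get('report-uri') || [];
}

// Constructed sample policy (not taken from the WebKit layout tests).
const SAMPLE = "script-src 'self'; Report-URI /csp-report /backup-report; report-uri /dup";
console.log(reportEndpoints(SAMPLE, 'header'), reportEndpoints(SAMPLE, 'meta'));
```

A policy that yields an empty endpoint list for the channel it is deployed on sends no violation reports, even though the rest of the policy is still enforced.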
<rdar://problem/24684817>
Created attachment 271618 Patch
Created attachment 271681 Patch and Layout Test
Updated patch to fix syntax error in file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php and to remove file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (not used since <http://trac.webkit.org/changeset/176413>). This patch will fail to apply because it depends on changes to file LayoutTests/TestExpectations made in the patch for bug #154299.
Comment on attachment 271681 Patch and Layout Test
View in context: https://bugs.webkit.org/attachment.cgi?id=271681&action=review
r=me.
> Source/WebCore/ChangeLog:14
> + via a HTTP header and log a message to the Web Inspector console to explain that the directive
I think this should all read "... an HTTP" or "... an HTML".
Committed r196875: <http://trac.webkit.org/changeset/196875>
Committed fixes for Content Extension test failures in <https://trac.webkit.org/changeset/196878> and <https://trac.webkit.org/changeset/196879>.
*** Bug 158263 has been marked as a duplicate of this bug. ***