Bug 154307 - CSP: report-url directive should be ignored when contained in a policy defined via a meta element
Summary: CSP: report-url directive should be ignored when contained in a policy define...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
Keywords: InRadar, WebExposed
: 158263 (view as bug list)
Depends on: 154299
Blocks: 154288
  Show dependency treegraph
Reported: 2016-02-16 14:21 PST by Daniel Bates
Modified: 2016-06-01 20:18 PDT (History)
5 users (show)

See Also:

Patch (74.55 KB, patch)
2016-02-17 19:46 PST, Daniel Bates
no flags Details | Formatted Diff | Diff
Patch and Layout Test (75.78 KB, patch)
2016-02-18 12:22 PST, Daniel Bates
bfulgham: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2016-02-16 14:21:17 PST
The Content Security Policy report-uri directive should only be honored when defined in a policy via a HTTP header as per section report-uri of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/#directive-report-uri>:

Note: The report-uri directive will be ignored if contained within a meta element.

Currently we honor the report-uri directive when defined in a policy delivered via the HTML meta element or HTTP header.
Comment 1 Radar WebKit Bug Importer 2016-02-16 14:22:30 PST
Comment 2 Daniel Bates 2016-02-17 19:46:18 PST
Created attachment 271618 [details]
Comment 3 Daniel Bates 2016-02-18 12:22:38 PST
Created attachment 271681 [details]
Patch and Layout Test

Updated patch to fix syntax error in file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php and to remove file LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (not used since <http://trac.webkit.org/changeset/176413>). This patch will fail to apply because it depends on changes to file LayoutTests/TestExpectations made in the patch for bug #154299.
Comment 4 Brent Fulgham 2016-02-18 17:41:38 PST
Comment on attachment 271681 [details]
Patch and Layout Test

View in context: https://bugs.webkit.org/attachment.cgi?id=271681&action=review


> Source/WebCore/ChangeLog:14
> +        via a HTTP header and log a message to the Web Inspector console to explain that the directive

I think this should all read "... an HTTP" or "... an HTML".
Comment 5 Daniel Bates 2016-02-21 11:04:15 PST
Committed r196875: <http://trac.webkit.org/changeset/196875>
Comment 6 Daniel Bates 2016-02-21 17:33:44 PST
Committed fixes for Content Extension test failures in <https://trac.webkit.org/changeset/196878> and <https://trac.webkit.org/changeset/196879>.
Comment 7 Daniel Bates 2016-06-01 20:18:44 PDT
*** Bug 158263 has been marked as a duplicate of this bug. ***