Bug 156565 - CSP: Ignore report-only policy delivered via meta element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Daniel Bates
Keywords: InRadar, WebExposed
Reported: 2016-04-13 18:46 PDT by Daniel Bates
Modified: 2016-04-14 09:47 PDT

Attachments
Patch and Layout Tests (22.15 KB, patch)
2016-04-13 18:50 PDT, Daniel Bates
bfulgham: review+

Description Daniel Bates 2016-04-13 18:46:07 PDT
As per section Content-Security-Policy-Report-Only Header Field of the Content Security Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015), "The Content-Security-Policy-Report-Only header is not supported inside a meta element."

Currently we support a report-only policy delivered via a meta element.
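
An added example, not part of the original report or of the WebKit patch: a Python audit that applies the rule quoted in the description to a page's response headers and markup, so a site owner can spot a report-only policy that is ignored because it was delivered via a meta element. The function name `audit_csp_delivery` and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

class _MetaPolicies(HTMLParser):
    """Collects (line, header name, policy text) for CSP <meta http-equiv> tags."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        name = attr.get("http-equiv", "").strip().lower()
        if name in (ENFORCE, REPORT_ONLY):
            self.found.append((self.getpos()[0], name, attr.get("content", "")))

def audit_csp_delivery(headers, html):
    """Return (honoured, ignored) lists of (source, header name, policy)."""
    honoured, ignored = [], []
    for name, value in headers:  # header delivery: both variants are supported
        if name.strip().lower() in (ENFORCE, REPORT_ONLY):
            honoured.append(("header", name.strip().lower(), value))
    parser = _MetaPolicies()
    parser.feed(html)
    parser.close()
    for line, name, policy in parser.found:
        # Report-only is not supported inside a meta element, so it is dropped.
        bucket = ignored if name == REPORT_ONLY else honoured
        bucket.append((f"meta line {line}", name, policy))
    return honoured, ignored

# Constructed sample input (not taken from the WebKit layout tests).
SAMPLE_HEADERS = [("Content-Security-Policy-Report-Only", "default-src 'self'")]
SAMPLE_HTML = """<!doctype html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<META HTTP-EQUIV="content-security-policy-report-only" content="script-src 'none'">
</head>"""

if __name__ == "__main__":
    honoured, ignored = audit_csp_delivery(SAMPLE_HEADERS, SAMPLE_HTML)
    for source, name, policy in ignored:
        print(f"IGNORED  {source}: {name}: {policy}")
    for source, name, policy in honoured:
        print(f"HONOURED {source}: {name}: {policy}")
```

An entry in the ignored list means the page produces no violation reports for that policy; moving it to the response header restores them.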
Comment 1 Radar WebKit Bug Importer 2016-04-13 18:46:45 PDT
<rdar://problem/25718167>
Comment 2 Daniel Bates 2016-04-13 18:50:22 PDT
Created attachment 276369
Patch and Layout Tests
Comment 3 Brent Fulgham 2016-04-13 22:07:13 PDT
Comment on attachment 276369
Patch and Layout Tests

Looks great! r=me.
Comment 4 Daniel Bates 2016-04-14 09:47:58 PDT
Committed r199538: <http://trac.webkit.org/changeset/199538>