NEW
159830
CSP: Report nonce violations in report-only policies
https://bugs.webkit.org/show_bug.cgi?id=159830
Reported by Daniel Bates, 2016-07-15 13:54:34 PDT
We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.
Comment 1, Daniel Bates, 2016-07-15 15:03:21 PDT

(In reply to comment #0)
> We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.

Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce, even if the nonce is found in all enforced policies. For example:

...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...
<html>
<body>
<script nonce="A">...</script>
</body>
</html>

This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.
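The evaluation rule described in this comment, as an added example that is not WebKit code: each delivered policy is checked independently against the script's nonce, every policy lacking the nonce yields one report, and only an enforced policy blocks. It assumes a constructed policy list of {disposition, text} objects and models only the 'nonce-...' source expression of script-src.

```javascript
// Added example (not WebKit's implementation): models how a browser should
// evaluate a nonced <script> against every delivered CSP, enforced and
// report-only. Only the script-src directive and 'nonce-...' sources are modelled.

// Parse a policy string into a map of directive name -> list of source tokens.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does this policy's script-src list a 'nonce-<value>' equal to the script's nonce?
function scriptSrcAllowsNonce(policy, nonce) {
  const sources = policy.get('script-src');
  if (!sources) return true;   // no script-src: nothing to check here (default-src not modelled)
  if (!nonce) return false;    // an empty nonce attribute never matches anything
  return sources.some(
    s => s.startsWith("'nonce-") && s.endsWith("'") && s.slice(7, -1) === nonce
  );
}

// Evaluate each delivered policy on its own. A policy that lacks the nonce
// produces one report regardless of what other policies allow; only an
// enforced policy blocks the script.
function evaluateNoncedScript(policies, nonce) {
  const reports = [];
  let blocked = false;
  for (const { disposition, text } of policies) {
    if (scriptSrcAllowsNonce(parsePolicy(text), nonce)) continue;
    reports.push({
      disposition,
      message: `Nonce "${nonce}" was not found in the ${disposition} policy "${text}".`,
    });
    if (disposition === 'enforce') blocked = true;
  }
  return { blocked, reports };
}

// Constructed input mirroring the comment's example (assumed, not real traffic).
const deliveredPolicies = [
  { disposition: 'report', text: "script-src 'nonce-NonExistentNonce'" },
  { disposition: 'enforce', text: "script-src 'nonce-A'" },
];
console.log(evaluateNoncedScript(deliveredPolicies, 'A'));
```

For the comment's example the result is one report from the report-only policy and blocked false; a nonce that matches neither policy yields two reports and blocked true.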