Bug 159830 - CSP: Report nonce violations in report-only policies
Summary: CSP: Report nonce violations in report-only policies
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on: 159841
Blocks:
Reported: 2016-07-15 13:54 PDT by Daniel Bates
Modified: 2016-07-15 15:37 PDT

See Also:


Description Daniel Bates 2016-07-15 13:54:34 PDT
We should send a CSP violation report and log a console message when there is a nonce violation in a report-only policy.
Comment 1 Daniel Bates 2016-07-15 15:03:21 PDT
(In reply to comment #0)
> We should send a CSP violation report and log a console message when there
> is a nonce violation in a report-only policy.

Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce, even if the nonce is found in all enforced policies. For example:

...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...
<html>
<body>
<script nonce="A">...</script>
</body>
</html>

This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.
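The behaviour described in this comment, as an added illustration that is not WebKit's code: each policy on the response is evaluated independently, so a report-only policy that lacks the script's nonce yields a report even though the enforced policy is satisfied. The header list and the simplification to a `script-src` directive with only `'nonce-...'` sources are assumptions of this example.

```javascript
// Added example (not WebKit's code): evaluate a <script nonce="..."> against
// every CSP header on a response. Each policy is checked on its own: enforced
// policies decide whether the script runs, report-only policies never block
// but still owe one violation report (and console message) when the nonce
// is absent from them. Simplification: only script-src with 'nonce-' sources.

const NONCE_RE = /^'nonce-([A-Za-z0-9+/=_-]+)'$/;

// Parse one policy string; returns the nonce set of its script-src directive,
// or null when the policy has no script-src directive at all.
function parseScriptSrcNonces(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] !== 'script-src') continue;
    const nonces = new Set();
    for (const tok of tokens.slice(1)) {
      const m = NONCE_RE.exec(tok);
      if (m) nonces.add(m[1]);
    }
    return nonces;
  }
  return null;
}

// headers: array of {name, value} pairs as sent by the server.
// Returns { blocked, reports } where reports has one entry per violated policy.
function evaluateScriptNonce(headers, scriptNonce) {
  const result = { blocked: false, reports: [] };
  for (const { name, value } of headers) {
    const lower = name.toLowerCase();
    const reportOnly = lower === 'content-security-policy-report-only';
    if (!reportOnly && lower !== 'content-security-policy') continue;
    const nonces = parseScriptSrcNonces(value);
    if (nonces === null || nonces.has(scriptNonce)) continue; // satisfied
    result.reports.push({
      disposition: reportOnly ? 'report' : 'enforce',
      message: `Nonce "${scriptNonce}" was not found in the ` +
        `${reportOnly ? 'report-only ' : ''}policy "${value}"`,
    });
    if (!reportOnly) result.blocked = true; // only enforced policies block
  }
  return result;
}

// Constructed sample reproducing the scenario above: the report-only policy
// lacks nonce "A", the enforced policy contains it.
const sampleHeaders = [
  { name: 'Content-Security-Policy-Report-Only', value: "script-src 'nonce-NonExistentNonce'" },
  { name: 'Content-Security-Policy', value: "script-src 'nonce-A'" },
];

console.log(evaluateScriptNonce(sampleHeaders, 'A'));
```

For the sample headers and nonce "A" this yields exactly one report, with disposition `report`, and the script is not blocked.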