Bug 162079 - [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Normal
Assignee: Daniel Bates
Keywords: InRadar
Reported: 2016-09-16 11:40 PDT by Daniel Bates
Modified: 2016-09-22 14:41 PDT
Attachments
Patch (56.02 KB, patch)
2016-09-16 12:13 PDT, Daniel Bates
Archive of layout-test-results from ews103 for mac-yosemite (1.27 MB, application/zip)
2016-09-16 12:58 PDT, Build Bot
Archive of layout-test-results from ews114 for mac-yosemite (1.64 MB, application/zip)
2016-09-16 13:07 PDT, Build Bot
Archive of layout-test-results from ews106 for mac-yosemite-wk2 (969.75 KB, application/zip)
2016-09-16 13:14 PDT, Build Bot
Patch (63.88 KB, patch)
2016-09-16 13:17 PDT, Daniel Bates

Description Daniel Bates 2016-09-16 11:40:48 PDT
On a frame-ancestors violation the violation report may be sent to the wrong domain.
Comment 1 Daniel Bates 2016-09-16 11:41:17 PDT
<rdar://problem/28321575>
Comment 2 Daniel Bates 2016-09-16 12:06:05 PDT
Note that reporting of a frame-ancestors violation for a document occurs before the URL of that document is known; => we do not have a script execution context. So we make use of the parent frame's document as part of the reporting machinery. Among other things, we use the parent frame's document to compute the absolute URL for a CSP report URI that is a relative URL. But we should use the blocked URL as the base of this computed absolute URL.
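The base-URL difference described in Comment 2, as an added example that is not part of the bug thread or the WebKit patch: it resolves each `report-uri` value against the embedding document and against the blocked document and lists the endpoints that differ. The policy string, the `example.*` URLs and all function names are constructed for illustration.

```javascript
// Added illustration; the URLs and the policy below are constructed sample values.

// Split one CSP header value into a map of directive name -> list of values.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve every report-uri value against the given base URL.
function resolveReportURIs(header, baseURL) {
  const uris = parsePolicy(header).get('report-uri') || [];
  return uris.map((u) => new URL(u, baseURL).href);
}

// Compare resolution against the embedding (parent) document with resolution
// against the blocked document, and return the endpoints that differ.
function misdirectedReports(header, parentURL, blockedURL) {
  const viaParent = resolveReportURIs(header, parentURL);
  const viaBlocked = resolveReportURIs(header, blockedURL);
  const differing = [];
  viaBlocked.forEach((expected, i) => {
    const actual = viaParent[i];
    if (expected !== actual) {
      const crossOrigin = new URL(expected).origin !== new URL(actual).origin;
      differing.push({ expected, actual, crossOrigin });
    }
  });
  return differing;
}

// Constructed scenario: framed.example.com forbids framing and asks for reports
// at a relative URI; embedder.example.org tries to frame it.
const policy =
  "frame-ancestors 'none'; report-uri /csp-report https://reports.example.net/csp";
const parentDoc = 'https://embedder.example.org/page.html';
const blockedDoc = 'https://framed.example.com/app/widget.html';
console.log(misdirectedReports(policy, parentDoc, blockedDoc));
```

Only the relative `report-uri` value is affected; the absolute one resolves identically with either base.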
Comment 3 Daniel Bates 2016-09-16 12:13:34 PDT
Created attachment 289093
Patch
Comment 4 Build Bot 2016-09-16 12:58:24 PDT
Comment on attachment 289093
Patch

Attachment 289093 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2089679

New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Comment 5 Build Bot 2016-09-16 12:58:27 PDT
Created attachment 289098
Archive of layout-test-results from ews103 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 6 Build Bot 2016-09-16 13:07:32 PDT
Comment on attachment 289093
Patch

Attachment 289093 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2089692

New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Comment 7 Build Bot 2016-09-16 13:07:35 PDT
Created attachment 289099
Archive of layout-test-results from ews114 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 8 Build Bot 2016-09-16 13:14:46 PDT
Comment on attachment 289093
Patch

Attachment 289093 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2089779

New failing tests:
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/xssAuditor/report-script-tag-replace-state.html
Comment 9 Build Bot 2016-09-16 13:14:49 PDT
Created attachment 289100
Archive of layout-test-results from ews106 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 10 Daniel Bates 2016-09-16 13:17:46 PDT
Created attachment 289101
Patch

Rebase more expected test results.
Comment 11 Daniel Bates 2016-09-22 14:41:46 PDT
Comment on attachment 289101
Patch

Clearing flags on attachment: 289101

Committed r206278: <http://trac.webkit.org/changeset/206278>
Comment 12 Daniel Bates 2016-09-22 14:41:50 PDT
All reviewed patches have been landed.  Closing bug.