WebKit Bugzilla
Bug 162079: [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=162079
Reported by Daniel Bates, 2016-09-16 11:40:48 PDT
On a frame-ancestors violation the violation report may be sent to the wrong domain.
Attachments
Patch (56.02 KB, patch), 2016-09-16 12:13 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews103 for mac-yosemite (1.27 MB, application/zip), 2016-09-16 12:58 PDT, Build Bot, no flags
Archive of layout-test-results from ews114 for mac-yosemite (1.64 MB, application/zip), 2016-09-16 13:07 PDT, Build Bot, no flags
Archive of layout-test-results from ews106 for mac-yosemite-wk2 (969.75 KB, application/zip), 2016-09-16 13:14 PDT, Build Bot, no flags
Patch (63.88 KB, patch), 2016-09-16 13:17 PDT, Daniel Bates, no flags
Comment 1 by Daniel Bates, 2016-09-16 11:41:17 PDT
<rdar://problem/28321575>
Comment 2 by Daniel Bates, 2016-09-16 12:06:05 PDT
Note that reporting of a frame-ancestors violation for a document occurs before the URL of that document is known; => we do not have a script execution context. So we make use of the parent frame's document as part of the reporting machinery. Among other things we use the parent frame's document to compute the absolute URL for a CSP report URI that is a relative URL. But we should use the blocked URL as base of this computed absolute URL.
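The base-URL mismatch described in Comment 2, shown as an added example (this is not WebKit code). A relative report-uri in a frame-ancestors policy is resolved once against the parent (embedding) document's URL, which is what the bug did, and once against the URL of the framed document that carries the policy, which is the base Comment 2 calls for. The hostnames, paths and the policy string are constructed for the example; URL resolution uses the WHATWG URL API.

```javascript
// Added example, not WebKit code. Demonstrates why the base URL chosen to
// resolve a relative CSP report-uri matters for a frame-ancestors violation.
// All URLs and the policy below are constructed for the example.
const PARENT_DOCUMENT_URL = "https://embedder.example/page.html";
const FRAMED_DOCUMENT_URL = "https://protected.example/widget.html";
const POLICY =
  "frame-ancestors 'none'; report-uri /csp-report https://reports.protected.example/collect";

// Split a serialized policy into a Map of directive name -> value tokens.
// Directive names are case-insensitive; a repeated directive keeps its
// first occurrence, as CSP requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A report-uri token is a relative reference if it does not parse on its own.
function isRelativeReference(token) {
  try {
    new URL(token);
    return false;
  } catch (e) {
    return true;
  }
}

// Resolve every report-uri token against baseUrl. Absolute endpoints are
// unaffected by the base; relative ones inherit the base's scheme and host.
function resolveReportEndpoints(policy, baseUrl) {
  const tokens = parsePolicy(policy).get("report-uri") || [];
  return tokens.map((token) => new URL(token, baseUrl).href);
}

// Compare endpoints resolved against the wrong base (the parent document)
// with those resolved against the correct base (the framed document whose
// policy is being enforced). One entry per token whose destination changes,
// i.e. per relative report-uri the report would have been sent to the wrong
// host for.
function misdirectedEndpoints(policy, parentDocumentUrl, framedDocumentUrl) {
  const tokens = parsePolicy(policy).get("report-uri") || [];
  const result = [];
  for (const token of tokens) {
    const wrong = new URL(token, parentDocumentUrl);
    const correct = new URL(token, framedDocumentUrl);
    if (wrong.href !== correct.href) {
      result.push({
        token,
        relative: isRelativeReference(token),
        wrongDestination: wrong.href,
        correctDestination: correct.href,
        crossesOrigin: wrong.origin !== correct.origin,
      });
    }
  }
  return result;
}

// Stand-alone run for the constructed scenario.
for (const entry of misdirectedEndpoints(POLICY, PARENT_DOCUMENT_URL, FRAMED_DOCUMENT_URL)) {
  console.log(
    `report-uri ${entry.token}: resolved to ${entry.wrongDestination}, ` +
      `should be ${entry.correctDestination}`
  );
}
```

In the constructed scenario only the relative token `/csp-report` changes destination: against the parent's URL it lands on embedder.example, against the framed document's URL on protected.example. The absolute collector URL is the same under either base, which is why the defect is confined to relative report-uri values.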
Comment 3 by Daniel Bates, 2016-09-16 12:13:34 PDT
Created attachment 289093: Patch
Comment 4 by Build Bot, 2016-09-16 12:58:24 PDT
Comment on attachment 289093 (Patch)
Attachment 289093 did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2089679
New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Comment 5 by Build Bot, 2016-09-16 12:58:27 PDT
Created attachment 289098: Archive of layout-test-results from ews103 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment 6 by Build Bot, 2016-09-16 13:07:32 PDT
Comment on attachment 289093 (Patch)
Attachment 289093 did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2089692
New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Comment 7 by Build Bot, 2016-09-16 13:07:35 PDT
Created attachment 289099: Archive of layout-test-results from ews114 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment 8 by Build Bot, 2016-09-16 13:14:46 PDT
Comment on attachment 289093 (Patch)
Attachment 289093 did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2089779
New failing tests:
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/xssAuditor/report-script-tag-replace-state.html
Comment 9 by Build Bot, 2016-09-16 13:14:49 PDT
Created attachment 289100: Archive of layout-test-results from ews106 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment 10 by Daniel Bates, 2016-09-16 13:17:46 PDT
Created attachment 289101: Patch
Rebase more expected test results.
Comment 11 by Daniel Bates, 2016-09-22 14:41:46 PDT
Comment on attachment 289101 (Patch)
Clearing flags on attachment: 289101
Committed r206278: <http://trac.webkit.org/changeset/206278>
Comment 12 by Daniel Bates, 2016-09-22 14:41:50 PDT
All reviewed patches have been landed. Closing bug.