RESOLVED FIXED 162079
[CSP] Violation report may be sent to wrong domain on frame-ancestors violation
https://bugs.webkit.org/show_bug.cgi?id=162079
Daniel Bates
Reported 2016-09-16 11:40:48 PDT
On a frame-ancestors violation the violation report may be sent to the wrong domain.
Attachments
Patch (56.02 KB, patch)
2016-09-16 12:13 PDT, Daniel Bates
no flags
Archive of layout-test-results from ews103 for mac-yosemite (1.27 MB, application/zip)
2016-09-16 12:58 PDT, Build Bot
no flags
Archive of layout-test-results from ews114 for mac-yosemite (1.64 MB, application/zip)
2016-09-16 13:07 PDT, Build Bot
no flags
Archive of layout-test-results from ews106 for mac-yosemite-wk2 (969.75 KB, application/zip)
2016-09-16 13:14 PDT, Build Bot
no flags
Patch (63.88 KB, patch)
2016-09-16 13:17 PDT, Daniel Bates
no flags
Daniel Bates
Comment 1 2016-09-16 11:41:17 PDT
Daniel Bates
Comment 2 2016-09-16 12:06:05 PDT
Note that reporting of a frame-ancestors violation for a document occurs before the URL of that document is known, so we do not have a script execution context. So we make use of the parent frame's document as part of the reporting machinery. Among other things we use the parent frame's document to compute the absolute URL for a CSP report URI that is a relative URL. But we should use the blocked URL as the base of this computed absolute URL.
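The resolution mistake described in the comment above, as an added example that is not WebKit code and not part of the original bug report. It models a framed document whose policy carries a relative report-uri, resolves that token once against the embedder's URL (the pre-fix base) and once against the blocked document's own URL (the base the comment says should be used), and shows that the relative endpoint lands on whichever host embeds the page. The policy, URLs and function names are hypothetical; the frame-ancestors matcher only understands 'self' and explicit origins, which is enough for this scenario.

```javascript
// Added example (hypothetical, not WebKit code): where a relative report-uri
// ends up when a frame-ancestors violation is reported with the wrong base URL.

// Minimal parser for a serialized CSP header: directive name -> source tokens.
// The first occurrence of a directive wins, as in CSP.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Resolve one report-uri token against a base URL. A relative token such as
// "/csp-report" inherits scheme, host and port from the base.
function resolveReportUri(token, baseUrl) {
  return new URL(token, baseUrl).href;
}

// Small model of the frame-ancestors check: the ancestor is allowed when it
// matches 'self' (same origin as the framed document) or an explicit origin.
// Unparseable sources are treated as non-matching.
function frameAncestorsAllows(sources, ancestorUrl, documentUrl) {
  const ancestor = new URL(ancestorUrl).origin;
  const self = new URL(documentUrl).origin;
  return sources.some((s) => {
    if (s === "'self'") return ancestor === self;
    try { return new URL(s).origin === ancestor; } catch { return false; }
  });
}

// For a frame-ancestors violation of the document at `blockedUrl` (policy
// `policy`) embedded by the page at `parentUrl`, return the report endpoints
// resolved both ways. Returns null when the embedding is allowed.
function reportEndpoints(policy, blockedUrl, parentUrl) {
  const directives = parseCsp(policy);
  if (!directives.has("frame-ancestors")) return null; // no restriction
  if (frameAncestorsAllows(directives.get("frame-ancestors"), parentUrl, blockedUrl)) return null;
  const tokens = directives.get("report-uri") || [];
  return {
    // Pre-fix behaviour from the comment: base = parent frame's document.
    resolvedAgainstParent: tokens.map((t) => resolveReportUri(t, parentUrl)),
    // Intended behaviour: base = the blocked document's own URL.
    resolvedAgainstBlocked: tokens.map((t) => resolveReportUri(t, blockedUrl)),
  };
}

// Constructed scenario: victim.example allows framing by itself and one partner,
// and names one relative and one absolute report endpoint.
const EXAMPLE_POLICY =
  "frame-ancestors 'self' https://partner.example; " +
  "report-uri /csp-report https://reports.victim.example/r";
const FRAMED_URL = "https://victim.example/app/page.html";
const EMBEDDER_URL = "https://attacker.example/embed.html";

// Only the relative token differs: with the parent as base it is POSTed to
// attacker.example, the host that chose to embed the page.
console.log(reportEndpoints(EXAMPLE_POLICY, FRAMED_URL, EMBEDDER_URL));
```

Absolute report-uri tokens are unaffected by the choice of base, which is why the reproduction needs a relative one; the same resolution step is what the rebased expectation files in the later comments exercise.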
Daniel Bates
Comment 3 2016-09-16 12:13:34 PDT
Build Bot
Comment 4 2016-09-16 12:58:24 PDT
Comment on attachment 289093 [details] Patch
Attachment 289093 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2089679
New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Build Bot
Comment 5 2016-09-16 12:58:27 PDT
Created attachment 289098 [details] Archive of layout-test-results from ews103 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 6 2016-09-16 13:07:32 PDT
Comment on attachment 289093 [details] Patch
Attachment 289093 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2089692
New failing tests:
http/tests/security/xssAuditor/report-script-tag-replace-state.html
http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
Build Bot
Comment 7 2016-09-16 13:07:35 PDT
Created attachment 289099 [details] Archive of layout-test-results from ews114 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 8 2016-09-16 13:14:46 PDT
Comment on attachment 289093 [details] Patch
Attachment 289093 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2089779
New failing tests:
http/tests/security/xssAuditor/report-script-tag.html
http/tests/security/xssAuditor/report-script-tag-full-block.html
http/tests/security/xssAuditor/report-script-tag-replace-state.html
Build Bot
Comment 9 2016-09-16 13:14:49 PDT
Created attachment 289100 [details] Archive of layout-test-results from ews106 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Daniel Bates
Comment 10 2016-09-16 13:17:46 PDT
Created attachment 289101 [details] Patch
Rebase more expected test results.
Daniel Bates
Comment 11 2016-09-22 14:41:46 PDT
Comment on attachment 289101 [details] Patch
Clearing flags on attachment: 289101
Committed r206278: <http://trac.webkit.org/changeset/206278>
Daniel Bates
Comment 12 2016-09-22 14:41:50 PDT
All reviewed patches have been landed. Closing bug.