RESOLVED FIXED 185367
CSP should be passed the referrer
https://bugs.webkit.org/show_bug.cgi?id=185367
Daniel Bates
Reported 2018-05-06 16:20:04 PDT
A ContentSecurityPolicy object currently depends on either a ScriptExecutionContext or a Frame in order to perform logging, dispatch DOM events, and send CSP reports. Ideally, we want it be dependent on a delegate to perform these operations so that we can implement them appropriate for workers and with respect to the NetworkProcess. Notice that class Document extends ScriptExecutionContext. For documents, one of the reasons the class ContentSecurityPolicy has a dependency on ScriptExecutionContext is because it needs to know the document's referrer when dispatching DOM events and sending CSP reports for violations. It is sufficient to pass the referrer information to a ContentSecurityPolicy directly instead of having ContentSecurityPolicy indirectly query this information from the specified ScriptExecutionContext or Frame. This will also make it straightforward to correctly compute the referrer for a worker in a subsequent bug.
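A minimal sketch of the design described above, added here as an illustration and not taken from the WebKit patch: the policy object is handed the referrer at construction and does its logging and report sending through a delegate. `CspPolicy`, `CspDelegate`, `RecordingDelegate` and the URLs used with them are hypothetical, and the report carries only a subset of the CSP `csp-report` fields.

```cpp
// Added sketch, not WebKit source: every name in this block is hypothetical.
#include <string>
#include <utility>
#include <vector>

// Operations the policy needs from its host (document, worker, network process).
struct CspDelegate {
    virtual ~CspDelegate() = default;
    virtual void sendReport(const std::string& endpoint, const std::string& json) = 0;
    virtual void logToConsole(const std::string& message) = 0;
};

class CspPolicy {
public:
    // The owner passes the referrer in; the policy never queries a document or
    // frame for it. Assumption of this sketch: a host without a referrer passes "".
    CspPolicy(std::string documentURL, std::string referrer, CspDelegate& delegate)
        : m_documentURL(std::move(documentURL)), m_referrer(std::move(referrer)), m_delegate(delegate) {}

    void reportViolation(const std::string& directive, const std::string& blockedURL,
                         const std::string& endpoint) {
        std::string json = "{\"csp-report\":{\"document-uri\":\"" + escape(m_documentURL)
            + "\",\"referrer\":\"" + escape(m_referrer)
            + "\",\"violated-directive\":\"" + escape(directive)
            + "\",\"blocked-uri\":\"" + escape(blockedURL) + "\"}}";
        m_delegate.logToConsole("Refused to load " + blockedURL + " (" + directive + ")");
        m_delegate.sendReport(endpoint, json);
    }

private:
    // Minimal escaping so a quote or backslash in a URL cannot end the JSON string early.
    static std::string escape(const std::string& in) {
        std::string out;
        for (char c : in) {
            if (c == '"' || c == '\\') out += '\\';
            out += c;
        }
        return out;
    }
    std::string m_documentURL, m_referrer;
    CspDelegate& m_delegate;
};

// Constructed test double standing in for a real host's delegate.
struct RecordingDelegate : CspDelegate {
    std::vector<std::string> reports, logs;
    void sendReport(const std::string&, const std::string& json) override { reports.push_back(json); }
    void logToConsole(const std::string& m) override { logs.push_back(m); }
};
```

Because the only outward dependency is the delegate, the same policy object can be exercised with a recording delegate in a unit test or hosted outside the document's process.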
Attachments
Patch (20.62 KB, patch)
2018-05-06 16:35 PDT, Daniel Bates
no flags
Daniel Bates
Comment 1 2018-05-06 16:35:40 PDT
Daniel Bates
Comment 2 2018-05-06 17:26:55 PDT
(In reply to Daniel Bates from comment #0)
> Ideally, we want it be dependent on a delegate
> to perform these operations so that we can implement them appropriate for
> workers and with respect to the NetworkProcess. Notice that class Document
> extends ScriptExecutionContext.
This should read:
Ideally, we want it to be dependent only on a delegate to perform these operations so that we can implement them appropriately for workers and with respect to the NetworkProcess.
> This will also make it straightforward to correctly compute the referrer for a worker in a subsequent bug.
Disregard this remark. Only documents have a referrer. That is, workers do not have a referrer.
Per Arne Vollan
Comment 3 2018-05-07 10:48:17 PDT
Comment on attachment 339695
Patch
R=me. Do we already have test coverage for this?
Daniel Bates
Comment 4 2018-05-07 10:50:58 PDT
(In reply to Per Arne Vollan from comment #3)
> Do we already have test coverage for this?
Yes, we do.
Daniel Bates
Comment 5 2018-05-07 10:52:40 PDT
Comment on attachment 339695
Patch
Clearing flags on attachment: 339695
Committed r231445: <https://trac.webkit.org/changeset/231445>
Daniel Bates
Comment 6 2018-05-07 10:52:42 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 7 2018-05-07 10:53:26 PDT