Similar to bug #185366, the referrer field in the CSP report should be the referrer for the protected document regardless of whether that document was blocked because its frame-ancestors directive was violated.
Currently whenever we send a CSP report we ask the document's loader (Document::loader()) for the referrer for the last request. Document::loader() returns the loader for the last committed document in its frame. For a frame-ancestors violation, a CSP report is sent before the document that had the frame-ancestors directive has been committed and after it has been associated with a frame. As a result we are in a transient transition state for the frame and hence the last request for the new document's loader (Document::loader()) is actually the last request of the previously loaded document in the frame. Instead we need to take care to tell CSP about the referrer for the request associated with the document the CSP came from.
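The stale-referrer condition described above, as a simplified model added here for illustration. It is not WebKit code or the patch from this bug; every type, function and URL in it is hypothetical and the sample values are constructed.

```cpp
#include <memory>
#include <string>

// Simplified model, NOT WebKit code: all names below are hypothetical.
struct Request { std::string url; std::string referrer; };
struct Loader { Request lastRequest; };

struct Frame {
    std::shared_ptr<Loader> committed;    // loader of the last committed document
    std::shared_ptr<Loader> provisional;  // loader of the navigation still in flight
};

struct Document {
    Frame* frame;
    // Models the behaviour described above: this yields the loader of the
    // last committed document in the frame, not this document's own loader.
    Loader* loader() const { return frame->committed.get(); }
};

// The two CSP report fields relevant here ("document-uri" and "referrer").
struct Report { std::string documentURI; std::string referrer; };

// Before: the referrer is read back through the frame when the report is built.
Report reportViaFrame(const Document& doc, const Request& protectedRequest) {
    return { protectedRequest.url, doc.loader()->lastRequest.referrer };
}

// After: the caller hands over the referrer of the request that delivered the policy.
Report reportWithExplicitReferrer(const Request& protectedRequest) {
    return { protectedRequest.url, protectedRequest.referrer };
}

struct Scenario { Report before; Report after; };

// A frame-ancestors violation: the new document is attached to the frame
// but not yet committed when the report is generated.
Scenario frameAncestorsViolation() {
    Frame frame;
    frame.committed = std::make_shared<Loader>(
        Loader{{"https://old.example/page", "https://search.example/"}});
    Request protectedReq{"https://protected.example/widget", "https://embedder.example/host"};
    frame.provisional = std::make_shared<Loader>(Loader{protectedReq});
    Document newDoc{&frame};
    return { reportViaFrame(newDoc, protectedReq), reportWithExplicitReferrer(protectedReq) };
}
```

In the "before" report the document URI and the referrer describe two different loads, which is the mismatch to look for when triaging frame-ancestors reports.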
Created attachment 339728
Patch
This patch depends on the refactoring done in bug #185367.
Comment on attachment 339728
Patch
Attachment 339728 did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/7597100
New failing tests:
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
Created attachment 339740
Archive of layout-test-results from ews206 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
(In reply to Build Bot from comment #3)
> Comment on attachment 339728
> Patch
>
> Attachment 339728 did not pass win-ews (win):
> Output: http://webkit-queues.webkit.org/results/7597100
>
> New failing tests:
> http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html

Similar to my remark in bug 185366, comment 6, I am unclear how this change could cause this failure and the results.html page in the attached archive categorizes this failure as a crash, but no crash log is in the archive.
Comment on attachment 339728
Patch
r=me.
Comment on attachment 339728
Patch
Clearing flags on attachment: 339728
Committed r231461: <https://trac.webkit.org/changeset/231461>
All reviewed patches have been landed. Closing bug.
<rdar://problem/40041421>