In Safari and Safari Technology Preview up to and including Release 71 (Safari 12.1, WebKit 14607.1.15), it is necessary to whitelist a CSP Reporting Endpoint for the reports to be sent when "default-src" is set to "none". The console states "Failed to load resource: Blocked by Content Security Policy." and the Network Tab shows that ping requests to the CSP Reporting Endpoint have been blocked. It should not be necessary to manually whitelist the CSP Reporting Endpoint. Furthermore, doing so using the "connect-src" directive whitelists a lot of undesirable connection types in addition to what is required to submit CSP violation reports — Fetch, XMLHttpRequest, WebSocket, and EventSource. No other major browser appears to behave in this way.

This will fail:

> default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';

This will work:

> connect-src https://example.com/endpoint:443; default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
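As an added example (not code from the bug report or the WebKit patch), a small Python model of the policy evaluation the report describes: whether a connection passes connect-src with default-src fallback, and whether report-uri delivery gets through when reports are subject to that check (the Safari 12.1 behaviour) or exempt from it (the CSP spec and the other browsers). The page origin is constructed, and the working policy's port is written as host:port so the simplified matcher treats it as a port.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_policy(policy):
    """'name value ...; name ...' -> {name: [values]}; directive names are case-insensitive."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)

def source_matches(source, url, page_origin):
    """Simplified CSP source matching: 'none', 'self' and scheme://host[:port][/path]."""
    if source == "'none'":
        return False
    if source == "'self'":
        source = page_origin
    src, tgt = urlsplit(source), urlsplit(url)
    if (src.scheme, src.hostname, _port(src)) != (tgt.scheme, tgt.hostname, _port(tgt)):
        return False
    if src.path and src.path != "/":
        # a path ending in '/' is a prefix match, anything else must match exactly
        return tgt.path.startswith(src.path) if src.path.endswith("/") else tgt.path == src.path
    return True

def connection_allowed(policy, url, page_origin):
    """Would fetch/XHR/WebSocket/EventSource to url pass connect-src (falling back to default-src)?"""
    directives = parse_policy(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: connections are unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)

def report_delivered(policy, page_origin, reports_obey_connect_src):
    """Per the CSP spec (Chrome, Firefox, Edge) report delivery is exempt from connect-src;
    the Safari 12.1 behaviour in the bug is modelled by reports_obey_connect_src=True."""
    endpoints = parse_policy(policy).get("report-uri", [])
    if not endpoints:
        return False
    return not reports_obey_connect_src or connection_allowed(policy, endpoints[0], page_origin)

# Constructed page origin; policies follow the bug report (working one's port written as host:port).
ORIGIN = "https://app.example.org"
FAILING = "default-src 'none'; report-uri https://example.com/endpoint; style-src 'self'"
WORKING = ("connect-src https://example.com:443/endpoint; default-src 'none'; "
           "report-uri https://example.com/endpoint; style-src 'self'")
```

Note that the workaround also lets page scripts open fetch/XHR connections to the endpoint, which is the side effect the report objects to.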
Just for reference, this bug also exists in Safari Technology Preview Release 72 (Safari 12.1, WebKit 14607.1.17.1), which was released half an hour after it was filed.
Created attachment 357693 [details] Screenshot of issue in Safari
Hey everyone,

Just dropping by to say I can repro this in latest Safari, screenshot attached. This behaviour is not present in latest Edge, Chrome or Firefox. If you want a test page for this issue you can try: https://scotthelme.co.uk/csp-demo/

I run Report URI (https://report-uri.com) and we process billions of reports per month for our customers. Advising them to open up a connect-src to us really isn't something we want to do. I feel it'd be a lot better if they didn't need to whitelist us at all and CSP reports were sent outside of the requirement to be whitelisted in the CSP, as they are in other browsers.

This is also somewhat problematic because if the CSP endpoint is required to be whitelisted in the connect-src (or default-src), then violating it and blocking the request, which it does, should cause a CSP report to be sent, which it doesn't!

Cheers, Scott.
<rdar://problem/46887236>
When adding better support for ping load checks in network process for fetch keep alive, we added these checks for all ping loads, probably including CSP reports.
Created attachment 358305 [details] Patch
Comment on attachment 358305 [details] Patch Attachment 358305 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/10624158 New failing tests: imported/w3c/web-platform-tests/webrtc/simplecall.https.html
Created attachment 358310 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6
Created attachment 358322 [details] Patch
Comment on attachment 358322 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=358322&action=review

> Source/WebCore/loader/PingLoader.h:50
> +enum class ContentSecurityPolicyImposition : uint8_t;

Extra space.

> LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt:3
> +PASS Untitled

May be nicer with a title.
Comment on attachment 358322 [details] Patch Attachment 358322 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10628875 New failing tests: http/wpt/css/css-animations/start-animation-001.html
Created attachment 358328 [details] Archive of layout-test-results from ews100 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-sierra Platform: Mac OS X 10.12.6
Created attachment 358330 [details] Patch for landing
Comment on attachment 358330 [details] Patch for landing Rejecting attachment 358330 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 358330, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit Logging in as commit-queue@webkit.org... Fetching: https://bugs.webkit.org/attachment.cgi?id=358330&action=edit Fetching: https://bugs.webkit.org/show_bug.cgi?id=192857&ctype=xml&excludefield=attachmentdata Processing 1 patch from 1 bug. Updating working directory Processing patch 358330 from bug 192857. Fetching: https://bugs.webkit.org/attachment.cgi?id=358330 Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Committing to http://svn.webkit.org/repository/webkit/trunk ... A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html.headers A LayoutTests/http/wpt/fetch/resources/store-csp-report.py M LayoutTests/ChangeLog M Source/WebCore/ChangeLog ERROR from SVN: Item is out of date: File '/trunk/Source/WebCore/ChangeLog' is out of date W: c7f8d5bea7af7b91c514ca7c6feb24b946306ff0 and refs/remotes/origin/master differ, using rebase: :040000 040000 5e31ad75b87be9e9c27e19478c71011dfb22c1c2 ad35e3f6fcd4e0199358caa564c681e6c8f9e614 M LayoutTests :040000 040000 54ac0bb4f63c2820cb00ddfaa04c46506da8bf0a ec67e86ad84fc3e6e0cd0c4b7774119a6c8a44d9 M Source Current branch master is up to date. ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree. Please see the above messages for details. 
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Updating OpenSource Current branch master is up to date. Full output: https://webkit-queues.webkit.org/results/10630810
Comment on attachment 358330 [details] Patch for landing Clearing flags on attachment: 358330 Committed r239634: <https://trac.webkit.org/changeset/239634>
All reviewed patches have been landed. Closing bug.
The test http/wpt/fetch/csp-reports-bypass-csp-checks.html added in https://trac.webkit.org/changeset/239634/webkit is flaky. History: https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Fwpt%2Ffetch%2Fcsp-reports-bypass-csp-checks.html