RESOLVED FIXED
192857
CSP violation reports should bypass CSP checks
https://bugs.webkit.org/show_bug.cgi?id=192857
Summary: CSP violation reports should bypass CSP checks
Reported by 1625258476, 2018-12-19 09:26:03 PST
In Safari and Safari Technology Preview up to and including Release 71 (Safari 12.1, WebKit 14607.1.15), it is necessary to whitelist a CSP Reporting Endpoint for the reports to be sent, when “default-src” is set to “none”. The console states "Failed to load resource: Blocked by Content Security Policy.” and the Network Tab shows that ping requests to the CSP Reporting Endpoint have been blocked. It should not be necessary to manually whitelist the CSP Reporting Endpoint. Furthermore, doing so using the "connect-src” directive whitelists a lot of undesirable connection types in addition to what is required to submit CSP violation reports — Fetch, XMLHttpRequest, WebSocket, and EventSource. No other major browser appears to behave in this way. This will fail:
> default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
This will work:
> connect-src https://example.com/endpoint:443; default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
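To make the two policies above concrete, here is an added example (not WebKit code) that models the decision described in this report: before the fix, WebKit's ping-load checks applied connect-src, falling back to default-src, to the report-uri delivery itself; per the CSP spec and in the other browsers, report delivery is not subject to those checks. The source-expression matcher is a deliberate simplification (scheme, host and port only; no path or wildcard matching), the page origin https://site.example is an assumption, and the two policies are the ones quoted in the description.

```python
"""Which CSP directive governs a violation-report request?

Added example, not WebKit code.  `webkit_before_fix=True` reproduces the
behaviour reported in this bug (report ping treated like any other ping
load); `False` is the spec behaviour.  The source matcher compares scheme,
host and port only, which is enough for the policies in the report.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(policy: str) -> dict:
    """Serialized CSP header -> {directive-name: [source-expression, ...]}."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified host-source match: scheme, host and port (no path)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        source = page_origin
    # A scheme-less source ("example.com") is parsed as a network-path reference.
    src = urlsplit(source if "://" in source else "//" + source)
    tgt = urlsplit(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.hostname != tgt.hostname:
        return False
    if src.port is not None and src.port != (tgt.port or DEFAULT_PORTS.get(tgt.scheme)):
        return False
    return True


def connection_allowed(policy: str, url: str, page_origin: str) -> bool:
    """Would a fetch/XHR/EventSource request to `url` pass connect-src (or default-src)?"""
    directives = parse_policy(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # neither directive present: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


def report_delivered(policy: str, page_origin: str, webkit_before_fix: bool) -> dict:
    """Per report-uri endpoint: would the violation report actually be sent?"""
    directives = parse_policy(policy)
    result = {}
    for endpoint in directives.get("report-uri", []):
        if webkit_before_fix:
            # The bug: the report ping was subjected to the connection checks.
            result[endpoint] = connection_allowed(policy, endpoint, page_origin)
        else:
            # Spec behaviour: report delivery bypasses CSP checks entirely.
            result[endpoint] = True
    return result


# The two policies from the bug description; the page origin is a constructed value.
PAGE = "https://site.example"
POLICY_FAILS = "default-src 'none'; report-uri https://example.com/endpoint; style-src 'self'"
POLICY_WORKS = ("connect-src https://example.com/endpoint:443; default-src 'none'; "
                "report-uri https://example.com/endpoint; style-src 'self'")

if __name__ == "__main__":
    for name, policy in (("fails", POLICY_FAILS), ("works", POLICY_WORKS)):
        print(name, "before fix:", report_delivered(policy, PAGE, True))
        print(name, "after fix: ", report_delivered(policy, PAGE, False))
    # Cost of the workaround: connect-src now also admits ordinary fetches to that host.
    print("fetch to example.com under workaround:",
          connection_allowed(POLICY_WORKS, "https://example.com/other", PAGE))
```

The last line of the demo is the point the reporter makes about connect-src: once the endpoint host is listed there, every Fetch, XMLHttpRequest and EventSource request to that host passes the same check, which is far more than report delivery needs.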
Attachments
Screenshot of issue in Safari (169.12 KB, image/png), 2018-12-19 10:40 PST, Scott Helme, no flags
Patch (19.18 KB, patch), 2019-01-03 20:44 PST, youenn fablet, no flags
Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.46 MB, application/zip), 2019-01-03 22:40 PST, EWS Watchlist, no flags
Patch (19.41 KB, patch), 2019-01-04 09:00 PST, youenn fablet, no flags
Archive of layout-test-results from ews100 for mac-sierra (2.68 MB, application/zip), 2019-01-04 10:04 PST, EWS Watchlist, no flags
Patch for landing (19.49 KB, patch), 2019-01-04 10:17 PST, youenn fablet, no flags
1625258476
Comment 1
2018-12-19 09:53:02 PST
Just for reference, this bug also exists in Safari Technology Preview Release 72 (Safari 12.1, WebKit 14607.1.17.1), which was released half an hour after it was filed.
Scott Helme
Comment 2
2018-12-19 10:40:28 PST
Created attachment 357693 [details]: Screenshot of issue in Safari
Scott Helme
Comment 3
2018-12-19 10:44:26 PST
Hey everyone, just dropping by to say I can repro this in latest Safari, screenshot attached. This behaviour is not present in latest Edge, Chrome or Firefox. If you want a test page for this issue you can try: https://scotthelme.co.uk/csp-demo/
I run Report URI (https://report-uri.com) and we process billions of reports per month for our customers. Advising them to open up a connect-src to us really isn't something we want to do. I feel it'd be a lot better if they didn't need to whitelist us at all and CSP reports were sent outside of the requirement to be whitelisted in the CSP, as they are in other browsers. This is also somewhat problematic because if the CSP endpoint is required to be whitelisted in the connect-src (or default-src), then violating it and blocking the request, which it does, should cause a CSP report to be sent, which it doesn't! Cheers, Scott.
Radar WebKit Bug Importer
Comment 4
2018-12-20 16:25:22 PST
<rdar://problem/46887236>
youenn fablet
Comment 5
2019-01-03 17:40:22 PST
When adding better support for ping load checks in network process for fetch keep alive, we added these checks for all ping loads, probably including CSP reports.
youenn fablet
Comment 6
2019-01-03 20:44:37 PST
Created attachment 358305 [details]: Patch
EWS Watchlist
Comment 7
2019-01-03 22:40:48 PST
Comment on attachment 358305 [details]: Patch
Attachment 358305 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/10624158
New failing tests: imported/w3c/web-platform-tests/webrtc/simplecall.https.html
EWS Watchlist
Comment 8
2019-01-03 22:40:50 PST
Created attachment 358310 [details]: Archive of layout-test-results from ews122 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6
youenn fablet
Comment 9
2019-01-04 09:00:10 PST
Created attachment 358322 [details]: Patch
Chris Dumez
Comment 10
2019-01-04 09:51:21 PST
Comment on attachment 358322 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=358322&action=review
> Source/WebCore/loader/PingLoader.h:50
> +enum class ContentSecurityPolicyImposition : uint8_t;
Extra space.
> LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt:3
> +PASS Untitled
May be nicer with a title.
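Review bot: the expected line `PASS Untitled` means the assertion in csp-reports-bypass-csp-checks.html was registered without a name, so the only identifying string in the results and in the flakiness dashboard is the file name; name the test after what it checks (for instance the bug title, "CSP violation reports should bypass CSP checks") so the expected file reads `PASS CSP violation reports should bypass CSP checks` and a failure is self-describing.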
EWS Watchlist
Comment 11
2019-01-04 10:04:04 PST
Comment on attachment 358322 [details]: Patch
Attachment 358322 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/10628875
New failing tests: http/wpt/css/css-animations/start-animation-001.html
EWS Watchlist
Comment 12
2019-01-04 10:04:06 PST
Created attachment 358328 [details]: Archive of layout-test-results from ews100 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-sierra Platform: Mac OS X 10.12.6
youenn fablet
Comment 13
2019-01-04 10:17:16 PST
Created attachment 358330 [details]: Patch for landing
WebKit Commit Bot
Comment 14
2019-01-04 11:45:33 PST
Comment on attachment 358330 [details]: Patch for landing
Rejecting attachment 358330 [details] from commit-queue.
Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 358330, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit
Logging in as commit-queue@webkit.org...
Fetching: https://bugs.webkit.org/attachment.cgi?id=358330&action=edit
Fetching: https://bugs.webkit.org/show_bug.cgi?id=192857&ctype=xml&excludefield=attachmentdata
Processing 1 patch from 1 bug.
Updating working directory
Processing patch 358330 from bug 192857.
Fetching: https://bugs.webkit.org/attachment.cgi?id=358330
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html.headers
A LayoutTests/http/wpt/fetch/resources/store-csp-report.py
M LayoutTests/ChangeLog
M Source/WebCore/ChangeLog
ERROR from SVN: Item is out of date: File '/trunk/Source/WebCore/ChangeLog' is out of date
W: c7f8d5bea7af7b91c514ca7c6feb24b946306ff0 and refs/remotes/origin/master differ, using rebase:
:040000 040000 5e31ad75b87be9e9c27e19478c71011dfb22c1c2 ad35e3f6fcd4e0199358caa564c681e6c8f9e614 M LayoutTests
:040000 040000 54ac0bb4f63c2820cb00ddfaa04c46506da8bf0a ec67e86ad84fc3e6e0cd0c4b7774119a6c8a44d9 M Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree.
Please see the above messages for details.
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks-expected.txt
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html
A LayoutTests/http/wpt/fetch/csp-reports-bypass-csp-checks.html.headers
A LayoutTests/http/wpt/fetch/resources/store-csp-report.py
M LayoutTests/ChangeLog
M Source/WebCore/ChangeLog
ERROR from SVN: Item is out of date: File '/trunk/Source/WebCore/ChangeLog' is out of date
W: c7f8d5bea7af7b91c514ca7c6feb24b946306ff0 and refs/remotes/origin/master differ, using rebase:
:040000 040000 5e31ad75b87be9e9c27e19478c71011dfb22c1c2 ad35e3f6fcd4e0199358caa564c681e6c8f9e614 M LayoutTests
:040000 040000 54ac0bb4f63c2820cb00ddfaa04c46506da8bf0a ec67e86ad84fc3e6e0cd0c4b7774119a6c8a44d9 M Source
Current branch master is up to date.
ERROR: Not all changes have been committed into SVN, however the committed ones (if any) seem to be successfully integrated into the working tree.
Please see the above messages for details.
Failed to run "['git', 'svn', 'dcommit', '--rmdir']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
Updating OpenSource
Current branch master is up to date.
Full output: https://webkit-queues.webkit.org/results/10630810
WebKit Commit Bot
Comment 15
2019-01-04 13:22:40 PST
Comment on attachment 358330 [details]: Patch for landing
Clearing flags on attachment: 358330
Committed r239634: <https://trac.webkit.org/changeset/239634>
WebKit Commit Bot
Comment 16
2019-01-04 13:22:42 PST
All reviewed patches have been landed. Closing bug.
Truitt Savell
Comment 17
2019-01-04 16:43:26 PST
The test http/wpt/fetch/csp-reports-bypass-csp-checks.html added in https://trac.webkit.org/changeset/239634/webkit is flakey.
History: https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Fwpt%2Ffetch%2Fcsp-reports-bypass-csp-checks.html