RESOLVED WORKSFORME Bug 97241
csp-report wrapper missing
https://bugs.webkit.org/show_bug.cgi?id=97241
Adam Baldwin
Reported 2012-09-20 11:34:02 PDT
On Safari Version 6.0.1 (8536.26.14) the outer 'csp-report' wrapper does not exist when csp violation report is sent.

Example:
{ 'document-url': 'http://localhost:3000/violation', 'violated-directive': 'default-src \'self\'' }

Should be like the following to match the spec
{ 'csp-report': { 'document-url': 'http://localhost:3000/violation', 'violated-directive': 'default-src \'self\'' } }

The policy header that was set was
X-WebKit-CSP: default-src 'self';report-uri http://localhost:3000/csp;
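Added example, not part of the original report or of WebKit: a report-uri collector that receives reports from both the affected Safari build and spec-conforming browsers can normalize the two body shapes before logging or alerting on them. The function and constant names are hypothetical, and the sample bodies are constructed from the values in the report above.

```javascript
// Hypothetical names throughout; this is not WebKit or Safari code.
const MAX_BODY_CHARS = 16 * 1024; // assumed cap; violation reports are small
const KNOWN_FIELDS = ['document-url', 'violated-directive']; // fields shown in the bug report

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Returns { ok: true, wrapped, report } or { ok: false, reason }.
function normalizeCspReport(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > MAX_BODY_CHARS) {
    return { ok: false, reason: 'body missing or too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (!isPlainObject(parsed)) return { ok: false, reason: 'not an object' };

  // Spec form: the fields sit under the outer "csp-report" key.
  // Safari 6.0.1 form (this bug): the fields sit at the top level.
  const wrapped = isPlainObject(parsed['csp-report']);
  const source = wrapped ? parsed['csp-report'] : parsed;

  // Copy only known, string-valued fields; the body is untrusted input.
  const report = {};
  for (const field of KNOWN_FIELDS) {
    if (typeof source[field] === 'string') report[field] = source[field];
  }
  if (!('violated-directive' in report)) {
    return { ok: false, reason: 'no violated-directive' };
  }
  return { ok: true, wrapped, report };
}

// Constructed sample bodies using the values from the report above.
const bareBody = JSON.stringify({
  'document-url': 'http://localhost:3000/violation',
  'violated-directive': "default-src 'self'",
});
const wrappedBody = JSON.stringify({ 'csp-report': JSON.parse(bareBody) });

console.log(normalizeCspReport(bareBody));    // wrapped: false
console.log(normalizeCspReport(wrappedBody)); // wrapped: true
```

Recording the `wrapped` flag alongside each stored report makes it easy to see how much traffic still comes from builds that predate the fix.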
Mike West
Comment 1 2012-09-22 02:27:18 PDT
It looks like this was added in http://wkrev.com/116268, which I think is just after the revision of WebCore that Safari is using. ToT has the wrapper object, as evidenced by the current set of test expectations. http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt for example.
Alexey Proskuryakov
Comment 2 2012-09-22 08:33:02 PDT
Thanks Mike - since this is fixed in WebKit, marking WORKSFORME. We do not track integration of WebKit into vendor releases. Adam, please feel free to verify the fix with a nightly build: <http://nightly.webkit.org>.
Mike West
Comment 3 2012-09-22 08:41:44 PDT
(In reply to comment #2)
> Thanks Mike - since this is fixed in WebKit, marking WORKSFORME. We do not track integration of WebKit into vendor releases.
>
> Adam, please feel free to verify the fix with a nightly build: <http://nightly.webkit.org>.

What's the proper channel for a Safari-specific report? Radar?
Alexey Proskuryakov
Comment 4 2012-09-22 12:27:43 PDT
> What's the proper channel for a Safari-specific report? Radar?

Yes, that's correct - <http://bugreport.apple.com>.

Generally, one may want to file a bug with Apple about something that's already fixed in WebKit if that issue needs to be addressed sooner than it would happen "naturally" when shipping a release that includes newer WebKit. It's important to explain the urgency then.
Mike West
Comment 5 2012-09-22 12:42:49 PDT
(In reply to comment #4)
> > What's the proper channel for a Safari-specific report? Radar?
>
> Yes, that's correct - <http://bugreport.apple.com>.
>
> Generally, one may want to file a bug with Apple about something that's already fixed in WebKit if that issue needs to be addressed sooner than it would happen "naturally" when shipping a release that includes newer WebKit. It's important to explain the urgency then.

Fair enough. Thanks Alexey.