Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,5 +1,62 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: report-url directive should be ignored when contained in a policy defined via a meta element
+ https://bugs.webkit.org/show_bug.cgi?id=154307
+ <rdar://problem/24684817>
+
+ Reviewed by Brent Fulgham.
+
+ Add new test http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html and rename and modify
+ existing tests to make them PHP scripts that emit a Content Security Policy HTTP header.
+
+ In addition, remove file http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html that
+ is no longer meaningful now that we do not honor the report-uri directive defined in a policy via a meta
+ element. Moreover, we have not made use of this file since <http://trac.webkit.org/changeset/176413>.
+
+ * TestExpectations: Update entries for renames.
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html.
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html.
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html.
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html.
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html.
+ * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html.
+ * http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html: Removed.
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php: Added.
+ * http/tests/security/contentSecurityPolicy/report-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html.
+ * http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html: Removed. For completeness, we have
+ not made use of this file since <http://trac.webkit.org/changeset/176413>.
+ * http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php:
+ * http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html.
+ * platform/wk2/TestExpectations: Update entries for renames.
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154299
<rdar://problem/24680433>
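Review bot: the title line of the new entry says "report-url directive", but the directive is report-uri, as the rest of the entry and the new test name (report-uri-in-meta-tag-ignored.html) spell it. Correct the title so that a search of the ChangeLog for report-uri finds this change. The remark that generate-csp-report.html has been unused since changeset 176413 also appears twice, once in the description and once in the file list; one of them is enough.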
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:25:12 UTC (rev 197082)
@@ -808,9 +808,9 @@
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]
-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html [ Failure ]
-webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html [ Failure ]
+webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php [ Failure ]
+webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php [ Failure ]
+webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php [ Failure ]
webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
@@ -831,17 +831,17 @@
webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri.html [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri.php [ Failure ]
webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only-from-header.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only.html [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only.php [ Failure ]
webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-and-enforce.php [ Failure ]
+webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php [ Failure ]
http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
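Review bot: the renamed entries in this hunk carry [ Failure ] over unchanged, although the tests now deliver their policy in an HTTP header instead of a meta element. Re-run them and confirm that each still fails for the bugs listed on its line (webkit.org/b/153242, webkit.org/b/154288) instead of copying the expectation across the rename; any test that now passes should lose its entry.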
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -5,7 +5,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,16 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
- <meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
-</head>
-<body>
- This image should be blocked, but should not show up in the violation report.
- <img src=""
- <script>
- // This script block will trigger a violation report but shouldn't be blocked.
- alert('PASS');
- </script>
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,18 @@
+<?php
+ header("Content-Security-Policy-Report-Only: script-src 'self'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+</head>
+<body>
+ This image should be blocked, but should not show up in the violation report.
+ <img src=""
+ <script>
+ // This script block will trigger a violation report but shouldn't be blocked.
+ alert('PASS');
+ </script>
+ <script src=""
+</body>
+</html>
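Review bot: this test now delivers its two policies by different mechanisms and nothing in the file says why: the report-only policy with report-uri is sent by header() at the top, while the enforced img-src 'none' policy stays in the meta element. Add a short comment stating that the split is deliberate because report-uri is ignored in a meta-delivered policy, so a later cleanup does not move the report-only policy back into markup or fold the two together.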
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
-</head>
-<body>
- <img src=""
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,10 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+ <img src=""
+ <script src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,17 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
-</head>
-<body>
- <script>
- testRunner.addOriginAccessWhitelistEntry('http://127.0.0.1:8000', 'file', '', true);
- var localImageLocation = testRunner.pathToLocalResource('file:///tmp/LayoutTests/http/tests/security/resources/compass.jpg');
-
- var localImageElement = document.createElement('img');
- localImageElement.src = ""
- document.body.appendChild(localImageElement);
- </script>
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,17 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+ <script>
+ testRunner.addOriginAccessWhitelistEntry('http://127.0.0.1:8000', 'file', '', true);
+ var localImageLocation = testRunner.pathToLocalResource('file:///tmp/LayoutTests/http/tests/security/resources/compass.jpg');
+
+ var localImageElement = document.createElement('img');
+ localImageElement.src = ""
+ document.body.appendChild(localImageElement);
+ </script>
+ <script src=""
+</body>
+</html>
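Review bot: the inline script calls testRunner.addOriginAccessWhitelistEntry() and testRunner.pathToLocalResource() without checking that testRunner exists, so loading the page outside the test harness throws before the image is appended and no violation is produced. Since the file is being rewritten anyway, wrap the script body in the same if (window.testRunner) guard that report-cross-origin-no-cookies-when-private-browsing-enabled.php uses.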
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,4 +0,0 @@
-<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
-The origin of this image should show up in the violation report.
-<img src=""
-<script src=""
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,6 @@
+<?php
+ header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/save-report.php");
+?>
+The origin of this image should show up in the violation report.
+<img src=""
+<script src=""
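Review bot: the markup after the PHP block has no <!DOCTYPE html>, html or body element, so this test renders in quirks mode while report-and-enforce.php and report-blocked-data-uri.php in the same change are full standards-mode documents. If quirks mode is not part of what this test covers, add the doctype and wrapper elements during the conversion so the reporting tests share one document shape; report-blocked-uri.php has the same layout.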
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,4 +0,0 @@
-<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
-The URI of this image should show up in the violation report.
-<img src=""
-<script src=""
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,6 @@
+<?php
+ header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/save-report.php");
+?>
+The URI of this image should show up in the violation report.
+<img src=""
+<script src=""
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
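Review bot: the updated csp-report JSON line still has no "effective-directive" or "status-code" field, whereas the expected output for report-cross-origin-no-cookies and the other reporting tests in this change includes both. If this file was updated by replacing .html with .php and not by re-running the test, regenerate it so the expectation reflects what the report contains today.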
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- if (window.testRunner)
- testRunner.setPrivateBrowsingEnabled(true);
-
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,22 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
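Review bot: missing documentation at the top of the new .php file: nothing says why the policy is now sent with header() instead of the meta element the .html version used. Because report-uri is ignored in a meta-delivered policy after this change, a later edit that moves the policy back into a meta tag would stop the report from being sent and the test would fail for a non-obvious reason. A one-line PHP comment above the header() call, stating that the policy has to be delivered as an HTTP header for report-uri to be honored, would help; the same applies to the other converted tests.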
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
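Review bot: on the changed POST DATA line, the expected report still has no effective-directive or status-code fields, while the report-same-origin-with-cookies expectation updated in this same change carries both. Only the .html to .php substitution was applied here, so if this test is actually run the expectation looks stale. Regenerate it from a real run rather than editing the URL by hand, or say where the test is skipped.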
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- // Normal browsing mode
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-
- if (window.testRunner)
- testRunner.setPrivateBrowsingEnabled(true);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,23 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ // Normal browsing mode
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,19 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -3,7 +3,7 @@
ALERT: PASS
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +0,0 @@
-<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
-<script>
-// This script block will trigger a violation report but shouldn't be blocked.
-alert('PASS');
-</script>
-<script src=""
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,8 @@
+<?php
+ header("Content-Security-Policy-Report-Only: script-src 'self'; report-uri resources/save-report.php");
+?>
+<script>
+// This script block will trigger a violation report but shouldn't be blocked.
+alert('PASS');
+</script>
+<script src=""
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +1,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- // Normal browsing mode
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-
- if (window.testRunner)
- testRunner.setPrivateBrowsingEnabled(true);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,23 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ // Normal browsing mode
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -3,7 +3,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_COOKIE: hello=world
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,7 +1,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_COOKIE: hello=world
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- if (window.testRunner)
- testRunner.setPrivateBrowsingEnabled(true);
-
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,22 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
-</head>
-<body>
-<script>
- var xhr = new XMLHttpRequest();
- xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
- xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
- xhr.send(null);
-</script>
-
-<!-- This image will generate a CSP violation report. -->
-<img src=""
-
-<script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,19 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,15 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
-</head>
-<body>
- <script>
- // This script block will trigger a violation report.
- var i = document.createElement('img');
- i.src = '';
- document.body.appendChild(i);
- </script>
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,15 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ var i = document.createElement('img');
+ i.src = '';
+ document.body.appendChild(i);
+ </script>
+ <script src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
-</head>
-<body>
- <script src=""
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,10 @@
+<?php
+ header("Content-Security-Policy: img-src 'none'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+ <script src=""
+ <script src=""
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: The Content Security Policy directive 'report-uri' is ignored when delivered via an HTML meta element.
+This tests that a console message is logged to explain that the Content Security Policy report-uri directive is ignored when contained in a policy defined via an HTML meta element.
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="report-uri /security/contentSecurityPolicy/resources/save-report.php">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<p>This tests that a console message is logged to explain that the Content Security Policy <code>report-uri</code> directive is ignored when contained in a policy defined via an HTML meta element.</p>
+</body>
+</html>
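Review bot: the policy in the meta element contains only report-uri and the page loads nothing that could violate it, so the test shows that the console message is logged but not that no report is sent. Consider adding an enforced directive such as img-src 'none' together with a blocked image to the meta policy, and then checking that save-report.php recorded nothing, so that a regression which logs the warning yet still posts the report would be caught.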
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
@@ -2,7 +2,7 @@
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.html","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"","status-code":200}}
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +0,0 @@
-<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php">
-<script>
-// This script block will trigger a violation report.
-alert('FAIL');
-</script>
-<script src=""
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,8 @@
+<?php
+ header("Content-Security-Policy: script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php");
+?>
+<script>
+// This script block will trigger a violation report.
+alert('FAIL');
+</script>
+<script src=""
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +0,0 @@
-<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri resources/save-report.php">
-<script>
-// This script block will trigger a violation report.
-alert('FAIL');
-</script>
-<script src=""
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,8 @@
+<?php
+ header("Content-Security-Policy: script-src 'self'; report-uri resources/save-report.php");
+?>
+<script>
+// This script block will trigger a violation report.
+alert('FAIL');
+</script>
+<script src=""
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,6 +0,0 @@
-<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=generate-csp-report.html">
-<script>
-// This script block will trigger a violation report.
-alert('FAIL');
-</script>
-<script src=""
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,4 +1,6 @@
-<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php?test=<?php echo $_GET['test']; ?>">
+<?php
+ header("Content-Security-Policy: script-src 'self'; report-uri save-report.php?test=" . $_GET['test']);
+?>
<script>
// This script block will trigger a violation report.
alert('FAIL');
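Review bot: `$_GET['test']` is concatenated into the Content-Security-Policy header without validation on the added header() line. A `;` in the parameter would end the report-uri directive and start a new directive in the served policy, so restrict the value to the characters a test file name needs, or pass it through urlencode(), before appending it. The removed meta version echoed the parameter unescaped as well, so this rewrite is a good place to fix it.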
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,16 +0,0 @@
-<html>
-<head>
-<meta content="font-src http://webkit.org; report-uri http://webkit.org/report;" http-equiv="Content-Security-Policy">
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- testRunner.addUserStyleSheet("@font-face { font-family: ExampleFont; src: url(example_font.woff); }", true);
-}
-</script>
-</head>
-<body>
-The iframe below triggers a violation report creating the initial empty document. It should not crash the web process.<br>
-<iframe src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php (from rev 197081, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html) (0 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php 2016-02-25 10:25:12 UTC (rev 197082)
@@ -0,0 +1,18 @@
+<?php
+ header("Content-Security-Policy: font-src http://webkit.org; report-uri http://webkit.org/report;");
+?>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.addUserStyleSheet("@font-face { font-family: ExampleFont; src: url(example_font.woff); }", true);
+}
+</script>
+</head>
+<body>
+The iframe below triggers a violation report creating the initial empty document. It should not crash the web process.<br>
+<iframe src=""
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations 2016-02-25 10:25:12 UTC (rev 197082)
@@ -714,10 +714,10 @@
# WebKitTestRunner testRunner.setPrivateBrowsingEnabled doesn't work with NetworkProcess.
# We explicitly Skip the following tests instead of marking them as Failure because some of these tests will naturally pass
# as a consequence of testRunner.setPrivateBrowsingEnabled() effectively being a no-op as of the time of writing (07/08/2015).
-webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html [ Skip ]
-webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html [ Skip ]
-webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html [ Skip ]
-webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php [ Skip ]
# Legacy IndexedDB will never properly support IDB in private browsing
imported/w3c/indexeddb/abort-in-initial-upgradeneeded-private.html [ Skip ]
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:25:12 UTC (rev 197082)
@@ -1,5 +1,27 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: report-url directive should be ignored when contained in a policy defined via a meta element
+ https://bugs.webkit.org/show_bug.cgi?id=154307
+ <rdar://problem/24684817>
+
+ Reviewed by Brent Fulgham.
+
+ The Content Security Policy report-uri directive should only be honored when defined via an HTTP header
+ as per section report-uri of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Currently we honor the report-uri directive when enforcing or monitoring a policy defined either via
+ an HTML meta element or an HTTP header. Instead we should only honor this directive when defined
+ via an HTTP header and log a message to the Web Inspector console to explain that the directive
+ was ignored as suggested in <https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element>.
+
+ Test: http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html
+
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::parse): Modified to ignore the directive report-uri when
+ the Content Security Policy came from an HTML meta element.
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154299
<rdar://problem/24680433>
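Review bot: The title line of the new entry reads "report-url directive", while the directive is report-uri, as the body of the entry and the test name spell it. Please correct the title so the entry can be found by searching for the directive name. The phrase "as per section report-uri of the Content Security Policy 2.0 spec.," would also read better as a direct link to that section, the way the second paragraph links to #delivery-html-meta-element.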
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197081 => 197082)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:23:58 UTC (rev 197081)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:25:12 UTC (rev 197082)
@@ -408,8 +408,7 @@
ASSERT(!name.isEmpty());
switch (policyFrom) {
case ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta:
- // FIXME: We also need to ignore directive report-uri (https://bugs.webkit.org/show_bug.cgi?id=154307).
- if (equalLettersIgnoringASCIICase(name, sandbox)) {
+ if (equalLettersIgnoringASCIICase(name, sandbox) || equalLettersIgnoringASCIICase(name, reportURI)) {
m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
break;
}
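Review bot: The new condition matches the name with equalLettersIgnoringASCIICase, but the added test only uses lowercase `report-uri` in the meta element. A second meta policy with a mixed-case spelling such as `Report-URI` would cover the case-insensitive path and pin down which spelling the console message reports, since `name` is what gets passed to reportInvalidDirectiveInHTTPEquivMeta. If more directives come to be ignored for meta delivery, a small helper for this check would keep the condition readable.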