Title: [207624] branches/safari-602-branch
Revision
207624
Author
dba...@webkit.org
Date
2016-10-20 10:44:37 -0700 (Thu, 20 Oct 2016)

Log Message

Merge r206809. rdar://problem/28718761

Diff

Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/ChangeLog	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/ChangeLog	2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,75 @@
+2016-10-20  Daniel Bates  <daba...@apple.com>
+
+        Merge r206809. rdar://problem/28718761
+
+    2016-10-05  Daniel Bates  <daba...@apple.com>
+
+            Do not follow redirects when sending violation report
+            https://bugs.webkit.org/show_bug.cgi?id=162520
+            <rdar://problem/27957639>
+
+            Reviewed by Alex Christensen.
+
+            Add tests for Content Security Policy and XSS Auditor to ensure that we do not follow redirects
+            when sending a violation report. Modified http/tests/security/contentSecurityPolicy/resources/save-report.php
+            to save the URL of the original ping request and conditionally clear cookies. Modified
+            http/tests/security/xssAuditor/resources/echo-intertag.pl to support testing for the XSS Auditor.
+            These changes together with the existing HTTP Host information that is saved with the report we can detect
+            if a redirect occurred when saving a report.
+
+            Updated expected results of existing tests now that we emit the URL of the ping request in the saved report.
+
+            * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+            * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+            * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php: Added.
+            * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt:
+            * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+            * http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php: Added.
+            * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+            * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+            * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html: Added.
+            * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+            * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+            * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html: Added.
+            * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+            * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+            * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+
 2016-10-20  Matthew Hanson  <matthew_hanson>
 
         Merge r206217. rdar://problem/28811877
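Review bot: the sentence "These changes together with the existing HTTP Host information that is saved with the report we can detect if a redirect occurred when saving a report." in the merged ChangeLog entry is ungrammatical and should be reworded before landing, e.g. "Together with the HTTP Host information already saved with the report, these changes let us detect whether a redirect occurred when saving a report." The entry also says echo-intertag.pl was modified "to support testing for the XSS Auditor" without saying what was added (the save-report.php change is described as "save the URL of the original ping request and conditionally clear cookies"); a one-line description of the echo-intertag.pl change would make the entry self-contained.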

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CSP report received:
 CONTENT_TYPE: application/csp-report
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
 === POST DATA =""
 {"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-f
 rame-ancestors-cross-origin.html&q=FAIL","status-code":0}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CSP report received:
 CONTENT_TYPE: application/csp-report
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
 === POST DATA =""
 {"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report
 -frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
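Review bot: the added REQUEST_URI line in this HTTPS variant carries test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html, i.e. the same test key as the non-HTTPS expectation above, which matches the report-uri in the original-policy shown on the following line. If save-report.php stores the report under that test parameter, the HTTP and HTTPS variants write to the same slot and could overwrite each other's saved report when run concurrently; consider giving the HTTPS test its own key (the same-origin HTTPS expectation further down has the same pattern).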

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CSP report received:
 CONTENT_TYPE: application/csp-report
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-fra
 me-ancestors-same-origin.html&q=FAIL","status-code":0}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CSP report received:
 CONTENT_TYPE: application/csp-report
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
 === POST DATA =""
 {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-f
 rame-ancestors-same-origin.html&q=FAIL","status-code":0}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php","referrer":"","violated-directive":"default-src 'self'","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -5,5 +5,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","line-number":9,"column-number":26}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,25 @@
+<?php
+header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<img src="" <!-- Trigger CSP violation -->
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+    window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+}
+
+// We assume that if redirects were followed when saving the report that they will complete within one second.
+// FIXME: Is there are better way to test that a redirect did not occur?
+window.setTimeout(navigateToReport, 1000);
+</script>
+</body>
+</html>
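Review bot: the element on the line `<img src="" <!-- Trigger CSP violation -->` is malformed: the comment sits inside the start tag, so the parser treats `<!--`, `Trigger`, `CSP`, `violation` and `--` as attributes, and src is empty, yet the expected result for this test reports http://127.0.0.1:8000/security/resources/abe.png as the blocked URI. Suggest `<img src="/security/resources/abe.png"> <!-- Trigger CSP violation -->` so the markup matches the expectation. The `window.setTimeout(navigateToReport, 1000)` check also encodes a timing assumption that the FIXME already flags: if a followed redirect completes after the one-second window on a slow bot, the test reads the report before the second save and passes falsely, so the test can miss the regression it is meant to catch.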

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -5,5 +5,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
 HTTP_COOKIE: hello=world
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 HTTP_COOKIE: hello=world
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
 === POST DATA =""
 {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"","status-code":0}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -8,5 +8,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"","status-code":200}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","line-number":7,"column-number":10}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js","line-number":3,"column-number":2}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
 === POST DATA =""
 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"","status-code":200}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,9 @@
+<?php
+require_once "report-file-path.php";
+
+$DO_NOT_CLEAR_COOKIES = true; // Used by save-report.php
+require_once "save-report.php";
+
+header("HTTP/1.1 307");
+header("Location: save-report.php" . (isset($_SERVER["QUERY_STRING"]) ? "?" . $_SERVER["QUERY_STRING"] : ""));
+?>
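Review bot: the status line `header("HTTP/1.1 307")` lacks a reason phrase; write `header("HTTP/1.1 307 Temporary Redirect")` so the status line is complete however the SAPI copies it through. The choice of 307 over 302 also deserves a one-line comment, because it is what makes the test meaningful: 307 preserves the POST method and body, so a browser that wrongly follows the redirect re-POSTs the same report to save-report.php, which rewrites the report file (via the .tmp + rename() path) with REQUEST_URI ending in save-report.php instead of save-report-and-redirect-to-save-report.php; a 302/303 would turn the follow-up into a GET and the failure would look different. Also note that `$DO_NOT_CLEAR_COOKIES` is a bare global shared with the included file; a comment here is fine, but the contract should be stated in save-report.php as well.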

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php	2016-10-20 17:44:37 UTC (rev 207624)
@@ -11,17 +11,19 @@
 $httpHeaders = $_SERVER;
 ksort($httpHeaders, SORT_STRING);
 foreach ($httpHeaders as $name => $value) {
-    if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
+    if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "REQUEST_URI") {
         $value = undoMagicQuotes($value);
         fwrite($reportFile, "$name: $value\n");
     }
 }
 
-foreach ($_COOKIE as $name => $value)
-    setcookie($name, "deleted", time() - 60, "/");
-
 fwrite($reportFile, "=== POST DATA =""
 fwrite($reportFile, file_get_contents("php://input"));
 fclose($reportFile);
 rename($reportFilePath . ".tmp", $reportFilePath);
+
+if (!isset($DO_NOT_CLEAR_COOKIES) || !$DO_NOT_CLEAR_COOKIES) {
+    foreach ($_COOKIE as $name => $value)
+        setcookie($name, "deleted", time() - 60, "/");
+}
 ?>
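Review bot: the gate `!isset($DO_NOT_CLEAR_COOKIES) || !$DO_NOT_CLEAR_COOKIES` is `empty($DO_NOT_CLEAR_COOKIES)` and nothing in this file says where that variable comes from; simplify the condition and add a comment such as `// Set by save-report-and-redirect-to-save-report.php before including this file`. Moving the setcookie() loop below fclose()/rename() is behaviour-neutral only because the script has produced no output by then (setcookie() cannot add headers once output has started), so keep any future diagnostics going to the report file rather than stdout. Recording REQUEST_URI is the right discriminator for the redirect tests, but since it includes the query string every expected file now embeds its own test path; that is intended here, just be aware it couples expectations to file names.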

Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA =""
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+    function navigateToReport() {
+        window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+    }
+    // We assume that if redirects were followed when saving the report that they will complete within one second.
+    // FIXME: Is there are better way to test that a redirect did not occur?
+    window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" name="frame" src="" you see this message, no _javascript_ alert(), and a dump of the report below, then the test PASSED.</p>" _onload_="done()">
+</iframe>
+</body>
+</html>
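Review bot: the pass criterion rests on a fixed 1 s setTimeout in done() (the FIXME acknowledges it), so a regression in which the redirect is followed but the second save-report.php request completes after the navigation to echo-report.php would still report PASSED, and a slow bot could make a genuine pass flaky in the other direction. A deterministic alternative that fits the existing helpers is to have save-report-and-redirect-to-save-report.php redirect to a target that writes a separate marker (or a second file) and have echo-report.php dump both, so the test asserts the absence of the second write instead of racing it; failing that, poll echo-report.php a few times before declaring done rather than relying on one timer.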

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
 CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag.html
 === POST DATA =""
 {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA =""
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}

Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html (0 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html	                        (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html	2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+    function navigateToReport() {
+        window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+    }
+    // We assume that if redirects were followed when saving the report that they will complete within one second.
+    // FIXME: Is there are better way to test that a redirect did not occur?
+    window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" src="" you see this message, no _javascript_ alert(), and a dump of the report below, then the test PASSED.</p>" _onload_="done()">
+</iframe>
+</body>
+</html>
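Review bot: this file duplicates report-script-tag-and-do-not-follow-redirect-when-sending-report.html with only the query parameter changed (enable-full-block-report-with-redirect=1) and the iframe's `name="frame"` dropped, so the done()/setTimeout scaffold and its 1 s race now live in two places. Consider sharing the scaffold from a script under resources/ or driving both variants from one page by query parameter, as echo-intertag.pl already does server-side; at minimum keep the iframe attributes consistent between the two files.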

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
 CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-full-block.html
 === POST DATA =""
 {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt	2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
 CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-replace-state.html
 === POST DATA =""
 {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}

Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (207623 => 207624)


--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl	2016-10-20 17:44:37 UTC (rev 207624)
@@ -19,7 +19,14 @@
 if ($cgi->param('enable-full-block-report')) {
     print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report.php?test=" . $cgi->param('test') . "\n";
 }
+if ($cgi->param('enable-report-with-redirect')) {
+    print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
+if ($cgi->param('enable-full-block-report-with-redirect')) {
+    print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
 
+
 if ($cgi->param('valid-header')) {
     if ($cgi->param('valid-header') == 1) {
         print "X-XSS-Protection:   1  ;MoDe =  bLocK   \n";
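Review bot: the hunk leaves two consecutive blank lines after the new if blocks; drop one to match the single-blank-line separation used elsewhere in the file. The four X-XSS-Protection branches now differ only in the `mode=block;` fragment and the report path, so a small helper taking (mode, report target) would remove the copy-paste and make the next variant harder to get wrong. The new lines also repeat the existing pattern of interpolating `$cgi->param('test')` raw into a response header; URL-encoding it would keep a stray newline in the parameter from splitting the header, even on a test server.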
@@ -128,7 +135,7 @@
     print "    testRunner.notifyDone();\n";
     print "</script>\n";
 }
-if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report')) {
+if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report') || $cgi->param('enable-full-block-report-with-redirect')) {
     print "<p>If you see this message then the test FAILED.</p>\n";
 }
 if ($cgi->param('alert-cookie')) {

Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207623 => 207624)


--- branches/safari-602-branch/Source/WebCore/ChangeLog	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog	2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,45 @@
+2016-10-20  Daniel Bates  <daba...@apple.com>
+
+        Merge r206809. rdar://problem/28718761
+
+    2016-10-05  Daniel Bates  <daba...@apple.com>
+
+            Do not follow redirects when sending violation report
+            https://bugs.webkit.org/show_bug.cgi?id=162520
+            <rdar://problem/27957639>
+
+            Reviewed by Alex Christensen.
+
+            Do not follow redirects when sending a Content Security Policy or XSS Auditor violation report
+            as redirects can be used to forward report details to a third-party.
+
+            This changes makes WebKit more closely conform to the reporting requirements in section Reporting
+            of the Content Security Level 2 standard: <https://w3c.github.io/webappsec-csp/2/#violation-reports>
+            (Editor's Draft, 25 April 2016).
+
+            Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+                   http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+                   http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+
+            * loader/LoaderStrategy.h: Modified createPingHandle() to take a boolean, shouldFollowRedirects,
+            whether to follow redirect responses for a ping request.
+            * loader/PingLoader.cpp:
+            (WebCore::PingLoader::loadImage): Pass ShouldFollowRedirects::Yes to PingLoader::startPingLoad to
+            keep our current behavior.
+            (WebCore::PingLoader::sendPing): Ditto. Note our current behavior of following redirects matches
+            the behavior described in the section "Hyperlink auditing" of the HTML standard:
+            <https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing> (23 September 2016).
+            (WebCore::PingLoader::sendViolationReport): Pass ShouldFollowRedirects::No to PingLoader::startPingLoad
+            so that we do not follow redirects when sending a violation report.
+            (WebCore::PingLoader::startPingLoad): Modified to take argument shouldFollowRedirects whether to
+            follow redirect responses for a ping request.
+            * loader/PingLoader.h:
+            * platform/network/PingHandle.h: Add boolean m_shouldFollowRedirects. I grouped this boolean with
+            the existing boolean, m_shouldUseCredentialStorage, as opposed to appending to the end of the class
+            definition to avoid increasing object size as clang will coalesces the two bools into a single
+            machine word. Override ResourceHandleClient::willSendRequest() and ResourceHandleClient::willSendRequestAsync()
+            to follow a redirect, if applicable. 
+
 2016-10-20  Matthew Hanson  <matthew_hanson>
 
         Merge r206217. rdar://problem/28811877
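Review bot: a few wording fixes in the ChangeLog entry before it lands: "This changes makes WebKit" should be "This change makes WebKit", "Content Security Level 2" should be "Content Security Policy Level 2", "clang will coalesces" should be "clang will coalesce", and the PingHandle.h line ends with trailing whitespace after "if applicable.". The size argument is also slightly misstated: the compiler does not merge two bools into one word; placing `m_shouldFollowRedirects` next to `m_shouldUseCredentialStorage` lets it occupy padding that already followed the existing bool, which is the actual reason the object size does not grow.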

Modified: branches/safari-602-branch/Source/WebCore/loader/LoaderStrategy.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebCore/loader/LoaderStrategy.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/loader/LoaderStrategy.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -59,7 +59,7 @@
     virtual void suspendPendingRequests() = 0;
     virtual void resumePendingRequests() = 0;
 
-    virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage) = 0;
+    virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) = 0;
 
 protected:
     virtual ~LoaderStrategy();
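Review bot: createPingHandle() now takes two adjacent bool parameters (`shouldUseCredentialStorage, shouldFollowRedirects`), which invites silently swapped arguments at call sites and in every LoaderStrategy override; PingLoader.h already introduces `enum class ShouldFollowRedirects { No, Yes }` for exactly this reason, so prefer passing that enum (moved to a header both sides can see) instead of collapsing it to a bool at the PingLoader boundary. Since this is a pure virtual, every port's LoaderStrategy implementation must change in lock-step; those implementations are not in the portion of the diff shown here, so double-check they are included in the merge.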

Modified: branches/safari-602-branch/Source/WebCore/loader/PingLoader.cpp (207623 => 207624)


--- branches/safari-602-branch/Source/WebCore/loader/PingLoader.cpp	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/loader/PingLoader.cpp	2016-10-20 17:44:37 UTC (rev 207624)
@@ -91,7 +91,7 @@
         request.setHTTPReferrer(referrer);
     frame.loader().addExtraFieldsToSubresourceRequest(request);
 
-    startPingLoad(frame, request);
+    startPingLoad(frame, request, ShouldFollowRedirects::Yes);
 }
 
 // http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#hyperlink-auditing
@@ -128,7 +128,7 @@
         }
     }
 
-    startPingLoad(frame, request);
+    startPingLoad(frame, request, ShouldFollowRedirects::Yes);
 }
 
 void PingLoader::sendViolationReport(Frame& frame, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType reportType)
@@ -170,10 +170,10 @@
     if (!referrer.isEmpty())
         request.setHTTPReferrer(referrer);
 
-    startPingLoad(frame, request);
+    startPingLoad(frame, request, ShouldFollowRedirects::No);
 }
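Review bot: this is the security-relevant line of the patch and it covers both CSP and XSS Auditor reports, since both arrive through sendViolationReport(); the distinction from sendPing() (which keeps following redirects per the hyperlink-auditing text) is worth a short comment here rather than only in the ChangeLog, so a future refactor does not re-merge the two paths. Also make sure that declining to follow the redirect actually terminates the ping (cancel the handle on the 3xx response) rather than leaving the connection open until PingHandle's timeout timer fires; the layout tests only check that the second request never arrives, not that the first one is closed promptly.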
 
-void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request)
+void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request, ShouldFollowRedirects shouldFollowRedirects)
 {
     unsigned long identifier = frame.page()->progress().createUniqueIdentifier();
     // FIXME: Why activeDocumentLoader? I would have expected documentLoader().
@@ -185,7 +185,7 @@
 
     InspectorInstrumentation::continueAfterPingLoader(frame, identifier, frame.loader().activeDocumentLoader(), request, ResourceResponse());
 
-    platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage);
+    platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage, shouldFollowRedirects == ShouldFollowRedirects::Yes);
 }
 
 }

Modified: branches/safari-602-branch/Source/WebCore/loader/PingLoader.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebCore/loader/PingLoader.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/loader/PingLoader.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -53,7 +53,8 @@
     static void sendViolationReport(Frame&, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType);
 
 private:
-    static void startPingLoad(Frame&, ResourceRequest&);
+    enum class ShouldFollowRedirects { No, Yes };
+    static void startPingLoad(Frame&, ResourceRequest&, ShouldFollowRedirects);
 };
 
 }

Modified: branches/safari-602-branch/Source/WebCore/platform/network/PingHandle.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebCore/platform/network/PingHandle.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/platform/network/PingHandle.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -43,9 +43,10 @@
         No,
     };
     
-    PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks)
+    PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks, bool shouldFollowRedirects)
         : m_timeoutTimer(*this, &PingHandle::timeoutTimerFired)
         , m_shouldUseCredentialStorage(shouldUseCredentialStorage)
+        , m_shouldFollowRedirects(shouldFollowRedirects)
         , m_usesAsyncCallbacks(useAsyncCallbacks)
     {
         m_handle = ResourceHandle::create(networkingContext, request, this, false, false);
@@ -56,6 +57,18 @@
     }
 
 private:
+    ResourceRequest willSendRequest(ResourceHandle*, ResourceRequest&& request, ResourceResponse&&) final
+    {
+        return m_shouldFollowRedirects ? request : ResourceRequest();
+    }
+    void willSendRequestAsync(ResourceHandle* handle, ResourceRequest&& request, ResourceResponse&&) final
+    {
+        if (m_shouldFollowRedirects) {
+            handle->continueWillSendRequest(WTFMove(request));
+            return;
+        }
+        delete this;
+    }
     void didReceiveResponse(ResourceHandle*, ResourceResponse&&) override { delete this; }
     void didReceiveBuffer(ResourceHandle*, Ref<SharedBuffer>&&, int) override { delete this; };
     void didFinishLoading(ResourceHandle*, double) override { delete this; }
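Review bot: the two no-follow paths handle object lifetime differently. `willSendRequestAsync` deletes the handle immediately, whereas `willSendRequest` returns an empty `ResourceRequest` and leaves the object alive, relying on a later `didFail`/`didFinishLoading` callback or on `m_timeoutTimer` to delete it. Please confirm that returning an empty request on the synchronous path is guaranteed to produce one of those callbacks; if it does not, the handle (and its `ResourceHandle`) lingers until the timer fires. A one-line comment on each branch saying who is responsible for deletion would make this easier to audit.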
@@ -76,6 +89,7 @@
     RefPtr<ResourceHandle> m_handle;
     Timer m_timeoutTimer;
     bool m_shouldUseCredentialStorage;
+    bool m_shouldFollowRedirects;
     UsesAsyncCallbacks m_usesAsyncCallbacks;
 };
 

Modified: branches/safari-602-branch/Source/WebKit/ChangeLog (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit/ChangeLog	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/ChangeLog	2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,23 @@
+2016-10-20  Daniel Bates  <daba...@apple.com>
+
+        Merge r206809. rdar://problem/28718761
+
+    2016-10-05  Daniel Bates  <daba...@apple.com>
+
+            Do not follow redirects when sending violation report
+            https://bugs.webkit.org/show_bug.cgi?id=162520
+            <rdar://problem/27957639>
+
+            Reviewed by Alex Christensen.
+
+            Update implementation of legacy WebKit loader strategy to pass through a boolean,
+            shouldFollowRedirects, to PingHandle as to whether to follow redirect responses
+            for a ping request.
+
+            * WebCoreSupport/WebResourceLoadScheduler.cpp:
+            (WebResourceLoadScheduler::createPingHandle):
+            * WebCoreSupport/WebResourceLoadScheduler.h:
+
 2016-07-14  Alex Christensen  <achristen...@webkit.org>
 
         Use SocketProvider to create SocketStreamHandles

Modified: branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp	2016-10-20 17:44:37 UTC (rev 207624)
@@ -375,9 +375,9 @@
     return m_requestsLoading.size() >= (webResourceLoadScheduler().isSerialLoadingEnabled() ? 1 : m_maxRequestsInFlight);
 }
 
-void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
+void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
 {
     // PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
-    new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No);
+    new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No, shouldFollowRedirects);
 }
 

Modified: branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -55,7 +55,7 @@
     void suspendPendingRequests() override;
     void resumePendingRequests() override;
 
-    void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
+    void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
 
     bool isSerialLoadingEnabled() const { return m_isSerialLoadingEnabled; }
     void setSerialLoadingEnabled(bool b) { m_isSerialLoadingEnabled = b; }

Modified: branches/safari-602-branch/Source/WebKit2/ChangeLog (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/ChangeLog	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/ChangeLog	2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,33 @@
+2016-10-20  Daniel Bates  <daba...@apple.com>
+
+        Merge r206809. rdar://problem/28718761
+
+    2016-10-05  Daniel Bates  <daba...@apple.com>
+
+            Do not follow redirects when sending violation report
+            https://bugs.webkit.org/show_bug.cgi?id=162520
+            <rdar://problem/27957639>
+
+            Reviewed by Alex Christensen.
+
+            Update the non-Network Session WebKit2 implementation to follow redirect responses for a ping
+            request, if applicable. I did not update the Network Session implementation at this time. I
+            will fix it in <https://bugs.webkit.org/show_bug.cgi?id=162580>.
+
+            * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+            (WebKit::NetworkConnectionToWebProcess::loadPing): Tell PingHandle whether to follow redirects.
+            * NetworkProcess/NetworkLoadParameters.h:
+            * NetworkProcess/NetworkResourceLoadParameters.cpp:
+            (WebKit::NetworkResourceLoadParameters::encode): Encode NetworkResourceLoadParameters::shouldFollowRedirects.
+            (WebKit::NetworkResourceLoadParameters::decode): Decode NetworkResourceLoadParameters::shouldFollowRedirects.
+            * NetworkProcess/PingLoad.h: Added FIXME comment to implement support for following redirects,
+            if applicable (for hyperlink auditing). See <https://bugs.webkit.org/show_bug.cgi?id=162580>
+            for more details.
+            * WebProcess/Network/WebLoaderStrategy.cpp:
+            (WebKit::WebLoaderStrategy::createPingHandle): Modified to take a boolean whether to follow
+            redirects responses and set NetworkResourceLoadParameters::shouldFollowRedirects as appropriate.
+            * WebProcess/Network/WebLoaderStrategy.h:
+
 2016-10-20  Matthew Hanson  <matthew_hanson>
 
         Merge r206413. rdar://problem/28744171

Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp	2016-10-20 17:44:37 UTC (rev 207624)
@@ -144,7 +144,7 @@
     RefPtr<NetworkingContext> context = RemoteNetworkingContext::create(loadParameters.sessionID, loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect);
 
     // PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
-    new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes);
+    new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes, loadParameters.shouldFollowRedirects);
 #endif
 }
 

Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -41,6 +41,7 @@
     WebCore::ContentSniffingPolicy contentSniffingPolicy { WebCore::SniffContent };
     WebCore::StoredCredentials allowStoredCredentials { WebCore::DoNotAllowStoredCredentials };
     WebCore::ClientCredentialPolicy clientCredentialPolicy { WebCore::DoNotAskClientForAnyCredentials };
+    bool shouldFollowRedirects { true };
     bool shouldClearReferrerOnHTTPSToHTTPRedirect { true };
     bool defersLoading { false };
     bool needsCertificateInfo { false };
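Review bot: `shouldFollowRedirects { true }` makes following redirects the default for any load that does not set the field explicitly, so a future ping caller that forgets it gets the permissive behaviour rather than the one chosen for violation reports. Since only `WebLoaderStrategy::createPingHandle` sets the field in this patch, consider defaulting to `false` (fail closed) or adding a comment noting that `true` exists to preserve hyperlink-auditing behaviour.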

Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp	2016-10-20 17:44:37 UTC (rev 207624)
@@ -75,6 +75,7 @@
     encoder.encodeEnum(contentSniffingPolicy);
     encoder.encodeEnum(allowStoredCredentials);
     encoder.encodeEnum(clientCredentialPolicy);
+    encoder << shouldFollowRedirects;
     encoder << shouldClearReferrerOnHTTPSToHTTPRedirect;
     encoder << defersLoading;
     encoder << needsCertificateInfo;
@@ -130,6 +131,8 @@
         return false;
     if (!decoder.decodeEnum(result.clientCredentialPolicy))
         return false;
+    if (!decoder.decode(result.shouldFollowRedirects))
+        return false;
     if (!decoder.decode(result.shouldClearReferrerOnHTTPSToHTTPRedirect))
         return false;
     if (!decoder.decode(result.defersLoading))
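Review bot: the decision not to follow redirects is made in the web process and taken at face value by the network process once decoded here (`loadParameters.shouldFollowRedirects` is passed straight through to `PingHandle` in NetworkConnectionToWebProcess.cpp), so the no-redirect guarantee for violation reports holds only as far as the web process is trusted. If that matters for the threat model, the network process could derive the flag from the kind of ping being sent instead of trusting the decoded value. The encode and decode insertions are at matching positions, so the wire format itself stays consistent.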

Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -50,6 +50,7 @@
 private:
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&& completionHandler) override
     {
+        // FIXME: Follow redirects for hyperlink auditing. See <https://bugs.webkit.org/show_bug.cgi?id=162580>.
         completionHandler({ });
         delete this;
     }
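Review bot: on this NetworkSession path the new FIXME documents that `shouldFollowRedirects` is not consulted at all: every redirect is cancelled via `completionHandler({ })` and the load is deleted. That is the safe outcome for violation reports, but hyperlink-auditing pings now behave differently between the two backends until bug 162580 lands. Consider saying in the comment that the flag is currently ignored here, so the inconsistency is discoverable from this file rather than only from the ChangeLog.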

Modified: branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp	2016-10-20 17:44:37 UTC (rev 207624)
@@ -331,7 +331,7 @@
     }
 }
 
-void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
+void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
 {
     // It's possible that call to createPingHandle might be made during initial empty Document creation before a NetworkingContext exists.
     // It is not clear that we should send ping loads during that process anyways.
@@ -347,6 +347,7 @@
     loadParameters.request = request;
     loadParameters.sessionID = webPage ? webPage->sessionID() : SessionID::defaultSessionID();
     loadParameters.allowStoredCredentials = shouldUseCredentialStorage ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+    loadParameters.shouldFollowRedirects = shouldFollowRedirects;
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = networkingContext->shouldClearReferrerOnHTTPSToHTTPRedirect();
 
     WebProcess::singleton().networkConnection().connection().send(Messages::NetworkConnectionToWebProcess::LoadPing(loadParameters), 0);

Modified: branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h (207623 => 207624)


--- branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h	2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h	2016-10-20 17:44:37 UTC (rev 207624)
@@ -55,7 +55,7 @@
     void suspendPendingRequests() override;
     void resumePendingRequests() override;
 
-    void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
+    void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
 
     WebResourceLoader* webResourceLoaderForIdentifier(ResourceLoadIdentifier identifier) const { return m_webResourceLoaders.get(identifier); }
     RefPtr<WebCore::NetscapePlugInStreamLoader> schedulePluginStreamLoad(WebCore::Frame&, WebCore::NetscapePlugInStreamLoaderClient&, const WebCore::ResourceRequest&);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
