Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,75 @@
+2016-10-20 Daniel Bates <daba...@apple.com>
+
+ Merge r206809. rdar://problem/28718761
+
+ 2016-10-05 Daniel Bates <daba...@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Add tests for Content Security Policy and XSS Auditor to ensure that we do not follow redirects
+ when sending a violation report. Modified http/tests/security/contentSecurityPolicy/resources/save-report.php
+ to save the URL of the original ping request and conditionally clear cookies. Modified
+ http/tests/security/xssAuditor/resources/echo-intertag.pl to support testing for the XSS Auditor.
+ These changes together with the existing HTTP Host information that is saved with the report we can detect
+ if a redirect occurred when saving a report.
+
+ Updated expected results of existing tests now that we emit the URL of the ping request in the saved report.
+
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+ * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html: Added.
+ * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html: Added.
+ * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+
2016-10-20 Matthew Hanson <matthew_hanson>
Merge r206217. rdar://problem/28811877
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
=== POST DATA =""
{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-f
rame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
=== POST DATA =""
{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report
-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-fra
me-ancestors-same-origin.html&q=FAIL","status-code":0}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CSP report received:
CONTENT_TYPE: application/csp-report
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
=== POST DATA =""
{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-f
rame-ancestors-same-origin.html&q=FAIL","status-code":0}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php","referrer":"","violated-directive":"default-src 'self'","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -5,5 +5,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","line-number":9,"column-number":26}}
Added: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Added: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,25 @@
+<?php
+header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<img src="" <!-- Trigger CSP violation -->
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+}
+
+// We assume that if redirects were followed when saving the report that they will complete within one second.
+// FIXME: Is there are better way to test that a redirect did not occur?
+window.setTimeout(navigateToReport, 1000);
+</script>
+</body>
+</html>
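Review bot: The pass/fail decision in this test hinges on the fixed delay at `window.setTimeout(navigateToReport, 1000)` (the FIXME above it acknowledges this): if a followed redirect landed only after the navigation to echo-report.php, the dumped report would still show save-report-and-redirect-to-save-report.php as the REQUEST_URI and the test would pass falsely on a slow or loaded server. A less timing-sensitive check would be to have the redirect target write its own distinct marker into the saved-report store and have the dumper state whether that marker is present, so a followed redirect fails the test whenever it lands; echo-report.php and save-report-and-redirect-to-save-report.php are not shown in this chunk, so I can't tell whether they already support that. Separately, `<img src="" <!-- Trigger CSP violation -->` shows an empty src here while the expected output above reports blocked-uri http://127.0.0.1:8000/security/resources/abe.png — most likely a rendering artifact of this page, but worth confirming the committed markup actually references abe.png, since an empty src would not produce that report.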
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -5,5 +5,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -2,5 +2,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -4,5 +4,6 @@
HTTP_COOKIE: hello=world
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
HTTP_COOKIE: hello=world
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
=== POST DATA =""
{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"","status-code":0}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -8,5 +8,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"","status-code":200}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","line-number":7,"column-number":10}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js","line-number":3,"column-number":2}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/csp-report
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
=== POST DATA =""
{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"","status-code":200}}
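--- a/branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php
+++ b/branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php
@@ -0,0 +1,9 @@
+<?php
+require_once "report-file-path.php";
+
+$DO_NOT_CLEAR_COOKIES = true; // Used by save-report.php
+require_once "save-report.php";
+
+header("HTTP/1.1 307");
+header("Location: save-report.php" . (isset($_SERVER["QUERY_STRING"]) ? "?" . $_SERVER["QUERY_STRING"] : ""));
+?>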
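Review bot: `isset($_SERVER["QUERY_STRING"])` on the `Location:` line is also true when the query string is present but empty, which most SAPIs report as `""` rather than unset, so such a request would be redirected to `save-report.php?`; `$_SERVER["QUERY_STRING"] !== ""` is the check the ternary wants. Because the query string is request input copied into a response header, the fixture relies on PHP's `header()` refusing values that contain CR or LF; a one-line comment saying so saves the next reader from re-checking. `$DO_NOT_CLEAR_COOKIES = true;` is a contract with `save-report.php`, which reads the global after the include, and `// Used by save-report.php` would be clearer as `// Read by save-report.php: leave this request's cookies intact instead of expiring them.`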
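--- a/branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php
+++ b/branches/safari-602-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php
@@ -11,17 +11,19 @@
 $httpHeaders = $_SERVER;
 ksort($httpHeaders, SORT_STRING);
 foreach ($httpHeaders as $name => $value) {
- if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
+ if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "REQUEST_URI") {
 $value = undoMagicQuotes($value);
 fwrite($reportFile, "$name: $value\n");
 }
 }
-foreach ($_COOKIE as $name => $value)
- setcookie($name, "deleted", time() - 60, "/");
-
 fwrite($reportFile, "=== POST DATA =""
 fwrite($reportFile, file_get_contents("php://input"));
 fclose($reportFile);
 rename($reportFilePath . ".tmp", $reportFilePath);
+
+if (!isset($DO_NOT_CLEAR_COOKIES) || !$DO_NOT_CLEAR_COOKIES) {
+ foreach ($_COOKIE as $name => $value)
+ setcookie($name, "deleted", time() - 60, "/");
+}
 ?>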
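Review bot: The guard around the moved cookie-clearing loop reads `$DO_NOT_CLEAR_COOKIES`, a global that nothing in this file declares and that only an including script sets before its `require_once`, so the guard should carry a comment stating that contract, e.g. `// An including script (save-report-and-redirect-to-save-report.php) may set $DO_NOT_CLEAR_COOKIES before including this file to keep the request's cookies.` The condition can be written `if (empty($DO_NOT_CLEAR_COOKIES))`, which covers unset, null and false in one test. Moving the `setcookie` calls after the `rename` is fine as long as nothing earlier in the file has produced output, since `setcookie` must run before any body is sent; the lines above the hunk are not visible here, so that is worth confirming.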
Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA =""
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+ function navigateToReport() {
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+ }
+ // We assume that if redirects were followed when saving the report that they will complete within one second.
+ // FIXME: Is there are better way to test that a redirect did not occur?
+ window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" name="frame" src="" you see this message, no _javascript_ alert(), and a dump of the report below, then the test PASSED.</p>" _onload_="done()">
+</iframe>
+</body>
+</html>
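Review bot: `done()` is driven by the iframe's `onload`, but the XSS Auditor report is sent by a separate ping load, so the fixed 1 s `setTimeout` races both the report being written and the redirect the test wants to rule out; the FIXME on the same lines already admits this, and having the page poll `echo-report.php` until a report is present would remove the timing dependence. The file calls `testRunner.waitUntilDone()` but never `notifyDone()`, so presumably `echo-report.php` ends the test; a comment next to `navigateToReport` saying `// echo-report.php dumps the saved report and calls testRunner.notifyDone().` would make that visible, if that is indeed what it does. The second new test, report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html, duplicates this script verbatim and has the same timing dependence.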
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag.html
=== POST DATA =""
{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA =""
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
Added: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html (0 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html 2016-10-20 17:44:37 UTC (rev 207624)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+ function navigateToReport() {
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+ }
+ // We assume that if redirects were followed when saving the report that they will complete within one second.
+ // FIXME: Is there are better way to test that a redirect did not occur?
+ window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" src="" you see this message, no _javascript_ alert(), and a dump of the report below, then the test PASSED.</p>" _onload_="done()">
+</iframe>
+</body>
+</html>
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -3,5 +3,6 @@
CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-full-block.html
=== POST DATA =""
{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt (207623 => 207624)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt 2016-10-20 17:44:37 UTC (rev 207624)
@@ -10,5 +10,6 @@
CONTENT_TYPE: application/json
HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-replace-state.html
=== POST DATA =""
{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
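--- a/branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
+++ b/branches/safari-602-branch/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
@@ -19,7 +19,14 @@
 if ($cgi->param('enable-full-block-report')) {
 print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report.php?test=" . $cgi->param('test') . "\n";
 }
+if ($cgi->param('enable-report-with-redirect')) {
+ print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
+if ($cgi->param('enable-full-block-report-with-redirect')) {
+ print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
+
 if ($cgi->param('valid-header')) {
 if ($cgi->param('valid-header') == 1) {
 print "X-XSS-Protection: 1 ;MoDe = bLocK \n";
@@ -128,7 +135,7 @@
 print " testRunner.notifyDone();\n";
 print "</script>\n";
 }
-if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report')) {
+if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report') || $cgi->param('enable-full-block-report-with-redirect')) {
 print "<p>If you see this message then the test FAILED.</p>\n";
 }
 if ($cgi->param('alert-cookie')) {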
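Review bot: The two new branches repeat the `report=` header construction that the existing `enable-report` and `enable-full-block-report` branches already have, so four near-identical `print` lines now differ only in the report path and the `mode=block;` token; a small helper taking a "block" flag and the report path, and appending `?test=` and the `test` parameter, would keep the format in one place. The `||` chain in the second hunk grows with every new mode; `if (grep { $cgi->param($_) } qw(enable-full-block enable-full-block-report enable-full-block-report-with-redirect)) {` reads the same and scales. As in the existing branches, the `test` parameter is interpolated into a raw header line without stripping CR/LF, which CGI.pm's `param` does not do for you; the helper would be the natural place to sanitize it. Both enclosing blocks start and end outside the hunks.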
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207623 => 207624)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,45 @@
+2016-10-20 Daniel Bates <daba...@apple.com>
+
+ Merge r206809. rdar://problem/28718761
+
+ 2016-10-05 Daniel Bates <daba...@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Do not follow redirects when sending a Content Security Policy or XSS Auditor violation report
+ as redirects can be used to forward report details to a third-party.
+
+ This changes makes WebKit more closely conform to the reporting requirements in section Reporting
+ of the Content Security Level 2 standard: <https://w3c.github.io/webappsec-csp/2/#violation-reports>
+ (Editor's Draft, 25 April 2016).
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+ http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+ http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+
+ * loader/LoaderStrategy.h: Modified createPingHandle() to take a boolean, shouldFollowRedirects,
+ whether to follow redirect responses for a ping request.
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::loadImage): Pass ShouldFollowRedirects::Yes to PingLoader::startPingLoad to
+ keep our current behavior.
+ (WebCore::PingLoader::sendPing): Ditto. Note our current behavior of following redirects matches
+ the behavior described in the section "Hyperlink auditing" of the HTML standard:
+ <https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing> (23 September 2016).
+ (WebCore::PingLoader::sendViolationReport): Pass ShouldFollowRedirects::No to PingLoader::startPingLoad
+ so that we do not follow redirects when sending a violation report.
+ (WebCore::PingLoader::startPingLoad): Modified to take argument shouldFollowRedirects whether to
+ follow redirect responses for a ping request.
+ * loader/PingLoader.h:
+ * platform/network/PingHandle.h: Add boolean m_shouldFollowRedirects. I grouped this boolean with
+ the existing boolean, m_shouldUseCredentialStorage, as opposed to appending to the end of the class
+ definition to avoid increasing object size as clang will coalesces the two bools into a single
+ machine word. Override ResourceHandleClient::willSendRequest() and ResourceHandleClient::willSendRequestAsync()
+ to follow a redirect, if applicable.
+
2016-10-20 Matthew Hanson <matthew_hanson>
Merge r206217. rdar://problem/28811877
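--- a/branches/safari-602-branch/Source/WebCore/loader/LoaderStrategy.h
+++ b/branches/safari-602-branch/Source/WebCore/loader/LoaderStrategy.h
@@ -59,7 +59,7 @@
 virtual void suspendPendingRequests() = 0;
 virtual void resumePendingRequests() = 0;
- virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage) = 0;
+ virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) = 0;
 protected:
 virtual ~LoaderStrategy();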
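Review bot: `createPingHandle` now takes two adjacent `bool` parameters, `shouldUseCredentialStorage` and `shouldFollowRedirects`, which a call site can transpose without any compiler complaint; `PingLoader::startPingLoad` already has the typed `ShouldFollowRedirects` value and converts it back to a bool with `shouldFollowRedirects == ShouldFollowRedirects::Yes` at its `createPingHandle` call, and `PingHandle` and `WebResourceLoadScheduler::createPingHandle` take the bool from there. Moving `enum class ShouldFollowRedirects { No, Yes };` out of PingLoader's private section into a header both sides include and passing it through unchanged would keep every call self-describing. The same applies to the pre-existing credential-storage bool, though that is outside this change.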
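--- a/branches/safari-602-branch/Source/WebCore/loader/PingLoader.cpp
+++ b/branches/safari-602-branch/Source/WebCore/loader/PingLoader.cpp
@@ -91,7 +91,7 @@
 request.setHTTPReferrer(referrer);
 frame.loader().addExtraFieldsToSubresourceRequest(request);
- startPingLoad(frame, request);
+ startPingLoad(frame, request, ShouldFollowRedirects::Yes);
 }
 // http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#hyperlink-auditing
@@ -128,7 +128,7 @@
 }
 }
- startPingLoad(frame, request);
+ startPingLoad(frame, request, ShouldFollowRedirects::Yes);
 }
 void PingLoader::sendViolationReport(Frame& frame, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType reportType)
@@ -170,10 +170,10 @@
 if (!referrer.isEmpty())
 request.setHTTPReferrer(referrer);
- startPingLoad(frame, request);
+ startPingLoad(frame, request, ShouldFollowRedirects::No);
 }
-void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request)
+void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request, ShouldFollowRedirects shouldFollowRedirects)
 {
 unsigned long identifier = frame.page()->progress().createUniqueIdentifier();
 // FIXME: Why activeDocumentLoader? I would have expected documentLoader().
@@ -185,7 +185,7 @@
 InspectorInstrumentation::continueAfterPingLoader(frame, identifier, frame.loader().activeDocumentLoader(), request, ResourceResponse());
- platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage);
+ platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage, shouldFollowRedirects == ShouldFollowRedirects::Yes);
 }
 }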
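--- a/branches/safari-602-branch/Source/WebCore/loader/PingLoader.h
+++ b/branches/safari-602-branch/Source/WebCore/loader/PingLoader.h
@@ -53,7 +53,8 @@
 static void sendViolationReport(Frame&, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType);
 private:
- static void startPingLoad(Frame&, ResourceRequest&);
+ enum class ShouldFollowRedirects { No, Yes };
+ static void startPingLoad(Frame&, ResourceRequest&, ShouldFollowRedirects);
 };
 }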
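--- a/branches/safari-602-branch/Source/WebCore/platform/network/PingHandle.h
+++ b/branches/safari-602-branch/Source/WebCore/platform/network/PingHandle.h
@@ -43,9 +43,10 @@
 No,
 };
- PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks)
+ PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks, bool shouldFollowRedirects)
 : m_timeoutTimer(*this, &PingHandle::timeoutTimerFired)
 , m_shouldUseCredentialStorage(shouldUseCredentialStorage)
+ , m_shouldFollowRedirects(shouldFollowRedirects)
 , m_usesAsyncCallbacks(useAsyncCallbacks)
 {
 m_handle = ResourceHandle::create(networkingContext, request, this, false, false);
@@ -56,6 +57,18 @@
 }
 private:
+ ResourceRequest willSendRequest(ResourceHandle*, ResourceRequest&& request, ResourceResponse&&) final
+ {
+ return m_shouldFollowRedirects ? request : ResourceRequest();
+ }
+ void willSendRequestAsync(ResourceHandle* handle, ResourceRequest&& request, ResourceResponse&&) final
+ {
+ if (m_shouldFollowRedirects) {
+ handle->continueWillSendRequest(WTFMove(request));
+ return;
+ }
+ delete this;
+ }
 void didReceiveResponse(ResourceHandle*, ResourceResponse&&) override { delete this; }
 void didReceiveBuffer(ResourceHandle*, Ref<SharedBuffer>&&, int) override { delete this; };
 void didFinishLoading(ResourceHandle*, double) override { delete this; }
@@ -76,6 +89,7 @@
 RefPtr<ResourceHandle> m_handle;
 Timer m_timeoutTimer;
 bool m_shouldUseCredentialStorage;
+ bool m_shouldFollowRedirects;
 UsesAsyncCallbacks m_usesAsyncCallbacks;
 };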
Modified: branches/safari-602-branch/Source/WebKit/ChangeLog (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/ChangeLog 2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,23 @@
+2016-10-20 Daniel Bates <daba...@apple.com>
+
+ Merge r206809. rdar://problem/28718761
+
+ 2016-10-05 Daniel Bates <daba...@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Update implementation of legacy WebKit loader strategy to pass through a boolean,
+ shouldFollowRedirects, to PingHandle as to whether to follow redirect responses
+ for a ping request.
+
+ * WebCoreSupport/WebResourceLoadScheduler.cpp:
+ (WebResourceLoadScheduler::createPingHandle):
+ * WebCoreSupport/WebResourceLoadScheduler.h:
+
2016-07-14 Alex Christensen <achristen...@webkit.org>
Use SocketProvider to create SocketStreamHandles
Modified: branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp 2016-10-20 17:44:37 UTC (rev 207624)
@@ -375,9 +375,9 @@
return m_requestsLoading.size() >= (webResourceLoadScheduler().isSerialLoadingEnabled() ? 1 : m_maxRequestsInFlight);
}
-void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
+void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
{
// PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
- new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No);
+ new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No, shouldFollowRedirects);
}
Modified: branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h 2016-10-20 17:44:37 UTC (rev 207624)
@@ -55,7 +55,7 @@
void suspendPendingRequests() override;
void resumePendingRequests() override;
- void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
+ void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
bool isSerialLoadingEnabled() const { return m_isSerialLoadingEnabled; }
void setSerialLoadingEnabled(bool b) { m_isSerialLoadingEnabled = b; }
Modified: branches/safari-602-branch/Source/WebKit2/ChangeLog (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/ChangeLog 2016-10-20 17:44:37 UTC (rev 207624)
@@ -1,3 +1,33 @@
+2016-10-20 Daniel Bates <daba...@apple.com>
+
+ Merge r206809. rdar://problem/28718761
+
+ 2016-10-05 Daniel Bates <daba...@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Update the non-Network Session WebKit2 implementation to follow redirect responses for a ping
+ request, if applicable. I did not update the Network Session implementation at this time. I
+ will fix it in <https://bugs.webkit.org/show_bug.cgi?id=162580>.
+
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::loadPing): Tell PingHandle whether to follow redirects.
+ * NetworkProcess/NetworkLoadParameters.h:
+ * NetworkProcess/NetworkResourceLoadParameters.cpp:
+ (WebKit::NetworkResourceLoadParameters::encode): Encode NetworkResourceLoadParameters::shouldFollowRedirects.
+ (WebKit::NetworkResourceLoadParameters::decode): Decode NetworkResourceLoadParameters::shouldFollowRedirects.
+ * NetworkProcess/PingLoad.h: Added FIXME comment to implement support for following redirects,
+ if applicable (for hyperlink auditing). See <https://bugs.webkit.org/show_bug.cgi?id=162580>
+ for more details.
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::WebLoaderStrategy::createPingHandle): Modified to take a boolean whether to follow
+ redirects responses and set NetworkResourceLoadParameters::shouldFollowRedirects as appropriate.
+ * WebProcess/Network/WebLoaderStrategy.h:
+
2016-10-20 Matthew Hanson <matthew_hanson>
Merge r206413. rdar://problem/28744171
Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp 2016-10-20 17:44:37 UTC (rev 207624)
@@ -144,7 +144,7 @@
RefPtr<NetworkingContext> context = RemoteNetworkingContext::create(loadParameters.sessionID, loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect);
// PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
- new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes);
+ new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes, loadParameters.shouldFollowRedirects);
#endif
}
Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h 2016-10-20 17:44:37 UTC (rev 207624)
@@ -41,6 +41,7 @@
WebCore::ContentSniffingPolicy contentSniffingPolicy { WebCore::SniffContent };
WebCore::StoredCredentials allowStoredCredentials { WebCore::DoNotAllowStoredCredentials };
WebCore::ClientCredentialPolicy clientCredentialPolicy { WebCore::DoNotAskClientForAnyCredentials };
+ bool shouldFollowRedirects { true };
bool shouldClearReferrerOnHTTPSToHTTPRedirect { true };
bool defersLoading { false };
bool needsCertificateInfo { false };
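Review bot: `bool shouldFollowRedirects { true }` makes the permissive behavior the default for every NetworkLoadParameters that is not explicitly configured, while the purpose of this change is to stop violation reports from following redirects. `WebLoaderStrategy::createPingHandle` assigns the field explicitly in a later hunk, so the default only governs other producers of these parameters, but a fail-closed default of `false` with the hyperlink-auditing path opting in would mean a forgotten assignment errs toward not following redirects. If `true` is kept to preserve the prior behavior of existing callers, a short comment saying so would help: `// Defaults to true to preserve the behavior of loads that predate this flag; violation-report pings set it to false.`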
Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp 2016-10-20 17:44:37 UTC (rev 207624)
@@ -75,6 +75,7 @@
encoder.encodeEnum(contentSniffingPolicy);
encoder.encodeEnum(allowStoredCredentials);
encoder.encodeEnum(clientCredentialPolicy);
+ encoder << shouldFollowRedirects;
encoder << shouldClearReferrerOnHTTPSToHTTPRedirect;
encoder << defersLoading;
encoder << needsCertificateInfo;
@@ -130,6 +131,8 @@
return false;
if (!decoder.decodeEnum(result.clientCredentialPolicy))
return false;
+ if (!decoder.decode(result.shouldFollowRedirects))
+ return false;
if (!decoder.decode(result.shouldClearReferrerOnHTTPSToHTTPRedirect))
return false;
if (!decoder.decode(result.defersLoading))
Modified: branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/NetworkProcess/PingLoad.h 2016-10-20 17:44:37 UTC (rev 207624)
@@ -50,6 +50,7 @@
private:
void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&& completionHandler) override
{
+ // FIXME: Follow redirects for hyperlink auditing. See <https://bugs.webkit.org/show_bug.cgi?id=162580>.
completionHandler({ });
delete this;
}
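Review bot: The FIXME records the missing support but not that the value carried in `NetworkLoadParameters::shouldFollowRedirects` is silently ignored on this path, so a reader tracing the flag may assume it is honored here. Extending the comment to `// FIXME: NetworkLoadParameters::shouldFollowRedirects is ignored here; follow redirects for hyperlink auditing. See <https://bugs.webkit.org/show_bug.cgi?id=162580>.` ties the two together. Since this path refuses every redirect, violation reports already get the intended behavior here regardless of the flag.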
Modified: branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp 2016-10-20 17:44:37 UTC (rev 207624)
@@ -331,7 +331,7 @@
}
}
-void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
+void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
{
// It's possible that call to createPingHandle might be made during initial empty Document creation before a NetworkingContext exists.
// It is not clear that we should send ping loads during that process anyways.
@@ -347,6 +347,7 @@
loadParameters.request = request;
loadParameters.sessionID = webPage ? webPage->sessionID() : SessionID::defaultSessionID();
loadParameters.allowStoredCredentials = shouldUseCredentialStorage ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+ loadParameters.shouldFollowRedirects = shouldFollowRedirects;
loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = networkingContext->shouldClearReferrerOnHTTPSToHTTPRedirect();
WebProcess::singleton().networkConnection().connection().send(Messages::NetworkConnectionToWebProcess::LoadPing(loadParameters), 0);
Modified: branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h (207623 => 207624)
--- branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h 2016-10-20 17:40:19 UTC (rev 207623)
+++ branches/safari-602-branch/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h 2016-10-20 17:44:37 UTC (rev 207624)
@@ -55,7 +55,7 @@
void suspendPendingRequests() override;
void resumePendingRequests() override;
- void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
+ void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
WebResourceLoader* webResourceLoaderForIdentifier(ResourceLoadIdentifier identifier) const { return m_webResourceLoaders.get(identifier); }
RefPtr<WebCore::NetscapePlugInStreamLoader> schedulePluginStreamLoad(WebCore::Frame&, WebCore::NetscapePlugInStreamLoaderClient&, const WebCore::ResourceRequest&);