Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,5 +1,60 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: Violation report should include HTTP status code and effective-directive of protected resource
+ https://bugs.webkit.org/show_bug.cgi?id=154288
+ <rdar://problem/24674982>
+ And
+ https://bugs.webkit.org/show_bug.cgi?id=115707
+ <rdar://problem/24383128>
+
+ Reviewed by Brent Fulgham.
+
+ Add new test http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html to ensure
+ that the CSP report property status-code is 0 when the protected document is delivered over HTTPS. Fix a
+ correctness issue in the result for test http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html
+ and update the expected results for the following tests now that the CSP violation report includes properties
+ status-code and effective-directive:
+ http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
+ http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
+ http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
+ http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
+
+ The rest of the changes to the expected results are cosmetic and reflect the difference in wording for inline
+ script violations between WebKit and Blink. We will consider adopting wording similar to Blink in
+ <https://bugs.webkit.org/show_bug.cgi?id=153242>.
+
+ * TestExpectations: Remove entries for tests that now pass. Add test http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php.
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html. The report-uri
+ directive is only honored when defined in a policy delivered via an HTTP header. We convert this
+ HTML file to a PHP script to be able to deliver a Content-Security-Policy HTTP header.
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
+ that the report includes properties status-code and effective-directive.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Update expected result now
+ that the report includes properties status-code and effective-directive.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
+ that the report includes properties status-code and effective-directive.
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html: Fix ill-formed markup; substitute </iframe> for </script>.
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt: Cosmetic change.
+ * http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt: Ditto.
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
CSP: report-url directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154307
<rdar://problem/24684817>
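Review bot: the test name in the description is wrong: "report-blocked-file-uri.html" should be "report-blocked-file-uri.php", which is the file named in the per-file list below and in TestExpectations. The per-file entry for report-blocked-file-uri-expected.txt then says "Ditto" under "Cosmetic change", while the paragraph above calls the same result a correctness fix; make the per-file line say which it is. Minor: the bare "And" line between the two bug pairs reads better folded into a sentence ("This also fixes ...").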
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:26:03 UTC (rev 197083)
@@ -803,14 +803,12 @@
# Content Security Policy failures
webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php [ Failure ]
-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php [ Failure ]
-webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php [ Failure ]
webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
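Review bot: the removed entries for report-cross-origin-no-cookies.php and report-same-origin-with-cookies.php also cite webkit.org/b/115702, which the ChangeLog never mentions; deleting them asserts that bug is fixed too, so either reference it in the ChangeLog or keep the two lines under b/115702 alone. The new [ Pass ] override for report-uri-effective-directive.php is needed because the whole 1.1 directory is expected to fail under b/85558 and follows the child-src precedent on the line above it.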
@@ -829,19 +827,8 @@
webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
-webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
-webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only-from-header.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-and-enforce.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php [ Failure ]
+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
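Review bot: report-multiple-violations-01.html and -02.html stay [ Failure ] with only b/153162 retained, so they are not "tests that now pass" as the ChangeLog's TestExpectations entry claims; describe the dropped b/154288 reference on those two lines separately from the removals.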
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,8 +1,8 @@
-CONSOLE MESSAGE: line 7: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-L3uuqigJSGd8GNknRL52DwyzzMGSUwfFRHXvGFby0oM='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
+CONSOLE MESSAGE: line 4: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
CSP report received:
CONTENT_TYPE: application/csp-report
-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html","referrer":"","violated-directive":"default-src 'self'","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.php","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php","referrer":"","violated-directive":"default-src 'self'","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.php","blocked-uri":"","status-code":200}}
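Review bot: the console message moves from line 7 to line 4 without explanation; it holds only because the three-line <?php ... ?> prologue in the new .php emits nothing (PHP swallows the single newline after ?>), so <!DOCTYPE html> is line 1 and the inline <script> is line 4 of the served document. Worth a comment in the .php, since a blank line added after ?> would shift this expectation.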
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'; report-uri ../resources/save-report.php">
-</head>
-<body>
- <script>
- // This script block will trigger a violation report.
- alert('FAIL');
- </script>
- <script src=""
-</body>
-</html>
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php (from rev 197082, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html) (0 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php 2016-02-25 10:26:03 UTC (rev 197083)
@@ -0,0 +1,13 @@
+<?php
+ header("Content-Security-Policy: default-src 'self'; report-uri ../resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+ <script>
+ // This script block will trigger a violation report.
+ alert('FAIL');
+ </script>
+ <script src=""
+</body>
+</html>
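Review bot: the relative report-uri ("../resources/save-report.php") is resolved by the browser against the document URL, so it only works while this file stays in the 1.1/ directory; the other tests in this change use an absolute path (/security/contentSecurityPolicy/resources/save-report.php), which survives a move. header() is correctly placed before any output, and the blank line after the prologue must not be added, as the expected result depends on the script block being on line 4.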
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,6 +1,6 @@
-CONSOLE MESSAGE: line 14: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
-CONSOLE MESSAGE: line 11: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YQwmkO9U3gKLwAFFj9h7BeOrJNIo50emf5tmL1p32RY='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 9: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
ALERT: PASS
CSP report received:
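Review bot: the img-src message loses its "line 14:" prefix (the same happens in report-blocked-data-uri, report-blocked-uri, report-blocked-uri-cross-origin, report-cross-origin-no-cookies and report-same-origin-with-cookies), but the ChangeLog only explains the wording difference for inline script violations. If the old prefixes were Blink-era output WebKit never produced, say so in the ChangeLog; if WebKit stopped attaching a line number to image-load violations, that is a behaviour change rather than a cosmetic one.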
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 8: Refused to load the image '' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: Refused to load the image '' because it violates the following Content Security Policy directive: "img-src 'none'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -5,4 +5,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","line-number":9}}
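Review bot: this result gains source-file and line-number keys while the inline-script reports in the same change (report-uri-effective-directive, report-status-code-zero-when-using-https) do not; state the rule in the ChangeLog, presumably that a script-initiated load has a JavaScript caller to attribute whereas a blocked inline block does not, so a later reader does not treat the two expectations as inconsistent.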
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 4: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 4: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 18: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -3,4 +3,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -3,4 +3,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 3: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-MbVeEjw3Zzj1MNUWQYXDtxD7K2xZqa56QKGb3hkp9DY='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
ALERT: PASS
CSP report received:
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-MbVeEjw3Zzj1MNUWQYXDtxD7K2xZqa56QKGb3hkp9DY='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
ALERT: PASS
CSP report received:
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -3,4 +3,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 18: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -4,4 +4,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (0 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -0,0 +1,15 @@
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+
+This tests that the status-code is 0 in the Content Security Policy violation report for a protected resource delivered over HTTPS.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"","status-code":0}}
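Review bot: the status-code of 0 follows the CSP Level 2 rule that status-code carries the HTTP status only when the protected resource was obtained over HTTP and is 0 otherwise; cite that in the test's description or ChangeLog so nobody later "fixes" it to 200. Note also that the report's referrer is the http://127.0.0.1:8000 parent page while HTTP_REFERER on the POST is the https:// frame document, which is the expected pair for an http-to-https child frame.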
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html (0 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html 2016-02-25 10:26:03 UTC (rev 197083)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that the status-code is 0 in the Content Security Policy violation report for a protected resource delivered over HTTPS.</p>
+<!-- window.testRunner.notifyDone() will be ultimately called by generate-csp-report.php. -->
+<iframe src=""
+</body>
+</html>
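Review bot: the page relies entirely on generate-csp-report.php calling testRunner.notifyDone(); if the https 8443 server is down or the frame fails to load there is no local fallback, so the test only ends at the harness timeout. The iframe src appears empty in this rendering, but from the expected result the frame must load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html; confirm the attribute is intact in the committed file.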
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 3: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
CSP report received:
CONTENT_TYPE: application/csp-report
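Review bot: besides dropping the hash/nonce hint, the new console message moves the reported violation from "line 3" to "line 1". The LayoutTests ChangeLog describes these expectation changes as wording differences only, so a sentence explaining why the reported line number changed (or a pointer to the change responsible) would make this expectation easier to review.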
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html 2016-02-25 10:26:03 UTC (rev 197083)
@@ -2,4 +2,4 @@
if (window.testRunner)
testRunner.dumpChildFramesAsText();
</script>
-<iframe src=""
+<iframe src=""
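Review bot: as rendered here the removed and added `<iframe src=""` lines are identical, so the actual change to the iframe's src cannot be verified from this hunk; please state in the ChangeLog what the src was changed to and why, since the visible part of the commit message does not mention this file.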
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-_javascript_-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -5,4 +5,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-_javascript_.php","line-number":7}}
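Review bot: this expectation gains `"source-file"` and `"line-number"` in the report, but the commit message only announces `status-code` and `effective-directive`. The context lines at the end of the ContentSecurityPolicy.cpp hunk show the call-stack lookup (`stack->firstNonNativeCallFrame()`, `callFrame->lineNumber()`) that feeds these properties, yet no visible change enables it, so please document what makes them appear now and confirm it is intended rather than a side effect of removing the ENABLE(CSP_NEXT) guard.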
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-_javascript_-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -5,4 +5,4 @@
HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php
REQUEST_METHOD: POST
=== POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-_javascript_.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js","line-number":3}}
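Review bot: same documentation gap as for report-uri-from-inline-javascript-expected.txt: `"source-file"` and `"line-number"` are new here, and the report now attributes the violation to resources/inject-image.js line 3 rather than to the document; a sentence in the ChangeLog on why these two properties now surface would help reviewers judge whether the attribution is the one intended.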
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 3: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
CSP report received:
CONTENT_TYPE: application/csp-report
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:26:03 UTC (rev 197083)
@@ -1,5 +1,28 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: Violation report should include HTTP status code and effective-directive of protected resource
+ https://bugs.webkit.org/show_bug.cgi?id=154288
+ <rdar://problem/24674982>
+ And
+ https://bugs.webkit.org/show_bug.cgi?id=115707
+ <rdar://problem/24383128>
+
+ Reviewed by Brent Fulgham.
+
+ Include status-code and effective-directive in the Content Security Policy violation report for
+ the HTTP status code of the protected resource and name of the policy directive that was violated,
+ respectively, as per section Reporting of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Test: http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportViolation): Add key status-code to the report with value
+ equal to the HTTP response code for the document or 0 depending on whether the document was
+ delivered over HTTP or not. Additionally, remove ENABLE(CSP_NEXT)-guard/experimentalFeaturesEnabled()-condition
+ around code to include the effective-directive property in the report.
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
CSP: report-url directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154307
<rdar://problem/24684817>
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197082 => 197083)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 10:25:12 UTC (rev 197082)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 10:26:03 UTC (rev 197083)
@@ -33,6 +33,7 @@
#include "ContentSecurityPolicySourceList.h"
#include "DOMStringList.h"
#include "Document.h"
+#include "DocumentLoader.h"
#include "FormData.h"
#include "FormDataList.h"
#include "Frame.h"
@@ -381,15 +382,13 @@
cspReport->setString(ASCIILiteral("document-uri"), document.url().strippedForUseAsReferrer());
cspReport->setString(ASCIILiteral("referrer"), document.referrer());
cspReport->setString(ASCIILiteral("violated-directive"), directiveText);
-#if ENABLE(CSP_NEXT)
- if (experimentalFeaturesEnabled())
- cspReport->setString(ASCIILiteral("effective-directive"), effectiveDirective);
-#else
- UNUSED_PARAM(effectiveDirective);
-#endif
+ cspReport->setString(ASCIILiteral("effective-directive"), effectiveDirective);
cspReport->setString(ASCIILiteral("original-policy"), header);
cspReport->setString(ASCIILiteral("blocked-uri"), stripURLForUseInReport(document, blockedURL));
+ ASSERT(document.loader());
+ cspReport->setInteger(ASCIILiteral("status-code"), document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0);
+
RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
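Review bot: the new status-code line both asserts `document.loader()` is non-null and then null-checks it again in the ternary; pick one. If the loader can legitimately be null at report time, the ASSERT will fire in debug builds and should go; if it cannot, the `&& document.loader()` is dead weight. As written, release builds keep only the null check, so the 0 fallback silently covers a null-loader case that the ChangeLog attributes solely to documents not delivered over HTTP. The ternary is also hard to read on one long line; suggest a local, e.g. `int statusCode = 0;` / `if (document.url().protocolIs("http") && document.loader()) statusCode = document.loader()->response().httpStatusCode();` / `cspReport->setInteger(ASCIILiteral("status-code"), statusCode);`. Finally, `protocolIs("http")` deliberately excludes https, matching the new report-status-code-zero-when-using-https test and the CSP 2.0 Reporting wording cited in the ChangeLog; a brief comment at the call site would stop a later reader from mistaking it for a missed `https` case.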