CSP: Update violation report 'Content-Type' header
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 23:22:19 +0000 (23:22 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 23:22:19 +0000 (23:22 +0000)
commit0307fc76d82b8095157befe83a49c3cc4f73beda
tree32c3f0b4643e3192fa175b7bdcadcddd6dd25c06
parent8e09d766642fec6cf7b194e24f61cb75e528be9f
CSP: Update violation report 'Content-Type' header
https://bugs.webkit.org/show_bug.cgi?id=153166
<rdar://problem/24383327>

Reviewed by Brent Fulgham.

Source/WebCore:

Inspired by Blink patch:
<https://src.chromium.org/viewvc/blink?view=rev&revision=154215>

Post the Content Security Policy violation report with Content-Type application/csp-report as
per section Reporting of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.

Currently we post CSP violation reports with Content-Type application/json.

* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript): Use report type ViolationReportType::XSSAuditor to PingLoader.
* loader/PingLoader.cpp:
(WebCore::PingLoader::sendViolationReport): Modified to take argument of type ViolationReportType
to determine the appropriate Content-Type header to use for the report. For a XSS Auditor violation report
we use Content-Type application/json. For a Content Security Policy violation report we use Content-Type
application/csp-report. Additionally, pass a ASCIILiteral() to ResourceRequestBase::setHTTPMethod()
as opposed to a constant string literal to avoid a copy of a constant string literal.
* loader/PingLoader.h: Add enum class ViolationReportType.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation): Use report type ViolationReportType::ContentSecurityPolicy.

LayoutTests:

Update expected results now that we post the Content Security Policy violation report with
Content-Type application/csp-report.

* TestExpectations: Update associated bugs for entries that still fail.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Fix up HTTP_REFERER and csp-report
to reflect the correct value for HTTP_REFERER and the correct values for the report-uri and document-uri keys in the CSP
report JSON object.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196664 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditorDelegate.cpp
Source/WebCore/loader/PingLoader.cpp
Source/WebCore/loader/PingLoader.h
Source/WebCore/page/csp/ContentSecurityPolicy.cpp