CSP: report-uri directive should be ignored when contained in a policy defined via...
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Feb 2016 19:04:15 +0000 (19:04 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Feb 2016 19:04:15 +0000 (19:04 +0000)
commit 7b294abe06d804b0aef624278e189108f41dcc6f
tree 6060647635648fb8f93965de6c3d64f66862a1a3
parent 6e5dccba6e3df65642ef78d6338d24c2110f2f42
CSP: report-uri directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154307
<rdar://problem/24684817>

Reviewed by Brent Fulgham.

Source/WebCore:

The Content Security Policy report-uri directive should only be honored when defined via an HTTP header
as per section report-uri of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.

Currently we honor the report-uri directive when enforcing or monitoring a policy defined either via
an HTML meta element or an HTTP header. Instead we should only honor this directive when defined
via an HTTP header and log a message to the Web Inspector console to explain that the directive
was ignored as suggested in <https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element>.

Test: http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse): Modified to ignore the directive report-uri when
the Content Security Policy came from an HTML meta element.

LayoutTests:

Add new test http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html and rename and modify
existing tests to make them PHP scripts that emit a Content Security Policy HTTP header.

In addition, remove file http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html that
is no longer meaningful now that we do not honor the report-uri directive defined in a policy via a meta
element. Moreover, we have not made use of this file since <http://trac.webkit.org/changeset/176413>.

* TestExpectations: Update entries for renames.
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html.
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html.
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html.
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html.
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html.
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html.
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html.
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.html.
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript.html.
* http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html: Added.
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html: Removed.
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php: Added.
* http/tests/security/contentSecurityPolicy/report-uri.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html.
* http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html: Removed. For completeness, we have
not made use of this file since <http://trac.webkit.org/changeset/176413>.
* http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php:
* http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html.
* platform/wk2/TestExpectations: Update entries for renames.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196875 268f45cc-cd09-0410-ab3c-d52691b4dbfc
43 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html with 78% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html with 60% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html with 80% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html with 60% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html with 61% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html with 73% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html with 74% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html with 70% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html with 57% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html with 76% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html with 75% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html with 71% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.html with 72% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript.html with 55% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-in-meta-tag-ignored.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html with 56% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.php
LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.php [moved from LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.html with 79% similarity]
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
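The commit message above describes the parse-time rule this change adds to ContentSecurityPolicyDirectiveList::parse: when a policy is delivered through an HTML meta element, the report-uri directive is dropped and a console message explains why, while the same policy delivered through an HTTP header keeps it. The following is an added, self-contained C++ model of that rule written for this page; it is not WebCore's code, and the type names (PolicySource, ParsedPolicy), the parsePolicy function and the console message wording are assumptions made for illustration. It goes slightly beyond this commit in one place: the CSP 2.0 meta-element delivery section the commit links to lists frame-ancestors and sandbox alongside report-uri as directives that are not honored from a meta element, so the model ignores those as well; the commit itself only changes report-uri.

```cpp
// Added illustrative model of the "ignore report-uri when delivered via <meta>" rule.
// Not WebCore's implementation; names and console wording are assumptions.
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Where the policy came from. CSP2 honors every directive from a header,
// but not report-uri (and, per the spec's meta section, frame-ancestors
// and sandbox) from an HTML meta element.
enum class PolicySource { HTTPHeader, HTTPEquivMeta };

struct ParsedPolicy {
    std::map<std::string, std::string> directives; // lower-cased name -> raw value
    std::vector<std::string> consoleMessages;      // what a browser would log to the console
};

static std::string trim(const std::string& s)
{
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    auto begin = std::find_if(s.begin(), s.end(), notSpace);
    auto end = std::find_if(s.rbegin(), s.rend(), notSpace).base();
    return begin < end ? std::string(begin, end) : std::string();
}

static std::string toLower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Directives that CSP2 says must not be honored when the policy comes from <meta>.
// This commit only drops report-uri; the other two are from the spec section it cites.
static const std::set<std::string> kIgnoredInMeta = { "report-uri", "frame-ancestors", "sandbox" };

// Parse a serialized policy ("name value; name value; ...") the way CSP2 describes:
// split on ';', the first token of each directive is its case-insensitive name,
// duplicate names are ignored, and meta-only restrictions are applied.
ParsedPolicy parsePolicy(const std::string& policy, PolicySource source)
{
    ParsedPolicy result;
    std::stringstream stream(policy);
    std::string token;
    while (std::getline(stream, token, ';')) {
        token = trim(token);
        if (token.empty())
            continue;
        auto space = token.find_first_of(" \t");
        std::string name = toLower(token.substr(0, space));
        std::string value = space == std::string::npos ? std::string() : trim(token.substr(space));

        if (source == PolicySource::HTTPEquivMeta && kIgnoredInMeta.count(name)) {
            // Illustrative wording; the real console text is WebKit's, not shown on this page.
            result.consoleMessages.push_back("The Content Security Policy directive '" + name
                + "' is ignored when delivered via an HTML meta element.");
            continue;
        }
        if (result.directives.count(name)) {
            // CSP2: a repeated directive name is ignored; the first occurrence wins.
            result.consoleMessages.push_back("Ignoring duplicate Content Security Policy directive '" + name + "'.");
            continue;
        }
        result.directives[name] = value;
    }
    return result;
}

bool hasReportUri(const ParsedPolicy& parsed)
{
    return parsed.directives.count("report-uri") > 0;
}

int main()
{
    // Constructed sample policy; the report endpoint is a placeholder path.
    const std::string policy = "default-src 'self'; report-uri /csp-report";
    for (auto source : { PolicySource::HTTPHeader, PolicySource::HTTPEquivMeta }) {
        ParsedPolicy parsed = parsePolicy(policy, source);
        std::cout << (source == PolicySource::HTTPHeader ? "header" : "meta")
                  << ": report-uri " << (hasReportUri(parsed) ? "honored" : "ignored") << "\n";
        for (const auto& message : parsed.consoleMessages)
            std::cout << "  console: " << message << "\n";
    }
    return 0;
}
```

Running it shows the asymmetry the new layout test (report-uri-in-meta-tag-ignored.html) checks: the header-delivered policy keeps report-uri and logs nothing, while the meta-delivered copy of the same policy drops report-uri, keeps default-src, and emits one console message. This is also why the commit converts the existing report-uri tests to PHP scripts: after this change, only a policy sent as an HTTP header can make the browser post a violation report.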