CSP: Ignore report-only policy delivered via meta element
author    dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Thu, 14 Apr 2016 16:48:05 +0000 (16:48 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Thu, 14 Apr 2016 16:48:05 +0000 (16:48 +0000)
commit    f81e81acec444c4ac2b7520692d9db41d3d17a1b
tree      4cd29e14e3b6cf66353738a45f3c389bd170f4a9
parent    97bacaff825ada3f894dc71d35d544bc93d5cea2
CSP: Ignore report-only policy delivered via meta element
https://bugs.webkit.org/show_bug.cgi?id=156565
<rdar://problem/25718167>

Reviewed by Brent Fulgham.

Source/WebCore:

Only honor a report-only policy delivered via the HTTP header Content-Security-Policy-Report-Only
or X-WebKit-CSP-Report-Only as per section Content-Security-Policy-Report-Only Header Field of
the Content Security Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).

Currently we honor a report-only policy delivered via a meta element or an HTTP header. Instead
we should only honor such a policy when delivered via an HTTP header.

Tests: http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
       http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
       http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
       http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php
       http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php
       http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Do not process policy for HTTP equivalent header
Content-Security-Policy-Report-Only and X-WebKit-CSP-Report-Only.

LayoutTests:

Add new test LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
to ensure that we ignore X-WebKit-CSP-Report-Only when delivered via a meta element.

Rename test report-multiple-violations-0{1, 2}.html and eval-allowed-in-report-only-mode-and-sends-report.html
to report-multiple-violations-0{1, 2}.php and eval-allowed-in-report-only-mode-and-sends-report.php, respectively,
so that we can make use of PHP to deliver the report-only policy via an HTTP header instead of via a meta element
as the latter is no longer supported. Additionally, fix up code style in some tests to make them more
consistent with the code style we use for tests.

* TestExpectations: Update some entries due to renaming and mark tests reportonly-in-meta-ignored.html
and reportonly-in-meta-ignored2.html as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html:
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html: Added.
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html.
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt:
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html.
* http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html.
* http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html.
* http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html: Removed.
* http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
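The rule this commit implements, as an added JavaScript example that is not WebKit code and not taken from Document.cpp: a small model of a CSP Level 2 user agent deciding which delivered policies to honor based on where each one came from. A report-only policy is honored only when it arrives in the Content-Security-Policy-Report-Only header (or the legacy X-WebKit-CSP-Report-Only header the commit also names); the same name in a `<meta http-equiv>` element is ignored. The function and field names (`collectPolicies`, `sampleDelivery`, the `source`/`name`/`value` records) are this example's own, the sample delivery list is constructed, and the dropping of `report-uri`, `frame-ancestors` and `sandbox` from meta-delivered policies follows the "HTML meta Element" section of the CSP2 spec the commit cites rather than anything in this commit.

```javascript
// Added example, not WebKit code: a model of how a CSP Level 2 user agent
// decides which delivered policies to honor, keyed on delivery source.
//
// Rule from the commit: a report-only policy counts only when it arrives in
// the Content-Security-Policy-Report-Only header (or WebKit's legacy
// X-WebKit-CSP-Report-Only header); the same name in <meta http-equiv> is
// ignored. The meta directive filtering (report-uri, frame-ancestors and
// sandbox dropped from meta-delivered policies) follows the "HTML meta
// Element" section of the cited CSP2 spec and is not part of this commit.
// All function and field names below are this example's own.

const ENFORCE_NAMES = new Set(["content-security-policy"]);
const REPORT_ONLY_NAMES = new Set([
  "content-security-policy-report-only",
  "x-webkit-csp-report-only",
]);
const META_UNSUPPORTED_DIRECTIVES = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// "script-src 'self'; report-uri /r" -> [{name: "script-src", values: ["'self'"]}, ...]
// Directive names are ASCII case-insensitive; values are kept verbatim.
function parseSerializedPolicy(text) {
  return text
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const [name, ...values] = d.split(/\s+/);
      return { name: name.toLowerCase(), values };
    });
}

// delivered: array of {source: "header" | "meta", name, value}, in the order
// the document received them (response headers first, then meta elements).
// Returns the honored policies as {source, disposition, directives}.
function collectPolicies(delivered) {
  const honored = [];
  for (const { source, name, value } of delivered) {
    // Header names and http-equiv values are both ASCII case-insensitive.
    const key = name.trim().toLowerCase();
    let disposition;
    if (ENFORCE_NAMES.has(key)) disposition = "enforce";
    else if (REPORT_ONLY_NAMES.has(key)) disposition = "report";
    else continue; // unrelated header or http-equiv value

    // The commit's rule: report-only policies are honored from headers only.
    if (source === "meta" && disposition === "report") continue;

    let directives = parseSerializedPolicy(value);
    if (source === "meta") {
      directives = directives.filter((d) => !META_UNSUPPORTED_DIRECTIVES.has(d.name));
    }
    honored.push({ source, disposition, directives });
  }
  return honored;
}

// Constructed sample: one response that sets the report-only header and a
// document whose <head> also tries to deliver CSP through meta elements.
function sampleDelivery() {
  return [
    { source: "header", name: "Content-Security-Policy-Report-Only",
      value: "script-src 'self'; report-uri /csp-report" },
    { source: "meta", name: "Content-Security-Policy-Report-Only",
      value: "script-src 'none'; report-uri /csp-report" },
    { source: "meta", name: "X-WebKit-CSP-Report-Only",
      value: "default-src 'none'" },
    { source: "meta", name: "content-security-policy",
      value: "default-src 'self'; frame-ancestors 'none'; report-uri /csp-report" },
  ];
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of collectPolicies(sampleDelivery())) {
    console.log(`${p.source}\t${p.disposition}\t` +
      p.directives.map((d) => [d.name, ...d.values].join(" ")).join("; "));
  }
}
```

Run stand-alone, the sample yields two honored policies: the header-delivered report-only policy (both of its directives kept) and the meta-delivered enforced policy reduced to `default-src 'self'`. Both report-only meta elements are dropped, which is why the layout tests in this commit were converted to PHP: the only way to get a report-only policy monitored is to emit the header from the server.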