CSP reports for blocked 'data:' URLs should report the scheme only.
author mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Feb 2013 21:29:46 +0000 (21:29 +0000)
committer mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Feb 2013 21:29:46 +0000 (21:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=109429

Reviewed by Adam Barth.

Source/WebCore:

https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed
the CSP 1.1 spec to require that blocked URLs that don't refer to
generally resolvable schemes (e.g. 'data:', 'javascript:', etc.) be
stripped down to their scheme in violation reports.

Test: http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation):
    If the blocked URL is a web-resolvable scheme, apply the current
    stripping logic to it; otherwise, strip it to the scheme only.
* platform/KURL.h:
(KURL):
    Move KURL::isHierarchical() out into KURL's public API.
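
The reporting rule described above, modelled in Python as an added example (not WebKit code): a URL is treated as hierarchical when a '/' follows its "scheme:" prefix, hierarchical URLs get the existing referrer-style stripping (same origin) or origin serialization (cross origin), and anything else is reduced to its scheme name. The same-origin check, default-port table and absolute-URL inputs are simplifying assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: default ports elided from origin serialization, as browsers do.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


def is_hierarchical(url: str) -> bool:
    """True when a '/' follows the 'scheme:' prefix (data:, javascript:,
    blob: and similar schemes therefore count as non-hierarchical)."""
    colon = url.find(":")
    return colon > 0 and url[colon + 1:colon + 2] == "/"


def origin_of(url: str) -> str:
    """scheme://host[:port] with the default port dropped; 'null' if hostless."""
    p = urlsplit(url)
    if not p.hostname:
        return "null"
    if p.port is None or DEFAULT_PORTS.get(p.scheme) == p.port:
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def stripped_for_referrer(url: str) -> str:
    """Drop credentials and fragment, keeping path and query."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def blocked_uri_for_report(document_url: str, blocked_url: str) -> str:
    """Value of the 'blocked-uri' field in a CSP violation report."""
    if not blocked_url:                       # invalid/empty blocked URL
        return ""
    if not is_hierarchical(blocked_url):      # data:, javascript:, ... -> scheme only
        return urlsplit(blocked_url).scheme
    if origin_of(document_url) == origin_of(blocked_url):   # simplified canRequest()
        return stripped_for_referrer(blocked_url)
    return origin_of(blocked_url)
```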

LayoutTests:

* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@142506 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/platform/KURL.h

index bcf4d00..68c7e3f 100644 (file)
@@ -1,3 +1,13 @@
+2013-02-11  Mike West  <mkwst@chromium.org>
+
+        CSP reports for blocked 'data:' URLs should report the scheme only.
+        https://bugs.webkit.org/show_bug.cgi?id=109429
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html: Added.
+
 2013-02-11  Julien Chaffraix  <jchaffraix@webkit.org>
 
         Regression(r131539): Heap-use-after-free in WebCore::RenderBlock::willBeDestroyed
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
new file mode 100644 (file)
index 0000000..12bfc2f
--- /dev/null
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.html
+REQUEST_METHOD: POST
+=== POST DATA ===
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data"}}
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html b/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html
new file mode 100644 (file)
index 0000000..b654160
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
+</head>
+<body>
+    <img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
+    <script src="resources/go-to-echo-report.js"></script>
+</body>
+</html>
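Review bot: the test exercises only the data: case, while the description names 'javascript:' and "etc." as schemes covered by the new isHierarchical() branch; a second test (or a second blocked resource in this page, e.g. a blocked blob: or javascript: URL under a matching directive) would pin the report value for those schemes as well, so a later change to the hierarchical test cannot regress them unnoticed.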
index 9ebed0c..640a2a5 100644 (file)
@@ -1,3 +1,25 @@
+2013-02-11  Mike West  <mkwst@chromium.org>
+
+        CSP reports for blocked 'data:' URLs should report the scheme only.
+        https://bugs.webkit.org/show_bug.cgi?id=109429
+
+        Reviewed by Adam Barth.
+
+        https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed
+        the CSP 1.1 spec to require that blocked URLs that don't refer to
+        generally resolvable schemes (e.g. 'data:', 'javascript:', etc.) be
+        stripped down to their scheme in violation reports.
+
+        Test: http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+            If the blocked URL is a web-resolvable scheme, apply the current
+            stripping logic to it, otherwise, strip it to the scheme only.
+        * platform/KURL.h:
+        (KURL):
+            Move KURL::isHierarchical() out into KURL's public API.
+
 2013-02-11  Simon Fraser  <simon.fraser@apple.com>
 
         ScrollingTree node maps keep getting larger
index 1f53515..db2bed6 100644 (file)
@@ -1631,7 +1631,10 @@ void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
         cspReport->setString("violated-directive", directiveText);
     cspReport->setString("original-policy", header);
     if (blockedURL.isValid())
-        cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
+        if (blockedURL.isHierarchical())
+            cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
+        else
+            cspReport->setString("blocked-uri", blockedURL.protocol());
     else
         cspReport->setString("blocked-uri", String());
 
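Review bot: the outer `if (blockedURL.isValid())` now has a multi-line if/else as its body but no braces, so the trailing `else` at the end of the hunk reads as ambiguous to anyone skimming it (the first `else` binds to the inner `isHierarchical()` test, the second to `isValid()`; it compiles as intended, but only by the dangling-else rule). WebKit style calls for braces around multi-line control bodies; wrapping the `isValid()` body in `{ ... }` and placing the final `} else` on the closing-brace line removes the ambiguity. Note also that `blockedURL.protocol()` returns the bare scheme name ("data", matching the expected.txt), so any consumer expecting a trailing colon will not find one.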
index 46bf2ad..ba409b1 100644 (file)
@@ -120,6 +120,7 @@ public:
     bool canSetHostOrPort() const { return isHierarchical(); }
 
     bool canSetPathname() const { return isHierarchical(); }
+    bool isHierarchical() const;
 
 #if USE(GOOGLEURL)
     const String& string() const { return m_url.string(); }
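Review bot: `isHierarchical()` becomes public API here without any comment on what "hierarchical" means for KURL, so callers such as reportViolation have to read KURL.cpp to learn which URLs (data:, javascript:, blob:) fall on the non-hierarchical side; a one-line comment on the declaration stating the condition the implementation tests would help. Placing the declaration above `canSetHostOrPort()` and `canSetPathname()`, which both call it, would also read more naturally than adding it after them.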
@@ -231,7 +232,6 @@ public:
 
 private:
     void invalidate();
-    bool isHierarchical() const;
     static bool protocolIs(const String&, const char*);
 #if USE(GOOGLEURL)
     friend class KURLGooglePrivate;