[CSP] Violation report may be sent to wrong domain on frame-ancestors violation
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Sep 2016 21:39:29 +0000 (21:39 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Sep 2016 21:39:29 +0000 (21:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=162079
<rdar://problem/28321575>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where a CSP violation report may be sent to the wrong domain when the
frame-ancestors directive is violated. In particular, when the frame-ancestors directive
is violated for a page that specifies a report URI that is a relative URL, then the
report URI would be resolved with respect to the parent frame's document URL and hence
be sent to the domain of the parent frame's document.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
to the blocked URL when we do not have a script execution context.

LayoutTests:

Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
to validate that the CSP violation report was sent to the appropriate host. Updated test expectations.

Note that the presence of "localhost" in the HTTP Host header in the test results for tests
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
verify that we resolve a relative URL CSP report URI with respect to the blocked URL.

* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/save-report.php:
* http/tests/security/xssAuditor/report-script-tag-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206278 268f45cc-cd09-0410-ab3c-d52691b4dbfc
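The resolution mistake described in the commit message, as an added example that is not WebKit's code: it parses the report-uri directive out of a serialized policy and resolves each endpoint against the framed (protected) document and, separately, against the embedder, flagging endpoints whose destination origin differs. It also covers absolute endpoints, which resolve identically either way. The URLs are constructed from the cross-origin layout test in this commit; `reports.example` is a constructed placeholder.

```javascript
// Added example (not WebKit code). Shows why a relative report-uri has to be
// resolved against the document whose policy was violated (the framed document),
// not against the parent frame that embeds it.

// Pull every endpoint of the report-uri directive out of a serialized CSP value.
function parseReportUris(policy) {
  const endpoints = [];
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 1 && tokens[0].toLowerCase() === "report-uri") {
      endpoints.push(...tokens.slice(1));
    }
  }
  return endpoints;
}

// Resolve one endpoint against a base document URL; null if it cannot be parsed.
function resolveReportUri(reportUri, baseDocumentUrl) {
  try {
    return new URL(reportUri, baseDocumentUrl).href;
  } catch (e) {
    return null;
  }
}

// For each endpoint, compare the correct resolution (against the protected
// document) with the buggy one (against the embedder). crossOriginMisroute is
// true when the two destinations land on different origins, i.e. when the
// pre-fix behaviour would have posted the report to another host.
function auditReportDestinations(policy, protectedDocumentUrl, embedderUrl) {
  return parseReportUris(policy).map((reportUri) => {
    const correct = resolveReportUri(reportUri, protectedDocumentUrl);
    const buggy = resolveReportUri(reportUri, embedderUrl);
    const crossOriginMisroute =
      correct !== null && buggy !== null &&
      new URL(correct).origin !== new URL(buggy).origin;
    return { reportUri, correct, buggy, crossOriginMisroute };
  });
}

// Constructed inputs mirroring report-frame-ancestors-cross-origin.html:
// the parent page is on 127.0.0.1, the framed document (whose policy is
// violated) is on localhost. The framed URL is shortened to keep it readable.
const EMBEDDER_URL =
  "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html";
const FRAMED_DOCUMENT_URL =
  "http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?q=FAIL";
// Policy as the test had it before this commit, and as it has it after.
const OLD_POLICY =
  "frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
const NEW_POLICY =
  "frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
// Absolute endpoint (constructed placeholder host): base URL is irrelevant.
const ABSOLUTE_POLICY = "frame-ancestors 'none'; report-uri https://reports.example/csp";

for (const policy of [OLD_POLICY, NEW_POLICY, ABSOLUTE_POLICY]) {
  console.log(JSON.stringify(auditReportDestinations(policy, FRAMED_DOCUMENT_URL, EMBEDDER_URL), null, 2));
}
```

With OLD_POLICY the buggy resolution is the only one that reaches the real `save-report.php` directory (on the wrong host), which is why the tests had to switch to a report-uri relative to the framed document's own directory.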

49 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php
LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt
LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicy.cpp

index a8b6b08..a0770ff 100644 (file)
@@ -1,5 +1,68 @@
 2016-09-22  Daniel Bates  <dabates@apple.com>
 
+        [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+        https://bugs.webkit.org/show_bug.cgi?id=162079
+        <rdar://problem/28321575>
+
+        Reviewed by Andy Estes.
+
+        Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
+        to validate that the CSP violation report was sent to the appropriate host. Update test expectations.
+
+        Note that the presence of "localhost" in the HTTP Host header in the test results for tests
+        security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
+        security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
+        verify that we resolve a relative URL CSP report URI with respect to the blocked URL.
+
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+        * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+        * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+        * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+
+2016-09-22  Daniel Bates  <dabates@apple.com>
+
         [XSS Auditor] HTML5 entities can bypass XSS Auditor
         https://bugs.webkit.org/show_bug.cgi?id=161939
         <rdar://problem/25819815>
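Review bot: the LayoutTests ChangeLog entry lists the modified files but does not say what changed in the .html tests: the report-uri in every frame-ancestors test moves from `../../resources/save-report.php` to `save-report.php`, and the two cross-origin tests additionally change navigateToReport() to read the report from http://localhost:8000 instead of http://127.0.0.1:8000. Since `../../resources/save-report.php` only reaches the resources directory when resolved against the parent page's directory (the very behaviour this commit fixes), a sentence noting that the old tests depended on the wrong base URL would help future readers. Also, the test paths quoted in the note (`security/contentSecurityPolicy/1.1/frame-ancestors/...`) omit the `http/tests/` prefix used everywhere else in the entry.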
index d462cc7..daf31bc 100644 (file)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8000
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
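Review bot: the report-uri change is what gives this expectation its meaning. Relative to the framed document at /security/contentSecurityPolicy/resources/echo-intertag.pl, the old value `../../resources/save-report.php` resolves to /security/resources/save-report.php, which is not where save-report.php lives (http/tests/security/contentSecurityPolicy/resources/save-report.php per the file list); it only hit the right path when resolved against the parent page's directory /security/contentSecurityPolicy/1.1/frame-ancestors/, so the old test was passing because of the bug. With `save-report.php` the endpoint resolves inside the framed document's own directory on localhost:8000, and the new `HTTP_HOST: localhost:8000` line pins that host, whereas the pre-fix behaviour would have posted to 127.0.0.1:8000. Consider keeping one test with a `../`-style relative report-uri so dot-segment resolution against the blocked URL stays covered.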
index 7f04b30..c99ac33 100644 (file)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8443
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
index b5b08a5..6f0173b 100644 (file)
@@ -11,10 +11,10 @@ if (window.testRunner) {
 
 function navigateToReport()
 {
-    window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+    window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
 }
 </script>
 </head>
-<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
 </body>
 </html>
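Review bot: navigateToReport() now loads echo-report.php from http://localhost:8000 rather than http://127.0.0.1:8000, but neither the ChangeLog nor the commit message explains why. Presumably it has to match the host the report was posted to (localhost, per the new HTTP_HOST expectation); if echo-report.php looks reports up by host rather than only by the `test=` parameter, say so in the ChangeLog, otherwise the hunk reads as an unrelated change.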
index 952d3ab..f6f6e06 100644 (file)
@@ -11,10 +11,10 @@ if (window.testRunner) {
 
 function navigateToReport()
 {
-    window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
+    window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
 }
 </script>
 </head>
-<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
 </body>
 </html>
index 16ba048..4e6213c 100644 (file)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
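Review bot: this expectation cannot distinguish the old resolution from the new one: parent and framed document are both on 127.0.0.1:8000, so `HTTP_HOST: 127.0.0.1:8000` would appear either way. Only the report-uri path change matters here, and the cross-origin variants are the actual regression tests for the bug. A line in the ChangeLog saying the same-origin files were updated only for the shared report-uri value and the new HTTP_HOST output would make that explicit.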
index 2211157..14a9b81 100644 (file)
@@ -1,6 +1,7 @@
-CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
index 9782651..a99826b 100644 (file)
@@ -15,6 +15,6 @@ function navigateToReport()
 }
 </script>
 </head>
-<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
 </body>
 </html>
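Review bot: the report-uri in this test changes from `../../resources/save-report.php` to the bare `save-report.php` without any explanation in the test itself, which will puzzle the next person who touches it. The bare name only works because the relative report URI is now resolved against the blocked URL (`.../resources/echo-intertag.pl`), so `save-report.php` lands in the same `resources/` directory that `../../resources/` used to reach from the test's own directory. Consider a short HTML comment above the iframe saying that the report-uri is relative to the framed document's URL, not to this page; the same applies to the http variant of this test below.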
index 7891dbf..353ce8b 100644 (file)
@@ -15,6 +15,6 @@ function navigateToReport()
 }
 </script>
 </head>
-<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
 </body>
 </html>
index 21ff5dd..cf1ecda 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: line 4: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
 REQUEST_METHOD: POST
 === POST DATA ===
index d9552a9..41b6813 100644 (file)
@@ -8,6 +8,7 @@ Frame: 'report-only'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
 REQUEST_METHOD: POST
 === POST DATA ===
@@ -18,6 +19,7 @@ Frame: 'enforced-1'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
 REQUEST_METHOD: POST
 === POST DATA ===
@@ -28,6 +30,7 @@ Frame: 'enforced-2'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 1d3f4c3..209fbb7 100644 (file)
@@ -8,6 +8,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 41342ad..9bc1dbb 100644 (file)
@@ -8,6 +8,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
 REQUEST_METHOD: POST
 === POST DATA ===
index b43a5ca..3c1a353 100644 (file)
@@ -8,6 +8,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index b940eef..d8c3e8a 100644 (file)
@@ -8,6 +8,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 15269c4..12f5efa 100644 (file)
@@ -10,6 +10,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 34a95b1..e059651 100644 (file)
@@ -10,6 +10,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 01d4c9c..e26655a 100644 (file)
@@ -9,6 +9,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 4735ff7..1efee05 100644 (file)
@@ -9,6 +9,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 341d3de..811c9c5 100644 (file)
@@ -11,6 +11,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 3604452..745a898 100644 (file)
@@ -11,6 +11,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 4633109..017b223 100644 (file)
@@ -9,6 +9,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 0ebbb7c..1bb526e 100644 (file)
@@ -9,6 +9,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 6f6c0ab..0d73302 100644 (file)
@@ -3,6 +3,7 @@ CONSOLE MESSAGE: line 9: [Report Only] Refused to execute a script because its h
 ALERT: PASS
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 58d3048..36aacd9 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: Refused to load data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 2cd59d3..893360e 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: Refused to load compass.jpg because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
 REQUEST_METHOD: POST
 === POST DATA ===
index f3fec0f..66e491d 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8080/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 90e92bf..a7c0f35 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
 REQUEST_METHOD: POST
 === POST DATA ===
index b63b915..13e3001 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: localhost:8080
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 5a93b7d..a584641 100644 (file)
@@ -2,6 +2,7 @@ CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its h
 ALERT: PASS
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 8a987f9..aad7e69 100644 (file)
@@ -2,6 +2,7 @@ CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its h
 ALERT: PASS
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 0a22087..9a1f979 100644 (file)
@@ -3,6 +3,7 @@ CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its h
 ALERT: PASS
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 7b96e99..4c1e0a9 100644 (file)
@@ -2,6 +2,7 @@ CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.pn
 CSP report received:
 CONTENT_TYPE: application/csp-report
 HTTP_COOKIE: hello=world
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
 REQUEST_METHOD: POST
 === POST DATA ===
index cbf753b..494131f 100644 (file)
@@ -1,6 +1,7 @@
 CSP report received:
 CONTENT_TYPE: application/csp-report
 HTTP_COOKIE: hello=world
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
 REQUEST_METHOD: POST
 === POST DATA ===
index 7b0dcfc..c5b4a7f 100644 (file)
@@ -8,6 +8,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
 HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
 REQUEST_METHOD: POST
 === POST DATA ===
index a495f6b..c86fcb2 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
 REQUEST_METHOD: POST
 === POST DATA ===
index b32e4ad..4310cea 100644 (file)
@@ -6,6 +6,7 @@ Frame: '<!--framePath //<!--frame0-->-->'
 --------
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
 REQUEST_METHOD: POST
 === POST DATA ===
index 6b3567c..aa2281b 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
 REQUEST_METHOD: POST
 === POST DATA ===
index ab3433e..9c5534a 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
 REQUEST_METHOD: POST
 === POST DATA ===
index b47ff87..c46084d 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CSP report received:
 CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8080
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
 REQUEST_METHOD: POST
 === POST DATA ===
index e625a27..b480db3 100644 (file)
@@ -11,7 +11,7 @@ $reportFile = fopen($reportFilePath . ".tmp", 'w');
 $httpHeaders = $_SERVER;
 ksort($httpHeaders, SORT_STRING);
 foreach ($httpHeaders as $name => $value) {
-    if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
+    if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") {
         $value = undoMagicQuotes($value);
         fwrite($reportFile, "$name: $value\n");
     }
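Review bot: the header allow-list in this `if` is now five string comparisons on a single line, and each new header means editing that condition again. Consider a sorted array checked with `in_array`, e.g. `$headersToEcho = array("CONTENT_TYPE", "HTTP_COOKIE", "HTTP_HOST", "HTTP_REFERER", "REQUEST_METHOD");` followed by `if (in_array($name, $headersToEcho, true)) {`, which also keeps the list in the same order the `ksort` above produces in the output. Echoing `HTTP_HOST` is the right choice for this fix, since it is what lets the expectation files show which host actually received the report.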
index 0083845..562cdc4 100644 (file)
@@ -8,6 +8,7 @@ Frame: 'frame'
 --------
 CSP report received:
 CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
 === POST DATA ===
index e429900..5e960fd 100644 (file)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
 CSP report received:
 CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
 === POST DATA ===
index ec2d018..7209868 100644 (file)
@@ -8,6 +8,7 @@ Frame: 'frame'
 --------
 CSP report received:
 CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
 HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
 REQUEST_METHOD: POST
 === POST DATA ===
index 81505e2..66ca3f0 100644 (file)
@@ -1,5 +1,23 @@
 2016-09-22  Daniel Bates  <dabates@apple.com>
 
+        [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+        https://bugs.webkit.org/show_bug.cgi?id=162079
+        <rdar://problem/28321575>
+
+        Reviewed by Andy Estes.
+
+        Fixes an issue where a CSP violation report may be sent to the wrong domain when the
+        frame-ancestors directive is violated. In particular, when the frame-ancestors directive
+        is violated for a page that specifies a report URI that is a relative URL then the
+        report URI would be resolved with respect to the parent frame's document URL and hence
+        be sent to the domain of the parent frame's document.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
+        to the blocked URL when we do not have a script execution context.
+
+2016-09-22  Daniel Bates  <dabates@apple.com>
+
         [XSS Auditor] HTML5 entities can bypass XSS Auditor
         https://bugs.webkit.org/show_bug.cgi?id=161939
         <rdar://problem/25819815>
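Review bot: the description of the `reportViolation` change says the report URL is adjusted "when we do not have a script execution context", but the code change in this patch branches on `is<Document>(m_scriptExecutionContext)`, which is also false for a non-Document context, not only for a null one. Suggest wording the ChangeLog to match the condition, e.g. "Resolve the report URL relative to the blocked URL when the script execution context is not a Document (the frame-ancestors case)", so the entry does not read as a null check when the code is a type check.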
index c8569cc..c9f0afc 100644 (file)
@@ -658,7 +658,7 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
 
     RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
     for (const auto& url : reportURIs)
-        PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
+        PingLoader::sendViolationReport(*frame, is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
 }
 
 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
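Review bot: the ternary in the `PingLoader::sendViolationReport` call recomputes the base-URL decision on every iteration of the `reportURIs` loop and gives no hint why `blockedURL` is the right base when `m_scriptExecutionContext` is not a Document. Suggest hoisting the choice above the loop into a named local, roughly `URL reportURL = is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL);` per URI, together with a comment stating that on a frame-ancestors violation `blockedURL` is the URL of the framed document that set the policy, so a relative report URI must be resolved against it rather than against the parent frame's `document`. Note also that `document` is still used in the non-Document branch, so it is worth confirming in review that the parent document's character encoding is acceptable when completing the child's report URI.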