CSP reports should send an empty 'referrer' rather than nothing.
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Sep 2012 18:52:31 +0000 (18:52 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Sep 2012 18:52:31 +0000 (18:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=97233

Patch by Mike West <mkwst@chromium.org> on 2012-09-20
Reviewed by Adam Barth.

Source/WebCore:

Currently, if a protected resource doesn't have a referrer, then any
Content Security Policy violations send a report that doesn't contain
a referrer attribute. It's arguably friendlier to developers to include
an explicitly empty attribute.

This new behavior is covered by updates to existing test expectations
around the reporting functionality.

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation):
    Drop the 'if', and always write out a referrer.

LayoutTests:

* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
    Adding the empty 'referrer' attribute to the expectations.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@129150 268f45cc-cd09-0410-ab3c-d52691b4dbfc
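The practical consequence of this change for anyone running a report-uri endpoint is that reports from engines before and after it differ in shape: the old ones omit "referrer" entirely, the new ones carry "referrer": "". The receiver below is an added example, not code from this commit or from WebKit, showing how to accept both shapes and normalise them before storing or aggregating. The function names (parse_csp_report, dedup_key) and the REQUIRED/OPTIONAL_STRING split are this example's own choices; the two sample bodies are constructed from the expectation lines in the patch rather than captured from a browser.

```python
import json

# Constructed sample report bodies, modelled on the report-uri-expected.txt
# lines in the patch. OLD_REPORT has no "referrer" key (pre-patch behaviour),
# NEW_REPORT has an explicitly empty one (post-patch behaviour).
OLD_REPORT = """{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}"""
NEW_REPORT = """{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}"""

# Fields a receiver should refuse to work without (assumption of this example).
REQUIRED = ("document-uri", "original-policy")
# Fields that an engine may omit or send empty; both are normalised to "".
OPTIONAL_STRING = ("referrer", "violated-directive", "blocked-uri")

# Upper bound on the body we are willing to parse; report endpoints are
# unauthenticated and reachable by anyone, so cap the work per request.
MAX_BODY_BYTES = 8192


def parse_csp_report(body: str) -> dict:
    """Parse one report-uri POST body into a dict with a fixed set of keys.

    Absent optional fields become "", so the caller sees the same value from
    an engine that omits "referrer" and from one that sends "referrer": "".
    Anything that is not a string-valued csp-report object is rejected.
    """
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("report body too large")
    try:
        outer = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(outer, dict) or not isinstance(outer.get("csp-report"), dict):
        raise ValueError("missing csp-report object")
    report = outer["csp-report"]

    normalised = {}
    for key in REQUIRED:
        value = report.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or non-string {key}")
        normalised[key] = value
    for key in OPTIONAL_STRING:
        value = report.get(key, "")
        if not isinstance(value, str):
            raise ValueError(f"non-string {key}")
        normalised[key] = value
    return normalised


def dedup_key(normalised: dict) -> tuple:
    """Key for counting repeated violations.

    The referrer is deliberately left out: the same broken inline script
    produces one report per visit, and visits arrive with whatever referrer
    the user happened to have, so including it only fragments the counts.
    """
    return (
        normalised["document-uri"],
        normalised["violated-directive"],
        normalised["blocked-uri"],
    )


if __name__ == "__main__":
    for body in (OLD_REPORT, NEW_REPORT):
        parsed = parse_csp_report(body)
        print(dedup_key(parsed), repr(parsed["referrer"]))
```

Both sample bodies parse to the same dict, which is the property a receiver wants: a dashboard or alerting rule keyed on the normalised fields does not change behaviour when the engine on the other end is upgraded across this commit.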

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp

index 2ede956..c9e3f96 100644 (file)
@@ -1,3 +1,18 @@
+2012-09-20  Mike West  <mkwst@chromium.org>
+
+        CSP reports should send an empty 'referrer' rather than nothing.
+        https://bugs.webkit.org/show_bug.cgi?id=97233
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+            Adding the empty 'referrer' attribute to the expectations.
+
 2012-09-20  Simon Fraser  <simon.fraser@apple.com>
 
         Add WK2-specific result for this frame-flattening test (seems to be a scrollbars difference).
index 9aefa4c..a2126d6 100644 (file)
@@ -8,4 +8,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
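Review bot: this expectation, like the other five in the patch, pins `"referrer":""`, so the change is only tested on the no-referrer path; nothing asserts that a document which does have a referrer still reports it, and the rewritten line in reportViolation is the one that emitted the non-empty value before. The `HTTP_REFERER:` line above does not cover that case: it is the Referer on the report POST itself, not the protected resource's referrer. One test that reaches the CSP page through a link or iframe from another page and expects a non-empty referrer would close the gap.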
index 0bbe840..893bdc7 100644 (file)
@@ -5,4 +5,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080"}}
index f99c8d3..391c8c3 100644 (file)
@@ -5,4 +5,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
index a1edf3a..bf7220e 100644 (file)
@@ -6,4 +6,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
index cec2c28..d1a5c89 100644 (file)
@@ -6,4 +6,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
index 56a6ef6..272b8a9 100644 (file)
@@ -5,4 +5,4 @@ CONTENT_TYPE: application/json
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.html","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri resources/save-report.php"}}
index 9773ae2..00222b1 100644 (file)
@@ -1,3 +1,22 @@
+2012-09-20  Mike West  <mkwst@chromium.org>
+
+        CSP reports should send an empty 'referrer' rather than nothing.
+        https://bugs.webkit.org/show_bug.cgi?id=97233
+
+        Reviewed by Adam Barth.
+
+        Currently, if a protected resource doesn't have a referrer, then any
+        Content Security Policy violations send a report that doesn't contain
+        a referrer attribute. It's arguably friendlier to developers to include
+        an explicitly empty attribute.
+
+        This new behavior is covered by updates to existing test expectations
+        around the reporting functionality.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+            Drop the 'if', and always write out a referrer.
+
 2012-09-20  David Barton  <dbarton@mathscribe.com>
 
         [MathML] Increase visual space around fraction parts, italic variables, and operators
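Review bot: the ChangeLog justifies emitting the empty string only as "arguably friendlier to developers"; it should point at the report-format text this brings WebKit in line with, or say explicitly that it is an intentional deviation, so the value is tied to a requirement rather than preference and the next person touching reportViolation knows which wording to check.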
index 7a00ecd..2577197 100644 (file)
@@ -1521,8 +1521,7 @@ void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
     RefPtr<InspectorObject> cspReport = InspectorObject::create();
     cspReport->setString("document-uri", document->url().strippedForUseAsReferrer());
     String referrer = document->referrer();
-    if (!referrer.isEmpty())
-        cspReport->setString("referrer", referrer);
+    cspReport->setString("referrer", referrer);
     if (!directiveText.isEmpty())
         cspReport->setString("violated-directive", directiveText);
     cspReport->setString("original-policy", header);
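Review bot: the same "emit an empty string rather than omit the key" rationale applies to `violated-directive`, which is still guarded by `if (!directiveText.isEmpty())` immediately below the changed line; either drop that guard too so the report has one fixed shape, or say in the ChangeLog why the two fields differ. Separately, `document-uri` goes through `strippedForUseAsReferrer()` while `referrer` is emitted from `document->referrer()` untouched; if that accessor is not already the on-the-wire Referer (fragment and credentials removed), the report would disclose more than the server ever received, so confirm that or apply the same stripping. With the guard gone the local is used once and can be inlined as `cspReport->setString("referrer", document->referrer());`.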