CSP: Ignore report-only policy delivered via meta element
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Apr 2016 16:48:05 +0000 (16:48 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Apr 2016 16:48:05 +0000 (16:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156565
<rdar://problem/25718167>

Reviewed by Brent Fulgham.

Source/WebCore:

Only honor a report-only policy delivered via the HTTP header Content-Security-Policy-Report-Only
or X-WebKit-CSP-Report-Only as per section Content-Security-Policy-Report-Only Header Field of
the Content Security Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).

Currently we honor a report-only policy delivered via a meta element or an HTTP header. Instead
we should only honor such a policy when delivered via an HTTP header.

Tests: http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
       http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
       http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
       http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php
       http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php
       http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Do not process policy for HTTP equivalent header
Content-Security-Policy-Report-Only and X-WebKit-CSP-Report-Only.

LayoutTests:

Add new test LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
to ensure that we ignore X-WebKit-CSP-Report-Only when delivered via a meta element.

Rename test report-multiple-violations-0{1, 2}.html and eval-allowed-in-report-only-mode-and-sends-report.html
to report-multiple-violations-0{1, 2}.php and eval-allowed-in-report-only-mode-and-sends-report.php, respectively,
so that we can make use of PHP to deliver the report-only policy via an HTTP header instead of via a meta element
as the latter is no longer supported. Additionally, fix up code style in some tests to make them more
consistent with the code style we use for tests.

* TestExpectations: Update some entries due to renaming and mark tests reportonly-in-meta-ignored.html
and reportonly-in-meta-ignored2.html as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html:
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html: Added.
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html.
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt:
* http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html.
* http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html.
* http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html.
* http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html: Removed.
* http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199538 268f45cc-cd09-0410-ab3c-d52691b4dbfc

19 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html [deleted file]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index cbd9ca9..09f6244 100644 (file)
@@ -1,3 +1,34 @@
+2016-04-14  Daniel Bates  <dabates@apple.com>
+
+        CSP: Ignore report-only policy delivered via meta element
+        https://bugs.webkit.org/show_bug.cgi?id=156565
+        <rdar://problem/25718167>
+
+        Reviewed by Brent Fulgham.
+
+        Add new test LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
+        to ensure that we ignore X-WebKit-CSP-Report-Only when delivered via a meta element.
+
+        Rename test report-multiple-violations-0{1, 2}.html and eval-allowed-in-report-only-mode-and-sends-report.html
+        to report-multiple-violations-0{1, 2}.php and eval-allowed-in-report-only-mode-and-sends-report.php, respectively,
+        so that we can make use of PHP to deliver the report-only policy via an HTTP header instead of via a meta element
+        as the latter is no longer supported. Additionally, fix up code style in some tests to make them more
+        consistent with the code style we use for tests.
+
+        * TestExpectations: Update some entries due to renaming and mark tests reportonly-in-meta-ignored.html
+        and reportonly-in-meta-ignored2.html as PASS so that we run them.
+        * http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html:
+        * http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html: Added.
+        * http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html.
+        * http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-expected.txt:
+        * http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html.
+        * http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html.
+        * http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html.
+        * http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html: Removed.
+        * http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php: Added.
+
 2016-04-14  Antoine Quint  <graouts@apple.com>
 
         WebGL based canvases composite incorrectly after changing size
index e453bcc..354e611 100644 (file)
@@ -819,6 +819,8 @@ http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html [ Pass ]
@@ -860,7 +862,7 @@ http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html [ Pass ]
 webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
 webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
-webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
+webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
 webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
 webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
 webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
@@ -879,8 +881,8 @@ webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-def
 webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
 webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
 webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
-webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
-webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php [ Failure ]
+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php [ Failure ]
 webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
 webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
index 985ef10..0473cf7 100644 (file)
@@ -1,2 +1 @@
-CONSOLE MESSAGE: line 4: The report-only Content Security Policy 'this-should-be-ignored' was delivered via a <meta> element, which is disallowed. The policy has been ignored.
-This tests that report-only Content Security Policy headers are ignored if contained in meta elements.
+This tests that a Content-Security-Policy-Report-Only header is ignored if delivered in a meta element. This test PASSED if there are no console warnings.
index 427c462..c7648cd 100644 (file)
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <html>
 <head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="this-should-be-ignored">
-    <script>
-        if (window.testRunner)
-            testRunner.dumpAsText();
-    </script>
+<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'none'">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
 </head>
 <body>
-    <p>This tests that report-only Content Security Policy headers are ignored if contained in meta elements.</p>
+<p>This tests that a Content-Security-Policy-Report-Only header is ignored if delivered in a meta element. This test PASSED if there are no console warnings.</p>
 </body>
 </html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2-expected.txt
new file mode 100644 (file)
index 0000000..6bdfaae
--- /dev/null
@@ -0,0 +1 @@
+This tests that an X-WebKit-CSP-Report-Only header is ignored if delivered in a meta element. This test PASSED if there are no console warnings.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
new file mode 100644 (file)
index 0000000..eae4591
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP-Report-Only" content="script-src 'none'">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<p>This tests that an X-WebKit-CSP-Report-Only header is ignored if delivered in a meta element. This test PASSED if there are no console warnings.</p>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html b/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
deleted file mode 100644 (file)
index 68f1f21..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self' 'unsafe-inline'; report-uri resources/save-report.php">
-</head>
-<body>
-    <script>
-        try {
-            eval("alert('PASS: eval() allowed!')");
-        } catch (e) {
-            console.log('FAIL: eval() blocked!');
-        }
-    </script>
-    <script src="resources/go-to-echo-report.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php b/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
new file mode 100644 (file)
index 0000000..5be5152
--- /dev/null
@@ -0,0 +1,16 @@
+<?php
+header("Content-Security-Policy-Report-Only: script-src 'self' 'unsafe-inline'; report-uri resources/save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+try {
+    eval("alert('PASS: eval() allowed!')");
+} catch (e) {
+    console.log("FAIL: eval() blocked!");
+}
+</script>
+<script src="resources/go-to-echo-report.js"></script>
+</body>
+</html>
index 0fafc44..71ee382 100644 (file)
@@ -1,4 +1,4 @@
 CONSOLE MESSAGE: The Content Security Policy 'script-src 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-CONSOLE MESSAGE: line 7: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 4: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 ALERT: PASS: eval() executed as expected.
 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html b/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html
deleted file mode 100644 (file)
index 79ae6b4..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'">
-</head>
-<body>
-    <script>
-        if (window.testRunner)
-            testRunner.dumpAsText();
-
-        eval("alert('PASS: eval() executed as expected.');");
-    </script>
-</body>
-</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php b/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
new file mode 100644 (file)
index 0000000..8c56c3c
--- /dev/null
@@ -0,0 +1,14 @@
+<?php
+header("Content-Security-Policy-Report-Only: script-src 'self'");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+eval("alert('PASS: eval() executed as expected.');");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html b/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html
deleted file mode 100644 (file)
index 1713b87..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/does-not-exist">
-</head>
-<body>
-    <p>This tests that multiple violations on a page trigger multiple reports.
-    The test passes if two PingLoader callbacks are visible in the output.</p>
-    <img src="../resources/abe.png">
-    <img src="../resources/eba.png">
-</body>
-</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php b/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php
new file mode 100644 (file)
index 0000000..db745b6
--- /dev/null
@@ -0,0 +1,12 @@
+<?php
+header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/does-not-exist");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that multiple violations on a page trigger multiple reports.
+The test passes if two PingLoader callbacks are visible in the output.</p>
+<img src="../resources/abe.png">
+<img src="../resources/eba.png">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html b/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html
deleted file mode 100644 (file)
index c6e2786..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'unsafe-inline' 'self'; report-uri resources/does-not-exist">
-</head>
-<body>
-    <p>This tests that multiple violations on a page trigger multiple reports
-    if and only if the violations are distinct. This test passes if only one.
-    PingLoader callback is visible in the output.</p>
-    <script>
-        for (var i = 0; i<5; i++)
-            setTimeout("alert('PASS: setTimeout #" + i + " executed.');", 0);
-    </script>
-</body>
-</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php b/LayoutTests/http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php
new file mode 100644 (file)
index 0000000..72e604a
--- /dev/null
@@ -0,0 +1,15 @@
+<?php
+header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'; report-uri resources/does-not-exist");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that multiple violations on a page trigger multiple reports
+if and only if the violations are distinct. This test passes if only one.
+PingLoader callback is visible in the output.</p>
+<script>
+for (var i = 0; i< 5; i++)
+    setTimeout("alert('PASS: setTimeout #" + i + " executed.');", 0);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html b/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.html
deleted file mode 100644 (file)
index d2837f3..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'unsafe-inline';">
-    <script>
-        if (window.testRunner)
-            testRunner.dumpAsText();
-    </script>
-</head>
-<body>
-    <p>This test passes if a console message is present, warning about the missing 'report-uri' directive.</p>
-</body>
-</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php b/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php
new file mode 100644 (file)
index 0000000..7fcc386
--- /dev/null
@@ -0,0 +1,15 @@
+<?php
+header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline';");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<p>This test passes if a console message is present, warning about the missing 'report-uri' directive.</p>
+</body>
+</html>
index 59455cc..f8b5f7b 100644 (file)
@@ -1,3 +1,29 @@
+2016-04-14  Daniel Bates  <dabates@apple.com>
+
+        CSP: Ignore report-only policy delivered via meta element
+        https://bugs.webkit.org/show_bug.cgi?id=156565
+        <rdar://problem/25718167>
+
+        Reviewed by Brent Fulgham.
+
+        Only honor a report-only policy delivered via the HTTP header Content-Security-Policy-Report-Only
+        or X-WebKit-CSP-Report-Only as per section Content-Security-Policy-Report-Only Header Field of 
+        the Content Security Policy Level 2 spec., <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).
+
+        Currently we honor a report-only policy delivered via a meta element or an HTTP header. Instead
+        we should only honor such a policy when delivered via an HTTP header.
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/reportonly-in-meta-ignored2.html
+               http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
+               http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.php
+               http/tests/security/contentSecurityPolicy/report-multiple-violations-01.php
+               http/tests/security/contentSecurityPolicy/report-multiple-violations-02.php
+               http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv): Do not process policy for HTTP equivalent header
+        Content-Security-Policy-Report-Only and X-WebKit-CSP-Report-Only.
+
 2016-04-14  Antoine Quint  <graouts@apple.com>
 
         Dashboard is spelled as Dashbard in several source files
index cf702b7..b94325f 100644 (file)
@@ -3321,21 +3321,11 @@ void Document::processHttpEquiv(const String& equiv, const String& content, bool
             contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Enforce);
         break;
 
-    case HTTPHeaderName::ContentSecurityPolicyReportOnly:
-        if (isInDocumentHead)
-            contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Report);
-        break;
-
     case HTTPHeaderName::XWebKitCSP:
         if (isInDocumentHead)
             contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
         break;
 
-    case HTTPHeaderName::XWebKitCSPReportOnly:
-        if (isInDocumentHead)
-            contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedReport);
-        break;
-
     default:
         break;
     }