<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />

<title>[187834] releases/WebKitGTK/webkit-2.8</title>

</head>

<body>

<style type="text/css"><!--

#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }

#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }

#msg dt:after { content:':';}

#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }

#msg dl a { font-weight: bold}

#msg dl a:link    { color:#fc3; }

#msg dl a:active  { color:#ff0; }

#msg dl a:visited { color:#cc6; }

h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }

#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }

#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }

#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }

#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }

#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }

#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }

#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }

#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }

#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }

#logmsg pre { background: #eee; padding: 1em; }

#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}

#logmsg dl { margin: 0; }

#logmsg dt { font-weight: bold; }

#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }

#logmsg dd:before { content:'\00bb';}

#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }

#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }

#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }

#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }

#logmsg table th.Corner { text-align: left; }

#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }

#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }

#patch { width: 100%; }

#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}

#patch .propset h4, #patch .binary h4 {margin:0;}

#patch pre {padding:0;line-height:1.2em;margin:0;}

#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}

#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}

#patch span {display:block;padding:0 10px;}

#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}

#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}

#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}

#patch .lines, .info {color:#888;background:#fff;}

--></style>

<div id="msg">

<dl class="meta">

<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/187834">187834</a></dd>

<dt>Author</dt> <dd>carlosgc@webkit.org</dd>

<dt>Date</dt> <dd>2015-08-04 02:51:16 -0700 (Tue, 04 Aug 2015)</dd>

</dl>

<h3>Log Message</h3>

<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/186663">r186663</a> - Fetching Content Security Policy report URL should respect same origin policy

https://bugs.webkit.org/show_bug.cgi?id=146754

&lt;rdar://problem/18860259&gt;

Reviewed by Brady Eidson.

Inspired by Blink <a href="http://trac.webkit.org/projects/webkit/changeset/149791">r149791</a> (by Mike West &lt;mkwst@chromium.org&gt;):

&lt;https://src.chromium.org/viewvc/blink?revision=149791&amp;view=revision&gt;

Source/WebCore:

As per &lt;http://www.w3.org/TR/2015/CR-CSP2-20150219/#send-violation-reports&gt;, fetching the

Content Security Policy report URL should include cookies if and only if the origin of

the protected resource is equal to the origin of the report URL.

Tests: http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html

       http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html

       http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html

       http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html

       http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html

       http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html

* loader/PingLoader.cpp:

(WebCore::PingLoader::sendViolationReport):

LayoutTests:

Added additional tests for private browsing mode.

* http/tests/cookies/resources/setCookies.cgi:

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html: Added.

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html: Added.

* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html: Added.

* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html: Added.

* http/tests/security/contentSecurityPolicy/resources/save-report.php:

* platform/wk2/TestExpectations: Skip private browsing mode tests in WebKit2 until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=115274&gt;.</pre>

<h3>Modified Paths</h3>

<ul>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestscookiesresourcessetCookiescgi">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/cookies/resources/setCookies.cgi</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php</a></li>

<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>

<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreloaderPingLoadercpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/PingLoader.cpp</a></li>

</ul>

<h3>Added Paths</h3>

<ul>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieshtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html</a></li>

<li><a href="#releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieshtml">releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html</a></li>

</ul>

</div>

<div id="patch">

<h3>Diff</h3>

<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (187833 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-08-04 09:47:43 UTC (rev 187833)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -1,3 +1,32 @@

</span><ins>+2015-07-09  Daniel Bates  &lt;dabates@apple.com&gt;

+

+        Fetching Content Security Policy report URL should respect same origin policy

+        https://bugs.webkit.org/show_bug.cgi?id=146754

+        &lt;rdar://problem/18860259&gt;

+

+        Reviewed by Brady Eidson.

+

+        Inspired by Blink r149791 (by Mike West &lt;mkwst@chromium.org&gt;):

+        &lt;https://src.chromium.org/viewvc/blink?revision=149791&amp;view=revision&gt;

+

+        Added additional tests for private browsing mode.

+

+        * http/tests/cookies/resources/setCookies.cgi:

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html: Added.

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html: Added.

+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html: Added.

+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html: Added.

+        * http/tests/security/contentSecurityPolicy/resources/save-report.php:

+        * platform/wk2/TestExpectations: Skip private browsing mode tests in WebKit2 until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=115274&gt;.

+

</ins><span class="cx"> 2015-07-09  Michael Saboff  &lt;msaboff@apple.com&gt;

</span><span class="cx"> 

</span><span class="cx">         REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestscookiesresourcessetCookiescgi"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/cookies/resources/setCookies.cgi (187833 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/cookies/resources/setCookies.cgi        2015-08-04 09:47:43 UTC (rev 187833)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/cookies/resources/setCookies.cgi        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -2,6 +2,8 @@

</span><span class="cx"> use strict;

</span><span class="cx"> 

</span><span class="cx"> print &quot;Content-Type: text/plain\n&quot;;

</span><ins>+print &quot;Access-Control-Allow-Origin: *\n&quot;;

+print &quot;Access-Control-Allow-Headers: SET-COOKIE\n&quot;;

</ins><span class="cx"> print &quot;Cache-Control: no-store\n&quot;;

</span><span class="cx"> print 'Cache-Control: no-cache=&quot;set-cookie&quot;' . &quot;\n&quot;;

</span><span class="cx"> 

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,8 @@

</span><ins>+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.

+

+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,6 @@

</span><ins>+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledhtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,22 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    if (window.testRunner)

+        testRunner.setPrivateBrowsingEnabled(true);

+

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;http://localhost:8080/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,6 @@

</span><ins>+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledhtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,23 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    // Normal browsing mode

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;http://localhost:8080/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+

+    if (window.testRunner)

+        testRunner.setPrivateBrowsingEnabled(true);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieshtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,19 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;http://localhost:8080/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,6 @@

</span><ins>+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledhtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,23 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    // Normal browsing mode

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+

+    if (window.testRunner)

+        testRunner.setPrivateBrowsingEnabled(true);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,9 @@

</span><ins>+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.

+

+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_COOKIE: hello=world

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,7 @@

</span><ins>+CSP report received:

+CONTENT_TYPE: application/json

+HTTP_COOKIE: hello=world

+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html

+REQUEST_METHOD: POST

+=== POST DATA ===

+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledhtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,22 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    if (window.testRunner)

+        testRunner.setPrivateBrowsingEnabled(true);

+

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieshtml"></a>

<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html (0 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html                                (rev 0)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -0,0 +1,19 @@

</span><ins>+&lt;!DOCTYPE html&gt;

+&lt;html&gt;

+&lt;head&gt;

+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;&gt;

+&lt;/head&gt;

+&lt;body&gt;

+&lt;script&gt;

+    var xhr = new XMLHttpRequest();

+    xhr.open(&quot;GET&quot;, &quot;/cookies/resources/setCookies.cgi&quot;, false);

+    xhr.setRequestHeader(&quot;SET-COOKIE&quot;, &quot;hello=world;path=/&quot;);

+    xhr.send(null);

+&lt;/script&gt;

+

+&lt;!-- This image will generate a CSP violation report. --&gt;

+&lt;img src=&quot;/security/resources/abe.png&quot;&gt;

+

+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;

+&lt;/body&gt;

+&lt;/html&gt;

</ins></span></pre></div>

<a id="releasesWebKitGTKwebkit28LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (187833 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2015-08-04 09:47:43 UTC (rev 187833)

+++ releases/WebKitGTK/webkit-2.8/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -11,11 +11,15 @@

</span><span class="cx"> $httpHeaders = $_SERVER;

</span><span class="cx"> ksort($httpHeaders, SORT_STRING);

</span><span class="cx"> foreach ($httpHeaders as $name =&gt; $value) {

</span><del>-    if ($name === &quot;CONTENT_TYPE&quot; || $name === &quot;HTTP_REFERER&quot; || $name === &quot;REQUEST_METHOD&quot;) {

</del><ins>+    if ($name === &quot;CONTENT_TYPE&quot; || $name === &quot;HTTP_REFERER&quot; || $name === &quot;REQUEST_METHOD&quot; || $name === &quot;HTTP_COOKIE&quot;) {

</ins><span class="cx">         $value = undoMagicQuotes($value);

</span><span class="cx">         fwrite($reportFile, &quot;$name: $value\n&quot;);

</span><span class="cx">     }

</span><span class="cx"> }

</span><ins>+

+foreach ($_COOKIE as $name =&gt; $value)

+    setcookie($name, &quot;deleted&quot;, time() - 60, &quot;/&quot;);

+

</ins><span class="cx"> fwrite($reportFile, &quot;=== POST DATA ===\n&quot;);

</span><span class="cx"> fwrite($reportFile, file_get_contents(&quot;php://input&quot;));

</span><span class="cx"> fclose($reportFile);

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (187833 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-08-04 09:47:43 UTC (rev 187833)

+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -1,3 +1,28 @@

</span><ins>+2015-07-09  Daniel Bates  &lt;dabates@apple.com&gt;

+

+        Fetching Content Security Policy report URL should respect same origin policy

+        https://bugs.webkit.org/show_bug.cgi?id=146754

+        &lt;rdar://problem/18860259&gt;

+

+        Reviewed by Brady Eidson.

+

+        Inspired by Blink r149791 (by Mike West &lt;mkwst@chromium.org&gt;):

+        &lt;https://src.chromium.org/viewvc/blink?revision=149791&amp;view=revision&gt;

+

+        As per &lt;http://www.w3.org/TR/2015/CR-CSP2-20150219/#send-violation-reports&gt;, fetching the

+        Content Security Policy report URL should include cookies if and only if the origin of

+        the protected resource is equal to the origin of the report URL.

+

+        Tests: http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html

+               http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html

+               http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html

+               http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html

+               http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html

+               http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html

+

+        * loader/PingLoader.cpp:

+        (WebCore::PingLoader::sendViolationReport):

+

</ins><span class="cx"> 2015-07-10  Brady Eidson  &lt;beidson@apple.com&gt;

</span><span class="cx"> 

</span><span class="cx">         ASSERT restoring from page cache as DocumentLoader reattaches to its Frame.

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit28SourceWebCoreloaderPingLoadercpp"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/PingLoader.cpp (187833 => 187834)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/PingLoader.cpp        2015-08-04 09:47:43 UTC (rev 187833)

+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/PingLoader.cpp        2015-08-04 09:51:16 UTC (rev 187834)

</span><span class="lines">@@ -99,6 +99,7 @@

</span><span class="cx">     request.setHTTPMethod(&quot;POST&quot;);

</span><span class="cx">     request.setHTTPContentType(&quot;application/json&quot;);

</span><span class="cx">     request.setHTTPBody(report);

</span><ins>+    request.setAllowCookies(frame.document()-&gt;securityOrigin()-&gt;isSameSchemeHostPort(SecurityOrigin::create(reportURL).ptr()));

</ins><span class="cx">     frame.loader().addExtraFieldsToSubresourceRequest(request);

</span><span class="cx"> 

</span><span class="cx">     String referrer = SecurityPolicy::generateReferrerHeader(frame.document()-&gt;referrerPolicy(), reportURL, frame.loader().outgoingReferrer());

</span></span></pre>

</div>

</div>

</body>

</html>