<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196876] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196876">196876</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-21 11:45:47 -0800 (Sun, 21 Feb 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Violation report should include HTTP status code and effective-directive of protected resource
https://bugs.webkit.org/show_bug.cgi?id=154288
&lt;rdar://problem/24674982&gt;
And
https://bugs.webkit.org/show_bug.cgi?id=115707
&lt;rdar://problem/24383128&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

Include status-code and effective-directive in the Content Security Policy violation report for
the HTTP status code of the protected resource and name of the policy directive that was violated,
respectively, as per section Reporting of the Content Security Policy 2.0 spec., &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.

Test: http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation): Add key status-code to the report with value
equal to the HTTP response code for the document or 0 depending on whether the document was
delivered over HTTP or not. Additionally, remove ENABLE(CSP_NEXT)-guard/experimentalFeaturesEnabled()-condition
around code to include the effective-directive property in the report.

LayoutTests:

Add new test http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html to ensure
that the CSP report property status-code is 0 when the protected document is delivered over HTTPS. Fix a
correctness issue in the result for test http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html
and update the expected results for the following tests now that the CSP violation report includes properties
status-code and effective-directive:
    http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
    http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
    http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
    http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php

The rest of the changes to the expected results are cosmetic and reflect the difference in wording for inline
script violations between WebKit and Blink. We will consider adopting wording similar to Blink in
&lt;https://bugs.webkit.org/show_bug.cgi?id=153242&gt;.

* TestExpectations: Remove entries for tests that now pass. Add test http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php.
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html. The report-uri
directive is only honored when defined in a policy delivered via an HTTP header. We convert this
HTML file to a PHP script to be able to deliver a Content-Security-Policy HTTP header.
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
that the report includes properties status-code and effective-directive.
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-only-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Update expected result now
that the report includes properties status-code and effective-directive.
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
that the report includes properties status-code and effective-directive.
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html: Added.
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html: Fix ill-formed markup; substitute &lt;/iframe&gt; for &lt;/script&gt;.
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Cosmetic change.
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt: Ditto.</pre>
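<p>Added example, not WebKit code and not part of this changeset: a receiver-side validator for CSP violation reports of the shape WebKit posts to a report-uri endpoint. It checks the two properties this change adds, status-code and effective-directive, against the behaviour the log message describes (status-code is the HTTP response code of the protected document, or 0 when the document was not delivered over plain HTTP), and flags the inconsistencies a report collector should log rather than silently accept. The function names, the KNOWN_DIRECTIVES list and the sample bodies are assumptions made for this example; the first sample mirrors the report in this changeset's expected results, the others are constructed.</p>

```javascript
// Added example, not WebKit code: validate application/csp-report bodies as a
// report-uri collector would, paying attention to the status-code and
// effective-directive properties that this changeset adds to the report.

// Directive names a collector accepts in effective-directive (assumed list).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
  'frame-ancestors', 'form-action', 'base-uri', 'plugin-types', 'sandbox',
]);

// Parse one report body and validate its fields.
// Returns { ok, errors, record }; record is null when the body is unusable.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, errors: ['body is not valid JSON'], record: null };
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') {
    return { ok: false, errors: ['missing "csp-report" object'], record: null };
  }
  const errors = [];

  // document-uri identifies the protected resource and must be an absolute URL.
  let docUrl = null;
  try {
    docUrl = new URL(r['document-uri']);
  } catch (e) {
    errors.push('document-uri is not an absolute URL');
  }

  // status-code: HTTP response code of the protected document, or 0 when it was
  // not delivered over plain HTTP (the changeset makes WebKit send 0 for HTTPS).
  const status = r['status-code'];
  if (!Number.isInteger(status) || status < 0) {
    errors.push('status-code must be a non-negative integer');
  } else if (docUrl && docUrl.protocol !== 'http:' && status !== 0) {
    errors.push(`status-code should be 0 for a ${docUrl.protocol} document, got ${status}`);
  }

  // effective-directive names the directive actually enforced; it differs from
  // violated-directive when a fallback such as default-src applied.
  const effective = r['effective-directive'];
  if (typeof effective !== 'string' || !KNOWN_DIRECTIVES.has(effective)) {
    errors.push('effective-directive missing or not a known directive');
  }
  const violated = typeof r['violated-directive'] === 'string' ? r['violated-directive'] : '';
  const violatedName = violated.split(/\s+/)[0] || '';
  if (!violatedName) {
    errors.push('violated-directive missing');
  }

  const record = {
    documentUri: docUrl ? docUrl.href : String(r['document-uri']),
    scheme: docUrl ? docUrl.protocol.replace(':', '') : null,
    statusCode: status,
    violatedDirective: violatedName,
    effectiveDirective: typeof effective === 'string' ? effective : null,
    // true when the enforced directive was never set explicitly in the policy
    fallbackApplied: Boolean(violatedName && effective && violatedName !== effective),
    blockedUri: r['blocked-uri'] === undefined ? null : String(r['blocked-uri']),
  };
  return { ok: errors.length === 0, errors, record };
}

// Run a batch of bodies through the validator and tally the outcome.
function summarizeReports(bodies) {
  const summary = { accepted: 0, rejected: 0, fallback: 0, byDirective: {} };
  for (const body of bodies) {
    const result = parseCspReport(body);
    if (!result.ok) { summary.rejected += 1; continue; }
    summary.accepted += 1;
    if (result.record.fallbackApplied) summary.fallback += 1;
    const d = result.record.effectiveDirective;
    summary.byDirective[d] = (summary.byDirective[d] || 0) + 1;
  }
  return summary;
}

// Constructed sample bodies. SAMPLE_HTTP mirrors the report in this
// changeset's expected results; the other three are made up for the example.
const SAMPLE_HTTP = JSON.stringify({ 'csp-report': {
  'document-uri': 'http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php',
  'referrer': '', 'violated-directive': "default-src 'self'", 'effective-directive': 'script-src',
  'original-policy': "default-src 'self'; report-uri ../resources/save-report.php",
  'blocked-uri': '', 'status-code': 200 } });
const SAMPLE_HTTPS_OK = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.test/page', 'referrer': '',
  'violated-directive': "img-src 'none'", 'effective-directive': 'img-src',
  'original-policy': "img-src 'none'; report-uri /csp",
  'blocked-uri': 'https://cdn.example.test/a.png', 'status-code': 0 } });
// Same HTTPS report but claiming a 200 status: the validator should flag it.
const SAMPLE_HTTPS_BAD_STATUS = SAMPLE_HTTPS_OK.replace('"status-code":0', '"status-code":200');
const SAMPLE_GARBAGE = '{"csp-report": not json';

const ALL_SAMPLES = [SAMPLE_HTTP, SAMPLE_HTTPS_OK, SAMPLE_HTTPS_BAD_STATUS, SAMPLE_GARBAGE];
for (const b of ALL_SAMPLES) console.log(JSON.stringify(parseCspReport(b)));
console.log(summarizeReports(ALL_SAMPLES));
```

<p>The fallbackApplied flag is what effective-directive buys a collector: the first sample's policy only set default-src, so the report names default-src as violated but script-src as enforced, which tells the policy author which directive to add rather than which one they wrote.</p>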

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectivephp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectivehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/ChangeLog        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,5 +1,60 @@
</span><span class="cx"> 2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        CSP: Violation report should include HTTP status code and effective-directive of protected resource
+        https://bugs.webkit.org/show_bug.cgi?id=154288
+        &lt;rdar://problem/24674982&gt;
+        And
+        https://bugs.webkit.org/show_bug.cgi?id=115707
+        &lt;rdar://problem/24383128&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add new test http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html to ensure
+        that the CSP report property status-code is 0 when the protected document is delivered over HTTPS. Fix a
+        correctness issue in the result for test http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html
+        and update the expected results for the following tests now that the CSP violation report includes properties
+        status-code and effective-directive:
+            http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
+            http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
+            http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
+            http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
+
+        The rest of the changes to the expected results are cosmetic and reflect the difference in wording for inline
+        script violations between WebKit and Blink. We will consider adopting wording similar to Blink in
+        &lt;https://bugs.webkit.org/show_bug.cgi?id=153242&gt;.
+
+        * TestExpectations: Remove entries for tests that now pass. Add test http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php.
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html. The report-uri
+        directive is only honored when defined in a policy delivered via an HTTP header. We convert this
+        HTML file to a PHP script to be able to deliver a Content-Security-Policy HTTP header.
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
+        that the report includes properties status-code and effective-directive.
+        * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Update expected result now
+        that the report includes properties status-code and effective-directive.
+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Update expected result now
+        that the report includes properties status-code and effective-directive.
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html: Added.
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html: Fix ill-formed markup; substitute &lt;/iframe&gt; for &lt;/script&gt;.
+        * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Cosmetic change.
+        * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt: Ditto.
+
+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         CSP: report-url directive should be ignored when contained in a policy defined via a meta element
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=154307
</span><span class="cx">         &lt;rdar://problem/24684817&gt;
</span></span></pre></div>
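<p>Review bot: the summary paragraph of this entry ("Fix a correctness issue in the result for test http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html") disagrees with the per-file line for report-blocked-file-uri-expected.txt, which reads "Ditto." after a "Cosmetic change." entry; one of the two should be corrected so the entry says whether that expected-result update is cosmetic or a correctness fix. The test name should also match TestExpectations, which lists report-blocked-file-uri.php rather than .html.</p>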
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/TestExpectations        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -803,14 +803,12 @@
</span><span class="cx"> # Content Security Policy failures
</span><span class="cx"> webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
</ins><span class="cx"> webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
</span><span class="cx"> webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
</span><span class="cx"> webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
</span><span class="cx"> webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
</span><span class="cx"> webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
</span><del>-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php [ Failure ]
-webkit.org/b/115702 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.php [ Failure ]
-webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php [ Failure ]
</del><span class="cx"> webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
</span><span class="cx"> webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
</span><span class="cx"> webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
</span><span class="lines">@@ -829,19 +827,8 @@
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
</span><span class="cx"> webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
</span><del>-webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
-webkit.org/b/153162 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only-from-header.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-only.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri-from-javascript.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-uri.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-and-enforce.php [ Failure ]
-webkit.org/b/153242 webkit.org/b/154288 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.php [ Failure ]
</del><ins>+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
+webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><span class="cx"> 
</span><span class="cx"> # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,8 +1,8 @@
</span><del>-CONSOLE MESSAGE: line 7: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-L3uuqigJSGd8GNknRL52DwyzzMGSUwfFRHXvGFby0oM='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
</del><ins>+CONSOLE MESSAGE: line 4: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;default-src 'self'&quot;. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><del>-HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html
</del><ins>+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
</ins><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;default-src 'self'&quot;,&quot;effective-directive&quot;:&quot;script-src&quot;,&quot;original-policy&quot;:&quot;default-src 'self'; report-uri ../resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;&quot;,&quot;status-code&quot;:200}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;default-src 'self'&quot;,&quot;effective-directive&quot;:&quot;script-src&quot;,&quot;original-policy&quot;:&quot;default-src 'self'; report-uri ../resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectivehtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,13 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;default-src 'self'; report-uri ../resources/save-report.php&quot;&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;script&gt;
-        // This script block will trigger a violation report.
-        alert('FAIL');
-    &lt;/script&gt;
-    &lt;script src=&quot;../resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectivephpfromrev196875trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectivehtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php (from rev 196875, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html) (0 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy: default-src 'self'; report-uri ../resources/save-report.php&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+    &lt;script&gt;
+        // This script block will trigger a violation report.
+        alert('FAIL');
+    &lt;/script&gt;
+    &lt;script src=&quot;../resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
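<p>Review bot: the new file carries no comment saying why it is a PHP script rather than the HTML it replaces; the ChangeLog explains that report-uri is only honored in a header-delivered policy, but that reasoning lives only in the ChangeLog. A one-line comment next to the header("Content-Security-Policy: ...") call, stating that a meta-delivered report-uri is ignored, would stop the next edit from turning the file back into an HTML test with a meta element.</p>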
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><del>-CONSOLE MESSAGE: line 14: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 11: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-YQwmkO9U3gKLwAFFj9h7BeOrJNIo50emf5tmL1p32RY='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 9: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span></span></pre></div>
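Review bot: beyond the report-body changes this commit is about, these expectations drop the "line 14:" prefix from the image-load refusal, move the inline-script refusal from line 11 to line 9, and remove the hash/nonce hint from the message; none of that is covered by the WebCore ChangeLog entry, which mentions only status-code and effective-directive. If these are rebaselines for an earlier console-message change, say so in the LayoutTests ChangeLog; if not, losing the line number on the image message reads like a regression in the console diagnostics and should be justified.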
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 8: Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;file&quot;,&quot;status-code&quot;:200}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;file&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;line-number&quot;:9}}
</ins></span></pre></div>
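Review bot: this report gains source-file and line-number (line 9) in addition to the status-code and effective-directive fields the ChangeLog describes, and the same keys appear in the inline-javascript and javascript expectations further down; the ChangeLog should state that these keys are now posted to the report-uri endpoint and under which condition, or, if they come from an earlier change, the rebaseline should be called out, because a new key in the report body is a visible change for anyone consuming these reports.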
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 4: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 18: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -3,4 +3,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -3,4 +3,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 3: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-MbVeEjw3Zzj1MNUWQYXDtxD7K2xZqa56QKGb3hkp9DY='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-MbVeEjw3Zzj1MNUWQYXDtxD7K2xZqa56QKGb3hkp9DY='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -3,4 +3,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 18: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src 'none'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -4,4 +4,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (0 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
+
+This tests that the status-code is 0 in the Content Security Policy violation report for a protected resource delivered over HTTPS.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
+REQUEST_METHOD: POST
+=== POST DATA ===
+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html&quot;,&quot;referrer&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html&quot;,&quot;violated-directive&quot;:&quot;script-src 'self'&quot;,&quot;effective-directive&quot;:&quot;script-src&quot;,&quot;original-policy&quot;:&quot;script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html&quot;,&quot;blocked-uri&quot;:&quot;&quot;,&quot;status-code&quot;:0}}
</ins></span></pre></div>
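Review bot: this expectation bakes in status-code 0 for a document served from https://127.0.0.1:8443, so "delivered over HTTP or not" in the ChangeLog is being read as the literal http scheme rather than HTTP as a protocol; an HTTPS response has a real status code and report consumers will now see 0 for every TLS-served page, so the spec wording that motivates this should be recorded in the test description or the ChangeLog so it is not later "fixed" as a bug. Separately, every other rebaselined expectation shows status-code 200, so nothing here demonstrates that the value is taken from the actual response; a test whose protected resource is served with a non-200 status would close that gap.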
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html (0 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This tests that the status-code is 0 in the Content Security Policy violation report for a protected resource delivered over HTTPS.&lt;/p&gt;
+&lt;!-- window.testRunner.notifyDone() will be ultimately called by generate-csp-report.php. --&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 3: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -2,4 +2,4 @@
</span><span class="cx"> if (window.testRunner)
</span><span class="cx">     testRunner.dumpChildFramesAsText();
</span><span class="cx"> &lt;/script&gt;
</span><del>-&lt;iframe src=&quot;resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html&quot;&gt;&lt;/script&gt;
</del><ins>+&lt;iframe src=&quot;resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html&quot;&gt;&lt;/iframe&gt;
</ins></span></pre></div>
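Review bot: the end-tag fix from `</script>` to `</iframe>` on the iframe line is an unrelated drive-by; the stray `</script>` inside iframe raw text should not have changed how the frame was parsed, so no behaviour changes, but it deserves its own line in the LayoutTests ChangeLog so the rebaseline history stays readable.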
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;line-number&quot;:7}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js&quot;,&quot;line-number&quot;:3}}
</ins></span></pre></div>
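Review bot: source-file here now names the external script that inserted the image (resources/inject-image.js, line 3) rather than the document, which is the right attribution, but it also means every source-file value rebaselined in this commit is same-origin with the document; there is no expectation for a violation triggered from a cross-origin script, so whatever stripping or omission is applied to source-file in that case is untested. A companion test that loads the injecting script from localhost:8080 would cover it.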
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: line 3: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;. Either the 'unsafe-inline' keyword, a hash ('sha256-2jEXxWe/uIoRJGbfoW7Bd11qhRclP9IuS5ZXCbhCUnM='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: &quot;script-src 'self'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span></span></pre></div>
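Review bot: this expectation changes in two ways that the ChangeLog does not account for: the reported line moves from 3 to 1, and the trailing hint about 'unsafe-inline', a sha256 hash or a nonce is dropped from the console message. If the test's HTML or the console wording was changed in the same revision, say so in the LayoutTests ChangeLog; otherwise the new expectation is masking a behaviour change unrelated to status-code and effective-directive.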
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/Source/WebCore/ChangeLog        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -1,5 +1,28 @@
</span><span class="cx"> 2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        CSP: Violation report should include HTTP status code and effective-directive of protected resource
+        https://bugs.webkit.org/show_bug.cgi?id=154288
+        &lt;rdar://problem/24674982&gt;
+        And
+        https://bugs.webkit.org/show_bug.cgi?id=115707
+        &lt;rdar://problem/24383128&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Include status-code and effective-directive in the Content Security Policy violation report for
+        the HTTP status code of the protected resource and name of the policy directive that was violated,
+        respectively, as per section Reporting of the Content Security Policy 2.0 spec., &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.
+
+        Test: http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation): Add key status-code to the report with value
+        equal to the HTTP response code for the document or 0 depending on whether the document was
+        delivered over HTTP or not. Additionally, remove ENABLE(CSP_NEXT)-guard/experimentalFeaturesEnabled()-condition
+        around code to include the effective-directive property in the report.
+
+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         CSP: report-url directive should be ignored when contained in a policy defined via a meta element
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=154307
</span><span class="cx">         &lt;rdar://problem/24684817&gt;
</span></span></pre></div>
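Review bot: the sentence "equal to the HTTP response code for the document or 0 depending on whether the document was delivered over HTTP or not" is ambiguous about HTTPS, while the test name on the Test: line (report-status-code-zero-when-using-https) shows that HTTPS documents deliberately report 0. State that explicitly, for example "the response status code when the document URL scheme is http, otherwise 0", so that anyone reading a report with status-code 0 from an HTTPS page does not treat it as a bug.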
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196875 => 196876)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 19:04:15 UTC (rev 196875)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 19:45:47 UTC (rev 196876)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include &quot;ContentSecurityPolicySourceList.h&quot;
</span><span class="cx"> #include &quot;DOMStringList.h&quot;
</span><span class="cx"> #include &quot;Document.h&quot;
</span><ins>+#include &quot;DocumentLoader.h&quot;
</ins><span class="cx"> #include &quot;FormData.h&quot;
</span><span class="cx"> #include &quot;FormDataList.h&quot;
</span><span class="cx"> #include &quot;Frame.h&quot;
</span><span class="lines">@@ -381,15 +382,13 @@
</span><span class="cx">     cspReport-&gt;setString(ASCIILiteral(&quot;document-uri&quot;), document.url().strippedForUseAsReferrer());
</span><span class="cx">     cspReport-&gt;setString(ASCIILiteral(&quot;referrer&quot;), document.referrer());
</span><span class="cx">     cspReport-&gt;setString(ASCIILiteral(&quot;violated-directive&quot;), directiveText);
</span><del>-#if ENABLE(CSP_NEXT)
-    if (experimentalFeaturesEnabled())
-        cspReport-&gt;setString(ASCIILiteral(&quot;effective-directive&quot;), effectiveDirective);
-#else
-    UNUSED_PARAM(effectiveDirective);
-#endif
</del><ins>+    cspReport-&gt;setString(ASCIILiteral(&quot;effective-directive&quot;), effectiveDirective);
</ins><span class="cx">     cspReport-&gt;setString(ASCIILiteral(&quot;original-policy&quot;), header);
</span><span class="cx">     cspReport-&gt;setString(ASCIILiteral(&quot;blocked-uri&quot;), stripURLForUseInReport(document, blockedURL));
</span><span class="cx"> 
</span><ins>+    ASSERT(document.loader());
+    cspReport-&gt;setInteger(ASCIILiteral(&quot;status-code&quot;), document.url().protocolIs(&quot;http&quot;) &amp;&amp; document.loader() ? document.loader()-&gt;response().httpStatusCode() : 0);
+
</ins><span class="cx">     RefPtr&lt;ScriptCallStack&gt; stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
</span><span class="cx">     const ScriptCallFrame* callFrame = stack-&gt;firstNonNativeCallFrame();
</span><span class="cx">     if (callFrame &amp;&amp; callFrame-&gt;lineNumber()) {
</span></span></pre>
</div>
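Review bot: in the second hunk, ASSERT(document.loader()) on the first added line is immediately followed by a document.loader() null check in the ternary on the next line, so a null loader crashes debug builds but silently yields status-code 0 in release; pick one behaviour (keep the null check and drop the ASSERT, or rely on the ASSERT and simplify the expression). Note also that protocolIs("http") is scheme-exact, so a document served over HTTPS always reports 0 even though the loader has a real response status; that matches the test added in this revision, but a one-line comment there would stop the next reader from "fixing" it. Hoisting the condition into a local `int statusCode` before the setInteger call would also make the overlong line readable.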
</div>

</body>
</html>