<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196877] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196877">196877</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-21 11:51:43 -0800 (Sun, 21 Feb 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Violation report should include column number
https://bugs.webkit.org/show_bug.cgi?id=154418
&lt;rdar://problem/24729525&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

Include column-number in the Content Security Policy violation report for the column number
in the source script where the violation occurred (for a script violation) as per section
Reporting of the Content Security Policy 2.0 spec., &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.

When a CSP report is created for a script violation the source file and line number of the
source code line where the violation occurred are included in the report. We now include
the column number in the source file where the violation occurred so as to help narrow
down the operation that triggered the violation in a complicated source code line.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation):

LayoutTests:

Update expected results to include source file column information where the violation occurred.

* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/LayoutTests/ChangeLog        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -1,5 +1,19 @@
</span><span class="cx"> 2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        CSP: Violation report should include column number
+        https://bugs.webkit.org/show_bug.cgi?id=154418
+        &lt;rdar://problem/24729525&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Update expected results to include source file column information where the violation occurred.
+
+        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
+
+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         CSP: Violation report should include HTTP status code and effective-directive of protected resource
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=154288
</span><span class="cx">         &lt;rdar://problem/24674982&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;file&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;line-number&quot;:9}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;file&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php&quot;,&quot;line-number&quot;:9,&quot;column-number&quot;:26}}
</ins></span></pre></div>
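Review bot: the new expectation "column-number":26 (next to "line-number":9) does not say whether columns are counted from 0 or from 1, and nothing in this change states the convention. Please state the base in the ChangeLog entry or in a comment in report-blocked-file-uri.php, so the value can be checked by eye against line 9 of that file and so consumers of the report know how to map it to an editor position.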
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;line-number&quot;:7}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php&quot;,&quot;line-number&quot;:7,&quot;column-number&quot;:10}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -5,4 +5,4 @@
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js&quot;,&quot;line-number&quot;:3}}
</del><ins>+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;effective-directive&quot;:&quot;img-src&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000/security/resources/abe.png&quot;,&quot;status-code&quot;:200,&quot;source-file&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js&quot;,&quot;line-number&quot;:3,&quot;column-number&quot;:2}}
</ins></span></pre></div>
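Review bot: this expectation ("line-number":3,"column-number":2), like the two updated before it, covers an img-src violation raised from script, so every updated result has both position fields present. The ChangeLog says the position is included for a script violation; a test whose violation is not triggered from script would pin down that "column-number" is omitted in that case rather than reported as 0.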
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/Source/WebCore/ChangeLog        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -1,5 +1,25 @@
</span><span class="cx"> 2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        CSP: Violation report should include column number
+        https://bugs.webkit.org/show_bug.cgi?id=154418
+        &lt;rdar://problem/24729525&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Include column-number in the Content Security Policy violation report for the column number
+        in the source script where the violation occurred (for a script violation) as per section
+        Reporting of the Content Security Policy 2.0 spec., &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.
+
+        When a CSP report is created for a script violation the source file and line number of the
+        source code line where the violation occurred are included in the report. We now include
+        the column number in the source file where the violation occurred so as to help narrow
+        down the operation that triggered the violation in a complicated source code line.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+
+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         CSP: Violation report should include HTTP status code and effective-directive of protected resource
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=154288
</span><span class="cx">         &lt;rdar://problem/24674982&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196876 => 196877)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 19:45:47 UTC (rev 196876)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 19:51:43 UTC (rev 196877)
</span><span class="lines">@@ -395,6 +395,7 @@
</span><span class="cx">         URL source = URL(URL(), callFrame-&gt;sourceURL());
</span><span class="cx">         cspReport-&gt;setString(ASCIILiteral(&quot;source-file&quot;), stripURLForUseInReport(document, source));
</span><span class="cx">         cspReport-&gt;setInteger(ASCIILiteral(&quot;line-number&quot;), callFrame-&gt;lineNumber());
</span><ins>+        cspReport-&gt;setInteger(ASCIILiteral(&quot;column-number&quot;), callFrame-&gt;columnNumber());
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     RefPtr&lt;InspectorObject&gt; reportObject = InspectorObject::create();
</span></span></pre>
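Review bot: the added setInteger call for "column-number" reports the position unconditionally, while the "source-file" value two lines above it is first passed through stripURLForUseInReport(document, source). If that helper shortens or blanks the URL of a script the document may not see in full, the report would still carry that script's line and column. Consider setting "line-number" and "column-number" only when the source URL is reported unmodified, or add a comment here explaining why the position is safe to send alongside a stripped URL.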
</div>
</div>

</body>
</html>