<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[206278] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/206278">206278</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-09-22 14:39:29 -0700 (Thu, 22 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[CSP] Violation report may be sent to wrong domain on frame-ancestors violation
https://bugs.webkit.org/show_bug.cgi?id=162079
<rdar://problem/28321575>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where a CSP violation report may be sent to the wrong domain when the
frame-ancestors directive is violated. In particular, when the frame-ancestors directive
is violated for a page that specifies a report URI that is a relative URL then the
report URI would be resolved with respect to the parent frame's document URL and hence
be sent to the domain of the parent frame's document.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
to the blocked URL when we do not have a script execution context.

LayoutTests:

Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
to validate that the CSP violation report was sent to the appropriate host. Update test expectations.

Note that the presence of "localhost" in the HTTP Host header in the test results for tests
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
verify that we resolve a relative URL CSP report URI with respect to the blocked URL.

* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/save-report.php:
* http/tests/security/xssAuditor/report-script-tag-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:</pre>
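<p>As an added illustration (not code from this revision or from WebKit), the following Node.js script resolves the relative report-uri used by these tests against each candidate base URL and checks which origin the violation report would be posted to. It reproduces the pre-fix behaviour described in the log message (resolution against the parent frame's document URL) beside the fixed behaviour (resolution against the blocked URL). The parent page's host 127.0.0.1 and the shortened blocked URL are constructed sample values; the two policy strings are taken from the test expectations in this revision.</p>

```javascript
// Added example, not WebKit code. Shows how a relative CSP report-uri lands on
// different hosts depending on the base URL it is resolved against, which is the
// frame-ancestors bug this revision fixes. Runs under Node.js (WHATWG URL API).

// Constructed sample URLs. The parent page's host (127.0.0.1) is an assumption;
// the framed (blocked) URL is a shortened form of the one in the test expectations.
const PARENT_DOCUMENT_URL =
  "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html";
const BLOCKED_URL =
  "http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?q=FAIL";

// Policies as delivered by the framed response: the pre-revision test policy
// and the one the tests use after this revision.
const OLD_POLICY =
  "frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
const NEW_POLICY =
  "frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";

// Violation context for a frame-ancestors check: the framed document does not
// exist yet, so there is no script execution context / document URL.
const FRAME_ANCESTORS_CTX = {
  documentUrl: null,
  parentDocumentUrl: PARENT_DOCUMENT_URL,
  blockedUrl: BLOCKED_URL,
};

// Extract the report-uri tokens from a serialized policy (directives are
// separated by ';', directive name and values by whitespace).
function reportUriTokens(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "report-uri") {
      return tokens.slice(1);
    }
  }
  return [];
}

// Base URL selection. With a document URL available it is used. Without one
// (the frame-ancestors case), the pre-fix code fell back to the parent frame's
// document URL, as the log message describes; the fix uses the blocked URL.
function reportBaseUrl(ctx, fixed) {
  if (ctx.documentUrl) return ctx.documentUrl;
  return fixed ? ctx.blockedUrl : ctx.parentDocumentUrl;
}

// Resolve every report-uri token against the chosen base and return the
// absolute endpoints. Unparsable tokens are dropped, as a browser would do.
function reportEndpoints(policy, ctx, fixed) {
  const base = reportBaseUrl(ctx, fixed);
  const endpoints = [];
  for (const token of reportUriTokens(policy)) {
    try {
      endpoints.push(new URL(token, base).href);
    } catch (e) {
      // invalid report-uri: nothing to send to
    }
  }
  return endpoints;
}

// Defender-side check: a report for a policy delivered by `policySourceUrl`
// should stay on that origin unless the policy named an absolute report-uri.
// Returns the endpoints that would leave that origin.
function endpointsLeavingPolicyOrigin(endpoints, policySourceUrl) {
  const expected = new URL(policySourceUrl).origin;
  return endpoints.filter((href) => new URL(href).origin !== expected);
}

function demo() {
  const before = reportEndpoints(OLD_POLICY, FRAME_ANCESTORS_CTX, false);
  const after = reportEndpoints(OLD_POLICY, FRAME_ANCESTORS_CTX, true);
  const afterNewPolicy = reportEndpoints(NEW_POLICY, FRAME_ANCESTORS_CTX, true);
  console.log("before fix        :", before);
  console.log("leaves origin     :", endpointsLeavingPolicyOrigin(before, BLOCKED_URL));
  console.log("after fix         :", after);
  console.log("after fix, new uri:", afterNewPolicy);
}

demo();
```

Run with `node`. Before the fix the report for the old policy goes to `127.0.0.1:8000`, the embedding page's host, which the origin check flags; after the fix it stays on `localhost:8000`, but the old `../../resources/` path now resolves to `/security/resources/save-report.php`, which is why the tests in this revision switch to a plain `save-report.php`.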
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptblockedsendsmultiplereportsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicy2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreportscripttagexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreportscripttagfullblockexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreportscripttagreplacestateexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/ChangeLog        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,5 +1,68 @@
</span><span class="cx"> 2016-09-22 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+ https://bugs.webkit.org/show_bug.cgi?id=162079
+ <rdar://problem/28321575>
+
+ Reviewed by Andy Estes.
+
+ Modified http/tests/security/contentSecurityPolicy/resources/save-report.php to print the HTTP Host header as a means
+ to validate that the CSP violation report was sent to the appropriate host. Update test expectations.
+
+ Note that the presence of "localhost" in the HTTP Host header in the test results for tests
+ security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html and
+ security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html
+ verify that we resolve a relative URL CSP report URI with respect to the blocked URL.
+
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+ * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+
+2016-09-22 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> [XSS Auditor] HTML5 entities can bypass XSS Auditor
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=161939
</span><span class="cx"> <rdar://problem/25819815>
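Review bot: the LayoutTests entry says only "Update test expectations", but the frame-ancestors expectations in this revision also change the policy's report-uri from `../../resources/save-report.php` to `save-report.php`, and the four frame-ancestors .html tests are listed as modified; state the reason here (the old relative path, once resolved against the blocked URL `.../contentSecurityPolicy/resources/echo-intertag.pl`, no longer points at `resources/save-report.php`), otherwise a reader cannot tell whether the tests changed to accommodate the fix or for an unrelated reason. Minor: the two summary sentences mix tenses ("Modified ... Update ..."); pick one.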
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: localhost:8000
</ins><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancesto
rs-cross-origin.html&q=FAIL","status-code":0}}
</del><ins>+{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","statu
s-code":0}}
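Review bot: the assertion that actually exercises the fix is the added `HTTP_HOST: localhost:8000` line, which matches the host of `blocked-uri` rather than of the embedding page, so this expectation does verify the new resolution base. Note, though, that the expected console message and `original-policy` also change from `report-uri ../../resources/save-report.php` to `report-uri save-report.php`: resolved against the blocked URL `http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl`, the old form would have resolved to `/security/resources/save-report.php`, which is not where `resources/save-report.php` lives, so the test input had to change for the fix to be observable at all. A short comment in the test (or the ChangeLog) should record that dependency. The `@@ -1,6 +1,7 @@` header is consistent with the single added line.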
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><del>-CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: localhost:8443
</ins><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ances
tors-cross-origin.html&q=FAIL","status-code":0}}
</del><ins>+{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","sta
tus-code":0}}
</ins></span></pre></div>
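Review bot: The new `HTTP_HOST: localhost:8443` line makes the receiving server part of what the test asserts, which is the right thing for a cross-origin frame-ancestors test, since `localhost` and `127.0.0.1` are distinct origins and a report delivered to the wrong one would previously have been invisible in the dump. Because the value is hard-coded, the expectation now also depends on the test being framed from `localhost` specifically; worth mentioning in the test's description so a port or host rename in the HTTP test harness is recognised as expected breakage rather than a regression.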
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -11,10 +11,10 @@
</span><span class="cx">
</span><span class="cx"> function navigateToReport()
</span><span class="cx"> {
</span><del>- window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
</del><ins>+ window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><del>-<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</del><ins>+<iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
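Review bot: The report in this test is POSTed to `https://localhost:8443` (the framed echo-intertag.pl origin) but `navigateToReport` reads it back from `http://localhost:8000/.../echo-report.php`, a different scheme and port. That only works if save-report.php and echo-report.php on the two servers share one report store, and nothing in the file records that assumption. Suggest a comment above the assignment, e.g. `// echo-report.php must be loaded from the same host the report was sent to; the 8000 and 8443 servers share the saved-report directory.`, or loading the echo page from `https://localhost:8443` so the read-back origin matches the `HTTP_HOST` in the expectation.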
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -11,10 +11,10 @@
</span><span class="cx">
</span><span class="cx"> function navigateToReport()
</span><span class="cx"> {
</span><del>- window.location = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
</del><ins>+ window.location = "http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html";
</ins><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><del>-<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</del><ins>+<iframe src="http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
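Review bot: `window.location` now points at `localhost:8000`, the same host as the framed `echo-intertag.pl` in the iframe below, instead of `127.0.0.1:8000`; the reason for the host switch is not stated anywhere in the file. Since the two hosts are separate origins, a later "tidy-up" that normalises everything to `127.0.0.1` would change which server's saved report is echoed; a short comment on the line, such as `// Read the report back from the host that received it (localhost), not from this document's origin.`, would make the intent survive such edits.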
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors
-same-origin.html&q=FAIL","status-code":0}}
</del><ins>+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-c
ode":0}}
</ins></span></pre></div>
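Review bot: In the same-origin case the new `HTTP_HOST: 127.0.0.1:8000` line repeats the host already present in `document-uri`, so it adds no new information here; it still belongs in the dump, because it is the only value taken from the request itself rather than from the browser-supplied JSON body, and the same dump format has to serve the cross-origin expectations where the two differ. A comment in save-report.php explaining why `HTTP_HOST` is emitted alongside the body would be useful for readers of this file.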
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><del>-CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Refused to load https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL because it does not appear in the frame-ancestors directive of the Content Security Policy.
</ins><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8443
</ins><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><del>-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancesto
rs-same-origin.html&q=FAIL","status-code":0}}
</del><ins>+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status
-code":0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -15,6 +15,6 @@
</span><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><del>-<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</del><ins>+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -15,6 +15,6 @@
</span><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span><del>-<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+../../resources/save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</del><ins>+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL" onload="navigateToReport()"></iframe>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
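Review bot: Here `HTTP_HOST: 127.0.0.1:8000` matches the host in the existing `HTTP_REFERER` line, so for the script-src tests the new line is a consistency check; in the frame-ancestors expectations above there is no `HTTP_REFERER` line at all and the JSON `referrer` is empty, which makes `HTTP_HOST` the only record of where the report went. Worth stating in the ChangeLog that the line is added uniformly for that reason, so nobody later trims it from the tests where it looks redundant.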
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptblockedsendsmultiplereportsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><span class="lines">@@ -18,6 +19,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span><span class="lines">@@ -28,6 +30,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -10,6 +10,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -10,6 +10,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -9,6 +9,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -9,6 +9,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -11,6 +11,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -11,6 +11,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -9,6 +9,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -9,6 +9,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -3,6 +3,7 @@
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load compass.jpg because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: [Report Only] Refused to load http://localhost:8080/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: localhost:8080
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
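Review bot: this is the expectation that actually pins the behaviour the change is about, and it deserves a sentence in the test description: the report is received on localhost:8080 while HTTP_REFERER is http://127.0.0.1:8000/..., so the new HTTP_HOST line asserts where the report was delivered, not merely which page triggered it. Before this line the dump could not distinguish a report posted to the right cross-origin collector from one posted back to the document's own host, which is exactly the failure mode named in the ChangeLog title; a one-line comment in report-cross-origin-no-cookies.php saying that HTTP_HOST is expected to differ from the referer host would keep that intent from being lost on the next rebaseline.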
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: localhost:8080
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: localhost:8080
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -2,6 +2,7 @@
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -2,6 +2,7 @@
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -3,6 +3,7 @@
</span><span class="cx"> ALERT: PASS
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -2,6 +2,7 @@
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_COOKIE: hello=world
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
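Review bot: the position of the added line depends on key order, not on insertion order, and that should be understood by whoever rebaselines next: HTTP_HOST lands after HTTP_COOKIE and before HTTP_REFERER here because save-report.php runs ksort($httpHeaders, SORT_STRING) over $_SERVER before the loop, so the dump is emitted in byte-wise key order. The expectation is therefore stable, but any further key added to the allow-list must be placed in the expected files by that same sort order rather than appended where it appears in the PHP condition.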
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_COOKIE: hello=world
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8443
</ins><span class="cx"> HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -6,6 +6,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><ins>+HTTP_HOST: 127.0.0.1:8080
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
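Review bot: this file is the odd one out in the series and merits an explanatory comment in the test: HTTP_HOST is 127.0.0.1:8080 while HTTP_REFERER is on port 8000, whereas every other same-host expectation in this patch has the report host equal to the referer host. That is consistent with a scheme-relative report-uri carrying its own authority (host and port) and borrowing only the scheme from the document, but nothing in the expected file says so, and a reader comparing it with report-uri-expected.txt two hunks up (HTTP_HOST: 127.0.0.1:8000) could mistake the 8080 for a typo. Suggest stating in report-uri-scheme-relative.php that the report is intentionally directed at port 8080.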
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -11,7 +11,7 @@
</span><span class="cx"> $httpHeaders = $_SERVER;
</span><span class="cx"> ksort($httpHeaders, SORT_STRING);
</span><span class="cx"> foreach ($httpHeaders as $name => $value) {
</span><del>- if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
</del><ins>+ if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") {
</ins><span class="cx"> $value = undoMagicQuotes($value);
</span><span class="cx"> fwrite($reportFile, "$name: $value\n");
</span><span class="cx"> }
</span></span></pre></div>
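Review bot: the allow-list condition has grown to five string comparisons chained with ||, and this change is the second time a name has been appended to it; consider replacing the chain with an array lookup so the next addition is a one-token change, for example `if (in_array($name, array("CONTENT_TYPE", "HTTP_COOKIE", "HTTP_HOST", "HTTP_REFERER", "REQUEST_METHOD"), true)) {`, listing the names in the same order ksort() emits them so the PHP reads like the expected files. Also note that the value is written to the report verbatim (`fwrite($reportFile, "$name: $value\n")`), so every expected file now encodes the exact Host header the test server receives, port included; that is the point of the change, but it means running these tests behind a different port mapping will fail on the HTTP_HOST line rather than on the CSP logic, which is worth a sentence in the ChangeLog.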
<a id="trunkLayoutTestshttptestssecurityxssAuditorreportscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/json
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
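Review bot: the xssAuditor rebaselines in this patch are a side effect of the shared collector rather than anything XSS Auditor specific, and the ChangeLog entry should say so: the dump here has the same shape as the CSP ones (CSP report received:, CONTENT_TYPE, HTTP_HOST, HTTP_REFERER, REQUEST_METHOD, === POST DATA ===), differing only in CONTENT_TYPE being application/json instead of application/csp-report, so these files change purely because resources/save-report.php now emits HTTP_HOST. Grouping the three xssAuditor expected files under a one-line "rebaselined for the HTTP_HOST line" note would make that clear to anyone bisecting XSS Auditor failures later.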
<a id="trunkLayoutTestshttptestssecurityxssAuditorreportscripttagfullblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/json
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
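Review bot: the added HTTP_HOST line only shows that the report reached 127.0.0.1:8000, which is also the origin of the page under test and of every URL in the HTTP_REFERER line above it, so this expectation cannot tell resolution against the parent frame's URL apart from resolution against the blocked URL, which is the distinction the ChangeLog entry for this commit describes. A frame-ancestors report test whose embedder is served from a different host than the framed page is what would actually catch a regression here; make sure such a test exists in this change and that its -expected.txt asserts on HTTP_HOST as well, otherwise these echo lines are noise in the XSS Auditor expectations.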
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorreportscripttagreplacestateexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -8,6 +8,7 @@
</span><span class="cx"> --------
</span><span class="cx"> CSP report received:
</span><span class="cx"> CONTENT_TYPE: application/json
</span><ins>+HTTP_HOST: 127.0.0.1:8000
</ins><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><span class="cx"> === POST DATA ===
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/Source/WebCore/ChangeLog        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -1,5 +1,23 @@
</span><span class="cx"> 2016-09-22 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
+ https://bugs.webkit.org/show_bug.cgi?id=162079
+ <rdar://problem/28321575>
+
+ Reviewed by Andy Estes.
+
+ Fixes an issue where a CSP violation report may be sent to the wrong domain when the
+ frame-ancestors directive is violated. In particular, when the frame-ancestors directive
+ is violated for a page that specifies a report URI that is a relative URL then the
+ report URI would be resolved with respect to the parent frame's document URL and hence
+ be sent to the domain of the parent frame's document.
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportViolation): Adjust the report URL with respect
+ to the blocked URL when we do not have a script execution context.
+
+2016-09-22 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> [XSS Auditor] HTML5 entities can bypass XSS Auditor
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=161939
</span><span class="cx"> <rdar://problem/25819815>
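Review bot: the description of the ContentSecurityPolicy.cpp change does not match the condition the code actually uses: the entry says the report URL is resolved against the blocked URL "when we do not have a script execution context", but the code branches on `is<Document>(m_scriptExecutionContext)`, which also takes the new path for a non-null context that is not a Document (a worker, for example). Either state the condition as "when the script execution context is not a Document" or narrow the code to the null-context case this text describes. The entry also has no "Test:" line naming the frame-ancestors report test that covers the fix, which is the usual way a WebCore ChangeLog points at its regression test.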
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (206277 => 206278)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-09-22 21:34:12 UTC (rev 206277)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-09-22 21:39:29 UTC (rev 206278)
</span><span class="lines">@@ -658,7 +658,7 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
</span><span class="cx"> for (const auto& url : reportURIs)
</span><del>- PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
</del><ins>+ PingLoader::sendViolationReport(*frame, is<Document>(m_scriptExecutionContext) ? document.completeURL(url) : document.completeURL(url, blockedURL), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
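Review bot: the new else branch is broader than the bug it fixes: `is<Document>(m_scriptExecutionContext)` is false for every non-Document context, not only for the frame-ancestors path where, per the ChangeLog, there is no context at all, and the parameter name suggests that in the other callers of reportViolation `blockedURL` is the resource that was blocked rather than the document the policy protects. If this function ever runs for a worker-scoped policy with a relative report-uri, the report would then be resolved against the blocked resource's origin, which is the same class of misdirected report this change is meant to remove, only now pointed at whoever controls the blocked URL. Consider keying the choice of base URL on `!m_scriptExecutionContext` (or on the frame-ancestors call site) rather than on the context type, and add a comment on the `PingLoader::sendViolationReport(...)` line stating why blockedURL is a valid base in that path, namely that for frame-ancestors it is the protected document's own URL.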
</span></span></pre>
</div>
</div>
</body>
</html>