<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[210189] releases/WebKitGTK/webkit-2.14</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/210189">210189</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-12-28 01:35:51 -0800 (Wed, 28 Dec 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/206809">r206809</a> - Do not follow redirects when sending violation report
https://bugs.webkit.org/show_bug.cgi?id=162520
&lt;rdar://problem/27957639&gt;
Reviewed by Alex Christensen.
Source/WebCore:
Do not follow redirects when sending a Content Security Policy or XSS Auditor violation report
as redirects can be used to forward report details to a third-party.
This change makes WebKit more closely conform to the reporting requirements in section Reporting
of the Content Security Level 2 standard: &lt;https://w3c.github.io/webappsec-csp/2/#violation-reports&gt;
(Editor's Draft, 25 April 2016).
Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
* loader/LoaderStrategy.h: Modified createPingHandle() to take a boolean, shouldFollowRedirects,
whether to follow redirect responses for a ping request.
* loader/PingLoader.cpp:
(WebCore::PingLoader::loadImage): Pass ShouldFollowRedirects::Yes to PingLoader::startPingLoad to
keep our current behavior.
(WebCore::PingLoader::sendPing): Ditto. Note our current behavior of following redirects matches
the behavior described in the section "Hyperlink auditing" of the HTML standard:
&lt;https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing&gt; (23 September 2016).
(WebCore::PingLoader::sendViolationReport): Pass ShouldFollowRedirects::No to PingLoader::startPingLoad
so that we do not follow redirects when sending a violation report.
(WebCore::PingLoader::startPingLoad): Modified to take argument shouldFollowRedirects whether to
follow redirect responses for a ping request.
* loader/PingLoader.h:
* platform/network/PingHandle.h: Add boolean m_shouldFollowRedirects. I grouped this boolean with
the existing boolean, m_shouldUseCredentialStorage, as opposed to appending to the end of the class
definition to avoid increasing object size as clang will coalesce the two bools into a single
machine word. Override ResourceHandleClient::willSendRequest() and ResourceHandleClient::willSendRequestAsync()
to follow a redirect, if applicable.
Source/WebKit:
Update implementation of legacy WebKit loader strategy to pass through a boolean,
shouldFollowRedirects, to PingHandle as to whether to follow redirect responses
for a ping request.
* WebCoreSupport/WebResourceLoadScheduler.cpp:
(WebResourceLoadScheduler::createPingHandle):
* WebCoreSupport/WebResourceLoadScheduler.h:
Source/WebKit2:
Update the non-Network Session WebKit2 implementation to follow redirect responses for a ping
request, if applicable. I did not update the Network Session implementation at this time. I
will fix it in &lt;https://bugs.webkit.org/show_bug.cgi?id=162580&gt;.
* NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::loadPing): Tell PingHandle whether to follow redirects.
* NetworkProcess/NetworkLoadParameters.h:
* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode): Encode NetworkResourceLoadParameters::shouldFollowRedirects.
(WebKit::NetworkResourceLoadParameters::decode): Decode NetworkResourceLoadParameters::shouldFollowRedirects.
* NetworkProcess/PingLoad.h: Added FIXME comment to implement support for following redirects,
if applicable (for hyperlink auditing). See &lt;https://bugs.webkit.org/show_bug.cgi?id=162580&gt;
for more details.
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::createPingHandle): Modified to take a boolean whether to follow
redirect responses and set NetworkResourceLoadParameters::shouldFollowRedirects as appropriate.
* WebProcess/Network/WebLoaderStrategy.h:
LayoutTests:
Add tests for Content Security Policy and XSS Auditor to ensure that we do not follow redirects
when sending a violation report. Modified http/tests/security/contentSecurityPolicy/resources/save-report.php
to save the URL of the original ping request and conditionally clear cookies. Modified
http/tests/security/xssAuditor/resources/echo-intertag.pl to support testing for the XSS Auditor.
With these changes, together with the existing HTTP Host information that is saved with the report, we can detect
if a redirect occurred when saving a report.
Updated expected results of existing tests now that we emit the URL of the ping request in the saved report.
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php: Added.
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
* http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php: Added.
* http/tests/security/contentSecurityPolicy/resources/save-report.php:
* http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
* http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html: Added.
* http/tests/security/xssAuditor/report-script-tag-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
* http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html: Added.
* http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
* http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
* http/tests/security/xssAuditor/resources/echo-intertag.pl:</pre>
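<p>The redirect policy described in the log message above, as an added example that is not part of the commit or of WebKit's code: a small Python model with an in-memory network, showing which hosts receive a report body under each ping kind and how saving the request URL and Host exposes a followed redirect. The URLs, the report body, and the names FakeNetwork, send_ping, hosts_that_received and redirect_was_followed are assumptions made for the illustration.</p>

```python
# Added example (not WebKit code): a model of the per-kind redirect policy for ping loads.
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urljoin, urlsplit


class PingKind(Enum):
    IMAGE = "image"
    HYPERLINK_AUDIT = "hyperlink-audit"
    VIOLATION_REPORT = "violation-report"


# Mirrors the log message: loadImage and sendPing keep following redirects,
# sendViolationReport does not.
SHOULD_FOLLOW_REDIRECTS = {
    PingKind.IMAGE: True,
    PingKind.HYPERLINK_AUDIT: True,
    PingKind.VIOLATION_REPORT: False,
}

BODY_PRESERVING = (307, 308)     # method and body are re-sent to the new URL
BODY_DROPPING = (301, 302, 303)  # a POST is retried as a body-less GET


@dataclass
class Response:
    status: int
    location: str = ""


@dataclass
class FakeNetwork:
    """In-memory stand-in for HTTP servers (constructed, no sockets)."""
    routes: dict
    saved: list = field(default_factory=list)

    def send(self, url, body):
        # Record request URL and Host for every request, the two values the
        # log message says the tests use to detect a redirect.
        self.saved.append({"url": url, "host": urlsplit(url).netloc, "body": body})
        return self.routes.get(url, Response(404))


def send_ping(net, kind, url, body, max_hops=5):
    """Send one ping and return the URLs that were actually contacted."""
    contacted = []
    for _ in range(max_hops):
        response = net.send(url, body)
        contacted.append(url)
        redirect = response.status in BODY_PRESERVING + BODY_DROPPING
        if not (redirect and response.location):
            break
        if not SHOULD_FOLLOW_REDIRECTS[kind]:
            break  # the decision the log message places in willSendRequest()
        if response.status in BODY_DROPPING:
            body = None
        url = urljoin(url, response.location)
    return contacted


def hosts_that_received(net, body):
    """Hosts that were handed this exact report body."""
    return sorted({entry["host"] for entry in net.saved if entry["body"] == body})


def redirect_was_followed(net, report_uri):
    """True if any saved request was addressed to something other than report_uri."""
    return any(entry["url"] != report_uri for entry in net.saved)


# Constructed sample data: a report endpoint that answers 307 to another host.
REPORT_URI = "http://site.example/save-report-and-redirect"
THIRD_PARTY = "http://third-party.example/save-report"
REPORT = '{"csp-report": {"document-uri": "http://site.example/account?id=42"}}'


def make_network(status=307):
    return FakeNetwork({REPORT_URI: Response(status, THIRD_PARTY),
                        THIRD_PARTY: Response(200)})


def run(kind, status=307):
    """Return (URLs contacted, hosts holding the report, redirect detected)."""
    net = make_network(status)
    contacted = send_ping(net, kind, REPORT_URI, REPORT)
    return contacted, hosts_that_received(net, REPORT), redirect_was_followed(net, REPORT_URI)


if __name__ == "__main__":
    for kind in PingKind:
        print(kind.value, run(kind))
```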
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptblockedsendsmultiplereportsexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicy2expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagreplacestateexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorresourcesechointertagpl">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreloaderLoaderStrategyh">releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/LoaderStrategy.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreloaderPingLoadercpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreloaderPingLoaderh">releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreplatformnetworkPingHandleh">releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/network/PingHandle.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKitChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebKit/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKitWebCoreSupportWebResourceLoadSchedulercpp">releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKitWebCoreSupportWebResourceLoadSchedulerh">releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2ChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkConnectionToWebProcesscpp">releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkLoadParametersh">releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkResourceLoadParameterscpp">releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessPingLoadh">releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/PingLoad.h</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2WebProcessNetworkWebLoaderStrategycpp">releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebKit2WebProcessNetworkWebLoaderStrategyh">releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedurianddonotfollowredirectwhensendingreportexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedurianddonotfollowredirectwhensendingreportphp">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportandredirecttosavereportphp">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttaganddonotfollowredirectwhensendingreportexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttaganddonotfollowredirectwhensendingreporthtml">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockanddonotfollowredirectwhensendingreportexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockanddonotfollowredirectwhensendingreporthtml">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -1,3 +1,71 @@
</span><ins>+2016-10-05 Daniel Bates <dabates@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Add tests for Content Security Policy and XSS Auditor to ensure that we do not follow redirects
+ when sending a violation report. Modified http/tests/security/contentSecurityPolicy/resources/save-report.php
+ to save the URL of the original ping request and conditionally clear cookies. Modified
+ http/tests/security/xssAuditor/resources/echo-intertag.pl to support testing for the XSS Auditor.
+ These changes together with the existing HTTP Host information that is saved with the report we can detect
+ if a redirect occurred when saving a report.
+
+ Updated expected results of existing tests now that we emit the URL of the ping request in the saved report.
+
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt:
+ * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+ * http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+ * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html: Added.
+ * http/tests/security/xssAuditor/report-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt: Added.
+ * http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html: Added.
+ * http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt:
+ * http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt:
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+
</ins><span class="cx"> 2016-09-22 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><span class="cx"> [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
</span></span></pre></div>
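Review bot: The per-file entries for http/tests/security/contentSecurityPolicy/resources/save-report.php and http/tests/security/xssAuditor/resources/echo-intertag.pl are left empty, although the summary paragraph says both gained new behaviour. Please move that detail onto the per-file lines and state under what condition save-report.php clears cookies, since "conditionally clear cookies" does not say. The sentence beginning "These changes together with the existing HTTP Host information" also needs a leading "With" to parse.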
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_HOST: localhost:8000
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL"
;,"status-code":0}}
</span></span></pre></div>
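Review bot: The test= value in the added REQUEST_URI line is /security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html, but this baseline belongs to the test under 1.1/frame-ancestors/. The same value appears in the report-uri inside original-policy, so the mismatch is not new, but now that the request URI is pinned in the expected output it is worth correcting the key in the test so the recorded URI names a real path.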
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorscrossoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_HOST: localhost:8443
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL&qu
ot;,"status-code":0}}
</span></span></pre></div>
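Review bot: The added REQUEST_URI line is identical to the one in report-frame-ancestors-cross-origin-expected.txt, so the http and https variants send their reports with the same test= key and only HTTP_HOST (localhost:8443 here) tells the two baselines apart. The visible lines do not show how save-report.php uses that key; if it names the saved report, consider giving the https variant its own key so that a report left by one test cannot be picked up by the other.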
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL",&
quot;status-code":0}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11frameancestorsreportframeancestorssameoriginhttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> CONTENT_TYPE: application/csp-report
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8443
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL"
,"status-code":0}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11reporturieffectivedirectiveexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php","referrer":"","violated-directive":"default-src 'self'","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
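Review bot: The added REQUEST_URI line has no query string, unlike the other baselines shown here, which carry a test= key; the report-uri in original-policy is ../resources/save-report.php with nothing appended. Please add an explicit test= key to this test, or note in the ChangeLog how save-report.php identifies the saved report when the key is absent.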
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptblockedsendsmultiplereportsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,6 +11,7 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=script-blocked-sends-multiple-reports-report-only
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php","referrer":"","violated-directive":"script-src http://example.com 'unsafe-inline'","effective-directive":"script-src","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.php?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000","status-code":200}}
</span><span class="cx">
</span><span class="lines">@@ -22,6 +23,7 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=script-blocked-sends-multiple-reports-enforced-1
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php","referrer":"","violated-directive":"script-src http://127.0.0.1:8000 'unsafe-inline'","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.php?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000","status-code":200}}
</span><span class="cx">
</span><span class="lines">@@ -33,5 +35,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=script-blocked-sends-multiple-reports-enforced-2
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.php","referrer":"","violated-directive":"script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'","effective-directive":"script-src","original-policy":" script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.php?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000","status-code":200}}
</span></span></pre></div>
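Review bot: In all three hunks of this file the test= key in the added REQUEST_URI line is a short label (script-blocked-sends-multiple-reports-report-only, -enforced-1, -enforced-2), while the other baselines shown here use the test's path as the key. HTTP_HOST and HTTP_REFERER are the same for the three reports, so REQUEST_URI is now the only header that distinguishes them; a comment in the test explaining the label scheme would help whoever rebaselines it.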
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashallowedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -13,5 +13,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -13,5 +13,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -12,5 +12,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scripthashblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -12,5 +12,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","referrer":"","violated-directive":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -14,5 +14,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandallowedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -14,5 +14,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-allowed-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -12,5 +12,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","referrer":"","violated-directive":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedbylegacyenforcedpolicyandblockedbyreportpolicy2expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -12,5 +12,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.php","referrer":"","violated-directive":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.php?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
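Review bot: in the added REQUEST_URI line the ?test= value names scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.php, while HTTP_REFERER and document-uri in this same expectation belong to ...-blocked-by-report-policy2.php. The new line agrees with the report-uri shown in original-policy, so the mismatch comes from the test page rather than from this change: policy2.php reports under its sibling's name, whereas the scripthash policy2 expectation uses its own name. If save-report.php keys the stored report on that parameter, the two scriptnonce tests can pick up each other's report. Suggest correcting the report-uri in policy2.php and regenerating this expectation instead of recording the mismatch as expected output.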
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportandenforceexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -6,5 +6,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeddatauriexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-data-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"data","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedfileuriexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.php","line-number":9,"column-number":26}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedurianddonotfollowredirectwhensendingreportexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: [Report Only] Refused to load http://127.0.0.1:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8000
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php
+=== POST DATA ===
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockedurianddonotfollowredirectwhensendingreportphp"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+<?php
+header("Content-Security-Policy-Report-Only: img-src 'none'; report-uri resources/save-report-and-redirect-to-save-report.php");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<img src="../resources/abe.png"> <!-- Trigger CSP violation -->
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigateToReport()
+{
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+}
+
+// We assume that if redirects were followed when saving the report that they will complete within one second.
+// FIXME: Is there are better way to test that a redirect did not occur?
+window.setTimeout(navigateToReport, 1000);
+</script>
+</body>
+</html>
</ins></span></pre></div>
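Review bot: the pass condition depends on the 1000 ms timer in front of navigateToReport(). If a followed redirect completes after that window, the dump still shows save-report-and-redirect-to-save-report.php in REQUEST_URI and the test passes with the regression present; on a slow bot this is a false pass, not a flaky failure, so nobody would notice. The FIXME already concedes the weakness. Consider a deterministic signal, for example having the redirect target record that it was requested and having echo-report.php print that marker, so the check does not rest on elapsed time. Minor: the FIXME reads "Is there are better way" and should read "Is there a better way".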
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduricrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://localhost:8080","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportblockeduriexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-uri.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: localhost:8080
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> HTTP_HOST: localhost:8080
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportcrossoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> HTTP_HOST: localhost:8080
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -5,5 +5,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyfromheaderexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -5,5 +5,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -6,5 +6,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginnocookieswhenprivatebrowsingtoggledexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -3,5 +3,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -5,5 +5,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportsameoriginwithcookieswhenprivatebrowsingenabledexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreportstatuscodezerowhenusinghttpsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8443
</span><span class="cx"> HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"","status-code":0}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturiexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifromchildframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -9,5 +9,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.php?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifrominlinejavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-inline-javascript.php","line-number":7,"column-number":10}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturifromjavascriptexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-javascript.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js","line-number":3,"column-number":2}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyreporturischemerelativeexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8080
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.php","referrer":"","violated-directive":"script-src 'self'","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"","status-code":200}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportandredirecttosavereportphp"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<?php
+require_once "report-file-path.php";
+
+$DO_NOT_CLEAR_COOKIES = true; // Used by save-report.php
+require_once "save-report.php";
+
+header("HTTP/1.1 307");
+header("Location: save-report.php" . (isset($_SERVER["QUERY_STRING"]) ? "?" . $_SERVER["QUERY_STRING"] : ""));
+?>
</ins></span></pre></div>
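Review bot: on the Location line, isset($_SERVER["QUERY_STRING"]) is also true when the query string is empty, so a request without parameters redirects to "save-report.php?"; !empty($_SERVER["QUERY_STRING"]) avoids the dangling "?". The raw query string is copied into a response header without validation, which is tolerable only because this is a test resource, and a comment should say so. header("HTTP/1.1 307") hard-codes the protocol version and omits the reason phrase; passing 307 as the third argument of the Location header() call sets the status in one step. The comment on $DO_NOT_CLEAR_COOKIES says who reads the variable but not why cookies must survive this request, and that reason is what the next reader needs.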
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecuritycontentSecurityPolicyresourcessavereportphp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,17 +11,20 @@
</span><span class="cx"> $httpHeaders = $_SERVER;
</span><span class="cx"> ksort($httpHeaders, SORT_STRING);
</span><span class="cx"> foreach ($httpHeaders as $name => $value) {
</span><del>- if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE" || $name === "HTTP_HOST") {
</del><ins>+ if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE"
+ || $name === "HTTP_HOST" || $name === "REQUEST_URI") {
</ins><span class="cx"> $value = undoMagicQuotes($value);
</span><span class="cx"> fwrite($reportFile, "$name: $value\n");
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-foreach ($_COOKIE as $name => $value)
- setcookie($name, "deleted", time() - 60, "/");
-
</del><span class="cx"> fwrite($reportFile, "=== POST DATA ===\n");
</span><span class="cx"> fwrite($reportFile, file_get_contents("php://input"));
</span><span class="cx"> fclose($reportFile);
</span><span class="cx"> rename($reportFilePath . ".tmp", $reportFilePath);
</span><ins>+
+if (!isset($DO_NOT_CLEAR_COOKIES) || !$DO_NOT_CLEAR_COOKIES) {
+ foreach ($_COOKIE as $name => $value)
+ setcookie($name, "deleted", time() - 60, "/");
+}
</ins><span class="cx"> ?>
</span></span></pre></div>
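Review bot: the new guard at the end of the file relies on a global that the including script has to define before its require_once, and nothing in save-report.php documents that contract. Please describe $DO_NOT_CLEAR_COOKIES at the top of this file and write the test as empty($DO_NOT_CLEAR_COOKIES), which covers both the unset and the false case. The cookie clearing has also moved after fclose() and rename(); setcookie() only works while no output has been sent, so a short comment that nothing above may echo would keep a later edit from silently breaking it. The inner foreach would read better with braces now that it is nested inside the if.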
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttaganddonotfollowredirectwhensendingreportexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA ===
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
</ins></span></pre></div>
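Review bot: the second line of this new expectation reads "CSP report received:" although the POST data under it is an "xss-report" produced by the XSS Auditor. Wherever that heading is emitted, a neutral "Report received:" would stop readers of a failing diff from looking for a Content Security Policy violation. The REQUEST_URI line is the only line here that carries the pass condition, so it deserves a mention in the ChangeLog entry for this test.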
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttaganddonotfollowredirectwhensendingreporthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/utilities.js"></script>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+ function navigateToReport() {
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+ }
+ // We assume that if redirects were followed when saving the report that they will complete within one second.
+ // FIXME: Is there are better way to test that a redirect did not occur?
+ window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" name="frame" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html&enable-report-with-redirect=1&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))</script><p>If you see this message, no JavaScript alert(), and a dump of the report below, then the test PASSED.</p>" onload="done()">
+</iframe>
+</body>
+</html>
</ins></span></pre></div>
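Review bot: the one-second window.setTimeout in done() makes this test fail open. If the engine did follow the 307 but the second POST landed after the report was dumped, REQUEST_URI would still name save-report-and-redirect-to-save-report.php and the test would pass on a slow bot. The FIXME admits the weakness; at minimum name the delay as a constant and explain the risk of a false pass next to it, and preferably have the redirect target leave evidence that can be checked for absence. The FIXME itself has a typo: "Is there are better way" should read "Is there a better way". The page also states two pass criteria, one in the body paragraph (filename of REQUEST_URI) and one in the q= payload of the iframe (message shown, no alert, report dumped); the payload text should point at the REQUEST_URI check too.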
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag.html&echo-report=1&enable-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockanddonotfollowredirectwhensendingreportexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_HOST: 127.0.0.1:8000
+HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+=== POST DATA ===
+{"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockanddonotfollowredirectwhensendingreporthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html (0 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html         (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/utilities.js"></script>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+
+function done()
+{
+ function navigateToReport() {
+ window.location = "/security/contentSecurityPolicy/resources/echo-report.php";
+ }
+ // We assume that if redirects were followed when saving the report that they will complete within one second.
+ // FIXME: Is there are better way to test that a redirect did not occur?
+ window.setTimeout(navigateToReport, 1000);
+}
+</script>
+</head>
+<body>
+<p>This tests that a redirect is not followed when sending an X-XSS-Protection report. This test PASSED if the filename of the REQUEST_URI in the dumped report is save-report-and-redirect-to-save-report.php. Otherwise, it FAILED.</p>
+<iframe id="frame" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html&enable-full-block-report-with-redirect=1&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))</script><p>If you see this message, no JavaScript alert(), and a dump of the report below, then the test PASSED.</p>" onload="done()">
+</iframe>
+</body>
+</html>
</ins></span></pre></div>
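Review bot: done() and navigateToReport() in this file are a line-for-line copy of the ones added in report-script-tag-and-do-not-follow-redirect-when-sending-report.html, including the same one-second assumption and FIXME. Both files already load resources/utilities.js, so the helper belongs there, with the delay defined once. The iframe here also drops the name="frame" attribute that the sibling test sets; unless the difference is intentional, keep the two consistent so the only variation between the tests is the enable-full-block-report-with-redirect flag.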
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagfullblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-full-block-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -4,5 +4,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-full-block.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-full-block.html&enable-full-block-report=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorreportscripttagreplacestateexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/report-script-tag-replace-state-expected.txt        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -11,5 +11,6 @@
</span><span class="cx"> HTTP_HOST: 127.0.0.1:8000
</span><span class="cx"> HTTP_REFERER: http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E
</span><span class="cx"> REQUEST_METHOD: POST
</span><ins>+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/xssAuditor/report-script-tag-replace-state.html
</ins><span class="cx"> === POST DATA ===
</span><span class="cx"> {"xss-report":{"request-url":"http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/report-script-tag-replace-state.html&test=report-script-tag.html&echo-report=1&enable-report=1&replaceState=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message,%20no%20JavaScript%20alert(),%20and%20a%20dump%20of%20the%20report%20below,%20then%20the%20test%20PASSED.%3C/p%3E","request-body":""}}
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorresourcesechointertagpl"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -19,7 +19,14 @@
</span><span class="cx"> if ($cgi->param('enable-full-block-report')) {
</span><span class="cx"> print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report.php?test=" . $cgi->param('test') . "\n";
</span><span class="cx"> }
</span><ins>+if ($cgi->param('enable-report-with-redirect')) {
+ print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
+if ($cgi->param('enable-full-block-report-with-redirect')) {
+ print "X-XSS-Protection: 1; mode=block; report=/security/contentSecurityPolicy/resources/save-report-and-redirect-to-save-report.php?test=" . $cgi->param('test') . "\n";
+}
</ins><span class="cx">
</span><ins>+
</ins><span class="cx"> if ($cgi->param('valid-header')) {
</span><span class="cx"> if ($cgi->param('valid-header') == 1) {
</span><span class="cx"> print "X-XSS-Protection: 1 ;MoDe = bLocK \n";
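Review bot: both added branches interpolate $cgi->param('test') straight into the X-XSS-Protection header line, so a test value containing a CR or LF would add extra response headers. This copies the existing enable-full-block-report branch, but rather than adding two more copies of the same print, build the header in one helper that checks the value against a path pattern first. The hunk also adds a second blank line before the valid-header check, which can be dropped.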
</span><span class="lines">@@ -128,7 +135,7 @@
</span><span class="cx"> print " testRunner.notifyDone();\n";
</span><span class="cx"> print "</script>\n";
</span><span class="cx"> }
</span><del>-if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report')) {
</del><ins>+if ($cgi->param('enable-full-block') || $cgi->param('enable-full-block-report') || $cgi->param('enable-full-block-report-with-redirect')) {
</ins><span class="cx"> print "<p>If you see this message then the test FAILED.</p>\n";
</span><span class="cx"> }
</span><span class="cx"> if ($cgi->param('alert-cookie')) {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -1,3 +1,41 @@
</span><ins>+2016-10-05 Daniel Bates <dabates@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Do not follow redirects when sending a Content Security Policy or XSS Auditor violation report
+ as redirects can be used to forward report details to a third-party.
+
+ This changes makes WebKit more closely conform to the reporting requirements in section Reporting
+ of the Content Security Level 2 standard: <https://w3c.github.io/webappsec-csp/2/#violation-reports>
+ (Editor's Draft, 25 April 2016).
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-and-do-not-follow-redirect-when-sending-report.php
+ http/tests/security/xssAuditor/report-script-tag-and-do-not-follow-redirect-when-sending-report.html
+ http/tests/security/xssAuditor/report-script-tag-full-block-and-do-not-follow-redirect-when-sending-report.html
+
+ * loader/LoaderStrategy.h: Modified createPingHandle() to take a boolean, shouldFollowRedirects,
+ whether to follow redirect responses for a ping request.
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::loadImage): Pass ShouldFollowRedirects::Yes to PingLoader::startPingLoad to
+ keep our current behavior.
+ (WebCore::PingLoader::sendPing): Ditto. Note our current behavior of following redirects matches
+ the behavior described in the section "Hyperlink auditing" of the HTML standard:
+ <https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing> (23 September 2016).
+ (WebCore::PingLoader::sendViolationReport): Pass ShouldFollowRedirects::No to PingLoader::startPingLoad
+ so that we do not follow redirects when sending a violation report.
+ (WebCore::PingLoader::startPingLoad): Modified to take argument shouldFollowRedirects whether to
+ follow redirect responses for a ping request.
+ * loader/PingLoader.h:
+ * platform/network/PingHandle.h: Add boolean m_shouldFollowRedirects. I grouped this boolean with
+ the existing boolean, m_shouldUseCredentialStorage, as opposed to appending to the end of the class
+ definition to avoid increasing object size as clang will coalesces the two bools into a single
+ machine word. Override ResourceHandleClient::willSendRequest() and ResourceHandleClient::willSendRequestAsync()
+ to follow a redirect, if applicable.
+
</ins><span class="cx"> 2016-09-22 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><span class="cx"> [CSP] Violation report may be sent to wrong domain on frame-ancestors violation
</span></span></pre></div>
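Review bot: wording nits in the new entry: "This changes makes" should read "This change makes", "clang will coalesces" should read "clang will coalesce", and "Content Security Level 2 standard" presumably means Content Security Policy Level 2, going by the linked webappsec-csp URL. The PingHandle.h item says the overrides exist "to follow a redirect, if applicable"; stating that they cancel the load when shouldFollowRedirects is false would describe the case this change is actually about.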
<a id="releasesWebKitGTKwebkit214SourceWebCoreloaderLoaderStrategyh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/LoaderStrategy.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/LoaderStrategy.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/LoaderStrategy.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx"> virtual void suspendPendingRequests() = 0;
</span><span class="cx"> virtual void resumePendingRequests() = 0;
</span><span class="cx">
</span><del>- virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage) = 0;
</del><ins>+ virtual void createPingHandle(NetworkingContext*, ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) = 0;
</ins><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> virtual ~LoaderStrategy();
</span></span></pre></div>
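Review bot: createPingHandle() now takes two adjacent bool parameters, shouldUseCredentialStorage and shouldFollowRedirects, so a call site that transposes them compiles cleanly and silently flips the redirect policy for violation reports. PingLoader.h in this same change introduces enum class ShouldFollowRedirects { No, Yes }; carrying a typed enum through this interface and into PingHandle, instead of converting to bool at the call, would let the compiler catch that mistake.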
<a id="releasesWebKitGTKwebkit214SourceWebCoreloaderPingLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.cpp (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.cpp        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.cpp        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -93,7 +93,7 @@
</span><span class="cx"> request.setHTTPReferrer(referrer);
</span><span class="cx"> frame.loader().addExtraFieldsToSubresourceRequest(request);
</span><span class="cx">
</span><del>- startPingLoad(frame, request);
</del><ins>+ startPingLoad(frame, request, ShouldFollowRedirects::Yes);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#hyperlink-auditing
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- startPingLoad(frame, request);
</del><ins>+ startPingLoad(frame, request, ShouldFollowRedirects::Yes);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void PingLoader::sendViolationReport(Frame& frame, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType reportType)
</span><span class="lines">@@ -176,10 +176,10 @@
</span><span class="cx"> if (!referrer.isEmpty())
</span><span class="cx"> request.setHTTPReferrer(referrer);
</span><span class="cx">
</span><del>- startPingLoad(frame, request);
</del><ins>+ startPingLoad(frame, request, ShouldFollowRedirects::No);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request)
</del><ins>+void PingLoader::startPingLoad(Frame& frame, ResourceRequest& request, ShouldFollowRedirects shouldFollowRedirects)
</ins><span class="cx"> {
</span><span class="cx"> unsigned long identifier = frame.page()->progress().createUniqueIdentifier();
</span><span class="cx"> // FIXME: Why activeDocumentLoader? I would have expected documentLoader().
</span><span class="lines">@@ -191,7 +191,7 @@
</span><span class="cx">
</span><span class="cx"> InspectorInstrumentation::continueAfterPingLoader(frame, identifier, frame.loader().activeDocumentLoader(), request, ResourceResponse());
</span><span class="cx">
</span><del>- platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage);
</del><ins>+ platformStrategies()->loaderStrategy()->createPingHandle(frame.loader().networkingContext(), request, shouldUseCredentialStorage, shouldFollowRedirects == ShouldFollowRedirects::Yes);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreloaderPingLoaderh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/loader/PingLoader.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -53,7 +53,8 @@
</span><span class="cx"> static void sendViolationReport(Frame&, const URL& reportURL, RefPtr<FormData>&& report, ViolationReportType);
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- static void startPingLoad(Frame&, ResourceRequest&);
</del><ins>+ enum class ShouldFollowRedirects { No, Yes };
+ static void startPingLoad(Frame&, ResourceRequest&, ShouldFollowRedirects);
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreplatformnetworkPingHandleh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/network/PingHandle.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/network/PingHandle.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/network/PingHandle.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -43,9 +43,10 @@
</span><span class="cx"> No,
</span><span class="cx"> };
</span><span class="cx">
</span><del>- PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks)
</del><ins>+ PingHandle(NetworkingContext* networkingContext, const ResourceRequest& request, bool shouldUseCredentialStorage, UsesAsyncCallbacks useAsyncCallbacks, bool shouldFollowRedirects)
</ins><span class="cx"> : m_timeoutTimer(*this, &PingHandle::timeoutTimerFired)
</span><span class="cx"> , m_shouldUseCredentialStorage(shouldUseCredentialStorage)
</span><ins>+ , m_shouldFollowRedirects(shouldFollowRedirects)
</ins><span class="cx"> , m_usesAsyncCallbacks(useAsyncCallbacks)
</span><span class="cx"> {
</span><span class="cx"> m_handle = ResourceHandle::create(networkingContext, request, this, false, false);
</span><span class="lines">@@ -56,6 +57,18 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> private:
</span><ins>+ ResourceRequest willSendRequest(ResourceHandle*, ResourceRequest&& request, ResourceResponse&&) final
+ {
+ return m_shouldFollowRedirects ? request : ResourceRequest();
+ }
+ void willSendRequestAsync(ResourceHandle* handle, ResourceRequest&& request, ResourceResponse&&) final
+ {
+ if (m_shouldFollowRedirects) {
+ handle->continueWillSendRequest(WTFMove(request));
+ return;
+ }
+ delete this;
+ }
</ins><span class="cx"> void didReceiveResponse(ResourceHandle*, ResourceResponse&&) override { delete this; }
</span><span class="cx"> void didReceiveBuffer(ResourceHandle*, Ref<SharedBuffer>&&, int) override { delete this; };
</span><span class="cx"> void didFinishLoading(ResourceHandle*, double) override { delete this; }
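Review bot: the two redirect overrides end the load differently when m_shouldFollowRedirects is false: willSendRequest() returns an empty ResourceRequest and leaves the PingHandle alive, while willSendRequestAsync() runs delete this without calling handle->continueWillSendRequest(). Please add a comment saying which later callback (or the timeout timer) frees the object on the synchronous path, and why the asynchronous path does not need to hand an empty request back to the handle; this class manages its own lifetime, so a missed or repeated delete here is a leak or a use-after-free. Minor: the synchronous path returns request by copy although it arrives as an rvalue reference; WTFMove(request), as the async path uses, would avoid that.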
</span><span class="lines">@@ -76,6 +89,7 @@
</span><span class="cx"> RefPtr<ResourceHandle> m_handle;
</span><span class="cx"> Timer m_timeoutTimer;
</span><span class="cx"> bool m_shouldUseCredentialStorage;
</span><ins>+ bool m_shouldFollowRedirects;
</ins><span class="cx"> UsesAsyncCallbacks m_usesAsyncCallbacks;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit/ChangeLog (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit/ChangeLog        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit/ChangeLog        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2016-10-05 Daniel Bates <dabates@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Update implementation of legacy WebKit loader strategy to pass through a boolean,
+ shouldFollowRedirects, to PingHandle as to whether to follow redirect responses
+ for a ping request.
+
+ * WebCoreSupport/WebResourceLoadScheduler.cpp:
+ (WebResourceLoadScheduler::createPingHandle):
+ * WebCoreSupport/WebResourceLoadScheduler.h:
+
</ins><span class="cx"> 2016-08-25 Alex Christensen <achristensen@webkit.org>
</span><span class="cx">
</span><span class="cx"> CMake build fix.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKitWebCoreSupportWebResourceLoadSchedulercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.cpp        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -366,9 +366,9 @@
</span><span class="cx"> return m_requestsLoading.size() >= (webResourceLoadScheduler().isSerialLoadingEnabled() ? 1 : m_maxRequestsInFlight);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
</del><ins>+void WebResourceLoadScheduler::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
</ins><span class="cx"> {
</span><span class="cx"> // PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
</span><del>- new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No);
</del><ins>+ new PingHandle(networkingContext, request, shouldUseCredentialStorage, PingHandle::UsesAsyncCallbacks::No, shouldFollowRedirects);
</ins><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKitWebCoreSupportWebResourceLoadSchedulerh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit/WebCoreSupport/WebResourceLoadScheduler.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> void suspendPendingRequests() override;
</span><span class="cx"> void resumePendingRequests() override;
</span><span class="cx">
</span><del>- void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
</del><ins>+ void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
</ins><span class="cx">
</span><span class="cx"> bool isSerialLoadingEnabled() const { return m_isSerialLoadingEnabled; }
</span><span class="cx"> void setSerialLoadingEnabled(bool b) { m_isSerialLoadingEnabled = b; }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2016-10-05 Daniel Bates <dabates@apple.com>
+
+ Do not follow redirects when sending violation report
+ https://bugs.webkit.org/show_bug.cgi?id=162520
+ <rdar://problem/27957639>
+
+ Reviewed by Alex Christensen.
+
+ Update the non-Network Session WebKit2 implementation to follow redirect responses for a ping
+ request, if applicable. I did not update the Network Session implementation at this time. I
+ will fix it in <https://bugs.webkit.org/show_bug.cgi?id=162580>.
+
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::loadPing): Tell PingHandle whether to follow redirects.
+ * NetworkProcess/NetworkLoadParameters.h:
+ * NetworkProcess/NetworkResourceLoadParameters.cpp:
+ (WebKit::NetworkResourceLoadParameters::encode): Encode NetworkResourceLoadParameters::shouldFollowRedirects.
+ (WebKit::NetworkResourceLoadParameters::decode): Decode NetworkResourceLoadParameters::shouldFollowRedirects.
+ * NetworkProcess/PingLoad.h: Added FIXME comment to implement support for following redirects,
+ if applicable (for hyperlink auditing). See <https://bugs.webkit.org/show_bug.cgi?id=162580>
+ for more details.
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::WebLoaderStrategy::createPingHandle): Modified to take a boolean whether to follow
+ redirects responses and set NetworkResourceLoadParameters::shouldFollowRedirects as appropriate.
+ * WebProcess/Network/WebLoaderStrategy.h:
+
</ins><span class="cx"> 2016-09-19 Anders Carlsson <andersca@apple.com>
</span><span class="cx">
</span><span class="cx"> Suppress JavaScript prompts early on in certain cases
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkConnectionToWebProcesscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkConnectionToWebProcess.cpp        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -143,7 +143,7 @@
</span><span class="cx"> RefPtr<NetworkingContext> context = RemoteNetworkingContext::create(loadParameters.sessionID, loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect);
</span><span class="cx">
</span><span class="cx"> // PingHandle manages its own lifetime, deleting itself when its purpose has been fulfilled.
</span><del>- new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes);
</del><ins>+ new PingHandle(context.get(), loadParameters.request, loadParameters.allowStoredCredentials == AllowStoredCredentials, PingHandle::UsesAsyncCallbacks::Yes, loadParameters.shouldFollowRedirects);
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkLoadParametersh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkLoadParameters.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> WebCore::ContentSniffingPolicy contentSniffingPolicy { WebCore::SniffContent };
</span><span class="cx"> WebCore::StoredCredentials allowStoredCredentials { WebCore::DoNotAllowStoredCredentials };
</span><span class="cx"> WebCore::ClientCredentialPolicy clientCredentialPolicy { WebCore::ClientCredentialPolicy::CannotAskClientForCredentials };
</span><ins>+ bool shouldFollowRedirects { true };
</ins><span class="cx"> bool shouldClearReferrerOnHTTPSToHTTPRedirect { true };
</span><span class="cx"> bool defersLoading { false };
</span><span class="cx"> bool needsCertificateInfo { false };
</span></span></pre></div>
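Review bot: shouldFollowRedirects defaults to true, so any code that builds these parameters for a violation report and forgets to set the field will follow redirects, which is the behaviour this change is meant to stop. In the visible patch the field is written only in WebLoaderStrategy::createPingHandle() and read only in NetworkConnectionToWebProcess::loadPing(); a comment here stating that ping callers must set it explicitly, or a default that fails closed for ping loads, would make the safe choice the one you get by omission.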
<a id="releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessNetworkResourceLoadParameterscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/NetworkResourceLoadParameters.cpp        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -75,6 +75,7 @@
</span><span class="cx"> encoder.encodeEnum(contentSniffingPolicy);
</span><span class="cx"> encoder.encodeEnum(allowStoredCredentials);
</span><span class="cx"> encoder.encodeEnum(clientCredentialPolicy);
</span><ins>+ encoder << shouldFollowRedirects;
</ins><span class="cx"> encoder << shouldClearReferrerOnHTTPSToHTTPRedirect;
</span><span class="cx"> encoder << defersLoading;
</span><span class="cx"> encoder << needsCertificateInfo;
</span><span class="lines">@@ -130,6 +131,8 @@
</span><span class="cx"> return false;
</span><span class="cx"> if (!decoder.decodeEnum(result.clientCredentialPolicy))
</span><span class="cx"> return false;
</span><ins>+ if (!decoder.decode(result.shouldFollowRedirects))
+ return false;
</ins><span class="cx"> if (!decoder.decode(result.shouldClearReferrerOnHTTPSToHTTPRedirect))
</span><span class="cx"> return false;
</span><span class="cx"> if (!decoder.decode(result.defersLoading))
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2NetworkProcessPingLoadh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/PingLoad.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/PingLoad.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/NetworkProcess/PingLoad.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -50,6 +50,7 @@
</span><span class="cx"> private:
</span><span class="cx"> void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&& completionHandler) override
</span><span class="cx"> {
</span><ins>+ // FIXME: Follow redirects for hyperlink auditing. See <https://bugs.webkit.org/show_bug.cgi?id=162580>.
</ins><span class="cx"> completionHandler({ });
</span><span class="cx"> delete this;
</span><span class="cx"> }
</span></span></pre></div>
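Review bot: willPerformHTTPRedirection() still cancels every redirect with completionHandler({ }) and never consults shouldFollowRedirects, so the FIXME describes only the hyperlink-auditing gap. Extend the comment to say that the follow-up in bug 162580 must keep violation reports from following redirects, so that the later fix does not simply start following all of them on this path.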
<a id="releasesWebKitGTKwebkit214SourceWebKit2WebProcessNetworkWebLoaderStrategycpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -331,7 +331,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage)
</del><ins>+void WebLoaderStrategy::createPingHandle(NetworkingContext* networkingContext, ResourceRequest& request, bool shouldUseCredentialStorage, bool shouldFollowRedirects)
</ins><span class="cx"> {
</span><span class="cx"> // It's possible that call to createPingHandle might be made during initial empty Document creation before a NetworkingContext exists.
</span><span class="cx"> // It is not clear that we should send ping loads during that process anyways.
</span><span class="lines">@@ -347,6 +347,7 @@
</span><span class="cx"> loadParameters.request = request;
</span><span class="cx"> loadParameters.sessionID = webPage ? webPage->sessionID() : SessionID::defaultSessionID();
</span><span class="cx"> loadParameters.allowStoredCredentials = shouldUseCredentialStorage ? AllowStoredCredentials : DoNotAllowStoredCredentials;
</span><ins>+ loadParameters.shouldFollowRedirects = shouldFollowRedirects;
</ins><span class="cx"> loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = networkingContext->shouldClearReferrerOnHTTPSToHTTPRedirect();
</span><span class="cx">
</span><span class="cx"> WebProcess::singleton().networkConnection().connection().send(Messages::NetworkConnectionToWebProcess::LoadPing(loadParameters), 0);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebKit2WebProcessNetworkWebLoaderStrategyh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h (210188 => 210189)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h        2016-12-28 09:35:01 UTC (rev 210188)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.h        2016-12-28 09:35:51 UTC (rev 210189)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> void suspendPendingRequests() override;
</span><span class="cx"> void resumePendingRequests() override;
</span><span class="cx">
</span><del>- void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage) override;
</del><ins>+ void createPingHandle(WebCore::NetworkingContext*, WebCore::ResourceRequest&, bool shouldUseCredentialStorage, bool shouldFollowRedirects) override;
</ins><span class="cx">
</span><span class="cx"> WebResourceLoader* webResourceLoaderForIdentifier(ResourceLoadIdentifier identifier) const { return m_webResourceLoaders.get(identifier); }
</span><span class="cx"> RefPtr<WebCore::NetscapePlugInStreamLoader> schedulePluginStreamLoad(WebCore::Frame&, WebCore::NetscapePlugInStreamLoaderClient&, const WebCore::ResourceRequest&);
</span></span></pre>
</div>
</div>
</body>
</html>