[Webkit-unassigned] [Bug 61360] New: Content Security Policy reports should be reported with content-type application/json, should contain all required fields

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 24 06:17:23 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=61360

           Summary: Content Security Policy reports should be reported
                    with content-type application/json, should contain all
                    required fields
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jeffstewart at google.com
                CC: jeffstewart at google.com


Using MacOS nightly webkit build 87124, Content-Security-Policy violations are being reported with content-type application/x-www-form-urlencoded (and the payload is indeed form encoded).  The spec (http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri) says:

The violation report must be sent via an HTTP POST request whose body is comprised of a JSON object containing violation information, and the request must have a Content-Type of application/json.

On a related note, the report does not contain the blocked-uri field:

http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#violation-report-syntax

Shows that the following fields should be sent:

request: HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version
request-headers: HTTP request headers sent with the request for the protected resource whose policy was violated
blocked-uri: URI of the resource that was prevented from loading due to the policy violation
violated-directive: The policy directive that was violated
original-policy: The original policy as received by the user-agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma separated list of original policies.

To reproduce:

The python script at the end of this report will reproduce the problem.  Here's an example capture of a CSP report sent to that server (Cookie header elided, hostnames blacked out):

Host: XXXXXXXX.XXX.XXXX.XXXXXX.com:10000
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/535.1+ (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Content-Type: application/x-www-form-urlencoded
Referer: http://XXXXXXXX.XXX.XXXX.XXXXXX.com:10002/
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 107
Connection: keep-alive

document-url=http%3A%2F%2FXXXXXXXX.XXX.XXXX.XXXXXX.com%3A10000%2F&violated-directive=default-src+%27self%27

Here's a python script that can help reproduce the issue:

from BaseHTTPServer import BaseHTTPRequestHandler
import socket
import SocketServer
import sys

# The page's only subresource lives on another origin, so loading it violates
# default-src 'self' and makes the browser POST a report to report-uri.
DOCUMENT = """<html><head></head><body>Hi
<img src="http://some.other.server/does/not/exist.jpg"></body></html>"""
PORT = 10000

class MyHandler(BaseHTTPRequestHandler):
  def do_POST(self):
    # The browser POSTs the violation report here; dump headers and body.
    print self.headers
    length = int(self.headers['Content-Length'])
    payload = self.rfile.read(length)
    print payload
    self.send_response(200)
    self.end_headers()

  def do_GET(self):
    path = self.path.split('?', 1)[0]
    path = path.split('#', 1)[0]
    if path != '/':
      self.send_response(404)
      self.end_headers()
      return
    ctype = 'text/html'
    length = len(DOCUMENT)
    self.send_response(200)
    # This is supposed to be default-src rather than allow.
    # It will probably break sometime in the future.
    self.send_header('X-Content-Security-Policy-Report-Only',
                     'allow https: data:; '
                     'report-uri http://%s:%d/csp-report' % (
                         socket.gethostname(), PORT))
    # Report-Only is not in the Chrome canary build yet.
    self.send_header('X-WebKit-CSP', 'default-src \'self\'; '
                     'report-uri http://%s:%d/csp-report' % (
                         socket.gethostname(), PORT))
    self.send_header('Content-Type', ctype)
    self.send_header('Content-Length', str(length))
    self.end_headers()
    self.wfile.write(DOCUMENT)

def main(argv):
  global PORT
  if len(argv) > 1:
    PORT = int(argv[1])
  print 'Listening at http://%s:%d/' % (socket.gethostname(), PORT)
  # Allow an immediate restart without waiting for the old socket's TIME_WAIT.
  SocketServer.TCPServer.allow_reuse_address = True
  httpd = SocketServer.TCPServer(("", PORT), MyHandler)
  httpd.serve_forever()

if __name__ == '__main__':
  main(sys.argv)
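A report collector that accepts both the spec's application/json body and the form-encoded body this build sends, and lists which of the required fields quoted above are absent from a report. This is an added example in Python 3, not part of the bug report or of WebKit; the sample bodies and the example.test hostname are constructed, and the unwrapping of a "csp-report" wrapper member follows later spec drafts rather than the draft quoted here.

```python
import json
from urllib.parse import parse_qs

# Required fields per the violation-report-syntax section quoted in the report.
REQUIRED_FIELDS = ("request", "request-headers", "blocked-uri",
                   "violated-directive", "original-policy")

# Constructed sample: the form-encoded body the nightly build sends, modelled on
# the capture above (only document-url and violated-directive are present).
SAMPLE_FORM_BODY = ("document-url=http%3A%2F%2Fexample.test%3A10000%2F"
                    "&violated-directive=default-src+%27self%27")

# Constructed sample: a spec-conformant JSON report for the same violation.
SAMPLE_JSON_BODY = json.dumps({
    "request": "GET / HTTP/1.1",
    "request-headers": "Host: example.test:10000\r\nAccept: */*",
    "blocked-uri": "http://some.other.server/does/not/exist.jpg",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; "
                       "report-uri http://example.test:10000/csp-report",
})

# Constructed sample: the same report wrapped in a "csp-report" member, the
# shape later spec drafts use (assumption: not the draft quoted in the bug).
SAMPLE_WRAPPED_JSON_BODY = json.dumps({"csp-report": json.loads(SAMPLE_JSON_BODY)})


def parse_csp_report(content_type, body):
    """Decode a report body into a dict keyed by field name.

    Accepts the spec's application/json as well as the form-encoded body the
    bug describes, so a collector keeps working with either build.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    if media_type == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("CSP report must be a JSON object")
        # Unwrap a lone "csp-report" member if the sender uses that shape.
        if set(data) == {"csp-report"} and isinstance(data["csp-report"], dict):
            data = data["csp-report"]
        return {str(k): v for k, v in data.items()}
    if media_type == "application/x-www-form-urlencoded":
        # parse_qs yields lists; a report field should occur once, keep the first.
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    raise ValueError("unsupported CSP report content-type: %r" % content_type)


def missing_fields(report):
    """Return the spec-required field names absent from a parsed report, in spec order."""
    return [f for f in REQUIRED_FIELDS if f not in report]


def check_report(content_type, body):
    """Parse and validate a report; returns (parsed_report, missing_field_names)."""
    report = parse_csp_report(content_type, body)
    return report, missing_fields(report)


if __name__ == "__main__":
    for ctype, body in (("application/x-www-form-urlencoded", SAMPLE_FORM_BODY),
                        ("application/json", SAMPLE_JSON_BODY),
                        ("application/json", SAMPLE_WRAPPED_JSON_BODY)):
        report, missing = check_report(ctype, body)
        print(ctype, "fields:", sorted(report), "missing:", missing)
```

Run against the form-encoded capture, check_report lists request, request-headers, blocked-uri and original-policy as missing, which is exactly the gap the bug describes; the JSON samples come back with nothing missing.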
