[Webkit-unassigned] [Bug 115702] New: CSP: Suppress stored credentials when sending cross-origin violation reports.
bugzilla-daemon at webkit.org
Mon May 6 20:12:02 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=115702
Summary: CSP: Suppress stored credentials when sending cross-origin violation reports.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rniwa at webkit.org
CC: ap at webkit.org, beidson at apple.com
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/d2b1d6072cc7c5bf6de86cf3b834228e754b05b1
CSP: Suppress stored credentials when sending cross-origin violation reports.
The spec recently changed to mandate that cross-origin violation reports be POSTed
without cookies[1]. This patch changes PingLoader::PingLoader to accept a
StoredCredentials argument, and ensures that PingLoader::sendViolationReport sets
it correctly based on the origins of the protected resource and the reporting endpoint.
Two tests are included, which required the addition of CORS headers to
http/tests/cookies/resources/setCookies.cgi in order to synchronously set cookies
cross-origin via XHR. Additionally, the reporting endpoint was updated to write the
cookie header into the output, and then clear any set cookies so as not to leak into
other tests.
[1]: https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
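The decision the commit message describes (send stored cookies with a violation report only when the protected resource and the reporting endpoint share an origin) can be modelled in a few dozen lines. The following is an added, stand-alone C++ example written for this page; it is not WebKit's or Blink's code, and the `Credentials` enum, `Origin` struct and `credentialsForReport` function are this example's own names rather than the `StoredCredentials` argument mentioned above. It assumes the usual web origin tuple (scheme, host, port, with default ports for http and https) and treats any URL it cannot parse as cross-origin, so the failure mode is "no cookies" rather than "leak cookies".

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Example-local stand-in for the stored-credentials flag described in the bug.
// Names are this example's own, not WebKit's.
enum class Credentials { Allow, Suppress };

struct Origin {
    std::string scheme;
    std::string host;
    int port = -1;       // -1 until a valid port is known
    bool valid = false;  // false for anything we could not parse
};

static int defaultPortFor(const std::string& scheme) {
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    return -1;  // unknown scheme: no default, origin stays invalid
}

static void lowercaseInPlace(std::string& s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
}

// Minimal parser for scheme://[userinfo@]host[:port][/...].
// IPv6 bracket literals are deliberately not handled; they are rejected as invalid.
Origin parseOrigin(const std::string& url) {
    Origin o;
    const auto sep = url.find("://");
    if (sep == std::string::npos) return o;
    o.scheme = url.substr(0, sep);
    lowercaseInPlace(o.scheme);

    const std::string rest = url.substr(sep + 3);
    std::string authority = rest.substr(0, rest.find('/'));  // npos -> whole string
    const auto at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    if (!authority.empty() && authority.front() == '[') return o;  // IPv6 literal: unsupported

    const auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        const std::string portStr = authority.substr(colon + 1);
        o.host = authority.substr(0, colon);
        const bool allDigits = !portStr.empty() &&
            std::all_of(portStr.begin(), portStr.end(),
                        [](unsigned char c) { return std::isdigit(c) != 0; });
        if (!allDigits || portStr.size() > 5) return o;
        o.port = std::stoi(portStr);
        if (o.port > 65535) return o;
    } else {
        o.host = authority;
        o.port = defaultPortFor(o.scheme);
    }
    lowercaseInPlace(o.host);
    if (o.host.empty() || o.port < 0) return o;
    o.valid = true;
    return o;
}

// Two origins match only when every component of the tuple matches.
bool sameOrigin(const Origin& a, const Origin& b) {
    return a.valid && b.valid && a.scheme == b.scheme &&
           a.host == b.host && a.port == b.port;
}

// The check the bug asks sendViolationReport to perform: credentials ride along
// with the report only for a same-origin reporting endpoint.
Credentials credentialsForReport(const std::string& protectedResourceUrl,
                                 const std::string& reportUri) {
    return sameOrigin(parseOrigin(protectedResourceUrl), parseOrigin(reportUri))
        ? Credentials::Allow
        : Credentials::Suppress;
}

int main() {
    // Constructed sample pairs of (protected resource, report-uri).
    const char* cases[][2] = {
        {"https://example.com/page", "https://example.com/csp-report"},
        {"https://example.com/page", "https://example.com:443/csp-report"},
        {"https://example.com/page", "https://report.example.com/csp"},
        {"https://example.com/page", "http://example.com/csp"},
    };
    for (const auto& c : cases) {
        std::cout << c[1] << " -> "
                  << (credentialsForReport(c[0], c[1]) == Credentials::Allow
                          ? "cookies sent" : "cookies suppressed")
                  << '\n';
    }
    return 0;
}
```

The explicit default-port handling matters: `https://example.com` and `https://example.com:443` are the same origin and must not be treated as cross-origin (which would drop cookies a same-origin collector legitimately relies on), while a scheme change or a different port is enough to suppress them.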