[Webkit-unassigned] [Bug 159830] CSP: Report nonce violations in report-only policies

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 15 15:03:21 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=159830

--- Comment #1 from Daniel Bates <dbates at webkit.org> ---
(In reply to comment #0)
> We should send a CSP violation report and log a console message when there
> is a nonce violation in a report-only policy.

Further elaborating, we need to send a CSP violation report and log a console message for each report-only policy that does not contain the nonce, even if the nonce is found in all enforced policies. For example:

...
Content-Security-Policy-Report-Only: script-src 'nonce-NonExistentNonce'
Content-Security-Policy: script-src 'nonce-A'
...
<html>
<body>
<script nonce="A">...</script>
</body>
</html>

This should send exactly one CSP violation report and log exactly one console message that explains that the nonce "A" was not found in the report-only policy.

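The behaviour described in the comment, as an added example that is not part of the original mail and is not WebKit's code: every CSP header on a response is checked independently, so a report-only policy that lacks the script's nonce yields exactly one report and one console message even when the enforced policy contains it. The header parser is a deliberate simplification that only understands 'nonce-...' source expressions in script-src and default-src; the function names, the report fields and the console message text are assumptions, not WebKit's.

```javascript
// Added example (not WebKit code): model of how <script nonce="..."> should be
// checked against every CSP header on a response, report-only ones included.
// Parsing is minimal: only 'nonce-...' sources in script-src/default-src matter.

// Parse one Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. The first occurrence of a
// directive name wins, matching how CSP ignores duplicate directives.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when `source` is 'nonce-<value>' and <value> equals the element's
// nonce. The "nonce-" keyword is case-insensitive; the value is compared
// byte-for-byte, so 'nonce-a' does not match nonce="A".
function sourceMatchesNonce(source, nonce) {
  const m = /^'nonce-(.+)'$/i.exec(source);
  return m !== null && m[1] === nonce;
}

// Does this single policy permit an inline script carrying `nonce`?
// script-src governs scripts, default-src is the fallback, and a policy with
// neither does not restrict scripts at all. An empty nonce never matches.
function policyAllowsNonce(policy, nonce) {
  const sources = policy.has('script-src')
    ? policy.get('script-src')
    : policy.get('default-src');
  if (sources === undefined) return true;
  if (nonce === '') return false;
  return sources.some((src) => sourceMatchesNonce(src, nonce));
}

// Evaluate a script nonce against every CSP header on the response.
// Each policy is judged on its own: a policy that lacks the nonce produces
// exactly one report and one console message regardless of what the other
// policies (enforced or report-only) decided. Only enforced policies block.
// The report object carries a hypothetical subset of the real report fields.
function evaluateScriptNonce(headers, nonce) {
  const outcome = { blocked: false, reports: [], consoleMessages: [] };
  for (const { name, value } of headers) {
    const lower = name.toLowerCase();
    let reportOnly;
    if (lower === 'content-security-policy') reportOnly = false;
    else if (lower === 'content-security-policy-report-only') reportOnly = true;
    else continue; // not a CSP header
    if (policyAllowsNonce(parsePolicy(value), nonce)) continue;
    outcome.reports.push({
      effectiveDirective: 'script-src',
      originalPolicy: value,
      disposition: reportOnly ? 'report' : 'enforce',
    });
    outcome.consoleMessages.push(
      `${reportOnly ? '[Report Only] ' : ''}Refused to execute inline script ` +
        `because nonce "${nonce}" was not found in the policy "${value}".`
    );
    if (!reportOnly) outcome.blocked = true;
  }
  return outcome;
}

// Constructed input: the scenario from the comment above. The enforced policy
// contains the nonce, the report-only one does not. Expected: the script runs,
// and exactly one report and one console message are produced.
const exampleHeaders = [
  { name: 'Content-Security-Policy-Report-Only',
    value: "script-src 'nonce-NonExistentNonce'" },
  { name: 'Content-Security-Policy', value: "script-src 'nonce-A'" },
];

console.log(JSON.stringify(evaluateScriptNonce(exampleHeaders, 'A'), null, 2));
```

A real implementation would also attach document-uri, blocked-uri and the other report fields and dispatch each report to the report-uri of the policy that was violated; the point here is only that the per-policy loop never short-circuits on a permissive sibling policy.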