[Webkit-unassigned] [Bug 162079] [CSP] Violation report may be sent to wrong domain on frame-ancestors violation

bugzilla-daemon at webkit.org
Fri Sep 16 12:06:05 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=162079

--- Comment #2 from Daniel Bates <dbates at webkit.org> ---
Note that reporting of a frame-ancestors violation for a document occurs before the URL of that document is known; => we do not have a script execution context. So we make use of the parent frame's document as part of the reporting machinery. Among other things, we use the parent frame's document to compute the absolute URL for a CSP report URI that is a relative URL. But we should use the blocked URL as the base of this computed absolute URL.

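The base-URL mix-up described in the comment above, as an added example that is not WebKit code and not part of the original message: it resolves each `report-uri` value of a policy against both the blocked document's URL and the parent frame's document URL, and flags values whose destination origin changes with the base. The function names, hosts and paths are constructed for illustration.

```javascript
// Added illustration; not WebKit code. All hosts and paths are constructed.

// Extract the report-uri values from a CSP header value.
function reportUris(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "report-uri") return values;
  }
  return [];
}

// Resolve each report-uri against both candidate bases and flag the values
// whose destination origin depends on which base is used.
function compareReportTargets(policy, blockedUrl, parentUrl) {
  return reportUris(policy).map((uri) => {
    // Base the comment says should be used: the blocked (framed) document.
    const viaBlocked = new URL(uri, blockedUrl);
    // Base the comment says is used: the parent frame's document.
    const viaParent = new URL(uri, parentUrl);
    return {
      uri,
      expected: viaBlocked.href,
      viaParentDocument: viaParent.href,
      wrongOrigin: viaBlocked.origin !== viaParent.origin,
    };
  });
}

// Constructed sample: the framed site sends this policy and is embedded
// by a page on a different origin.
const policy =
  "frame-ancestors 'none'; report-uri /csp-report https://reports.example.net/csp";
const blockedUrl = "https://framed.example.org/account/settings";
const parentUrl = "https://embedder.example.com/page.html";

const results = compareReportTargets(policy, blockedUrl, parentUrl);
console.log(results);
```

The relative value `/csp-report` lands on the embedding origin when the parent document is the base, while the absolute `report-uri` resolves to the same endpoint with either base.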