<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CSP: Violation report should include HTTP status code of protected resource"
   href="https://bugs.webkit.org/show_bug.cgi?id=154288">154288</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CSP: Violation report should include HTTP status code of protected resource
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Keywords</th>
          <td>WebExposed
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dbates&#64;webkit.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>webkit-bug-importer&#64;group.apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The Content Security Policy violation report should include the HTTP status code of the protected resource as per &lt;<a href="https://w3c.github.io/webappsec-csp/2/#violation-reports">https://w3c.github.io/webappsec-csp/2/#violation-reports</a>&gt; (29 August 2015):

[[
4.4. Reporting

...

To generate a violation report object, the user agent MUST use an algorithm equivalent to the following:

Prepare a JSON object violation with the following keys and values:

    blocked-uri
        The originally requested URL of the resource that was prevented from loading, stripped for reporting, or 
        the empty string if the resource has no URL (inline script and inline style, for example).
...
    status-code
        The status-code of the HTTP response that contained the protected resource, if the protected resource was
        obtained over HTTP. Otherwise, the number 0.
...
]]</pre>
        </div>
      </p>
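<p>Added example, not part of the original bug report or of WebKit's code: a report collector handling the two keys quoted above when a user agent omits status-code, as this bug describes. The function name, the returned field names and the sample bodies are assumptions of this example; the "csp-report" wrapper is the serialization the CSP 2 specification uses for the report body.</p>

```javascript
// Constructed sample bodies, shaped as a report-uri endpoint would receive them.
const SAMPLE_WITH_STATUS = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.test/page',
    'blocked-uri': 'https://cdn.example.test/x.js',
    'status-code': 200,
  },
});
const SAMPLE_WITHOUT_STATUS = JSON.stringify({
  'csp-report': { 'document-uri': 'https://example.test/page', 'blocked-uri': '' },
});

// Hypothetical helper: validate the two quoted keys and classify status-code.
function normalizeCspReport(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, reason: 'invalid-json' };
  }
  const report = parsed === null ? undefined : parsed['csp-report'];
  if (typeof report !== 'object' || report === null || Array.isArray(report)) {
    return { ok: false, reason: 'missing-csp-report' };
  }
  const blockedUri = report['blocked-uri'];
  if (typeof blockedUri !== 'string') {
    return { ok: false, reason: 'bad-blocked-uri' };
  }
  // Absent key: keep it distinct from 0, which the spec reserves for
  // "protected resource was not obtained over HTTP".
  if (!Object.prototype.hasOwnProperty.call(report, 'status-code')) {
    return { ok: true, blockedUri, statusCode: null, statusSource: 'absent' };
  }
  const code = report['status-code'];
  if (code === 0) {
    return { ok: true, blockedUri, statusCode: 0, statusSource: 'non-http' };
  }
  // Report bodies are untrusted input: accept only an integer HTTP status.
  if (!Number.isInteger(code) || 100 > code || code > 599) {
    return { ok: false, reason: 'bad-status-code' };
  }
  return { ok: true, blockedUri, statusCode: code, statusSource: 'http' };
}

console.log(normalizeCspReport(SAMPLE_WITH_STATUS));
console.log(normalizeCspReport(SAMPLE_WITHOUT_STATUS));
```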
    </body>
</html>