Add support for COEP violation reporting
https://bugs.webkit.org/show_bug.cgi?id=244985

Reviewed by Brent Fulgham.

Add support for COEP violation reporting:
- https://html.spec.whatwg.org/multipage/origin.html#queue-a-cross-origin-embedder-policy-inheritance-violation
- https://fetch.spec.whatwg.org/#queue-a-cross-origin-embedder-policy-corp-violation-report

* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/reporting-navigation.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/reporting-subresource-corp.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/reporting-to-document-reporting-endpoint.https.window-expected.txt:
* Source/WebCore/DerivedSources-input.xcfilelist:
* Source/WebCore/DerivedSources-output.xcfilelist:
* Source/WebCore/DerivedSources.make:
* Source/WebCore/Modules/reporting/Report.cpp:
(WebCore::Report::createReportFormDataForViolation):
* Source/WebCore/Modules/reporting/Report.h:
* Source/WebCore/Modules/reporting/ReportBody.cpp:
* Source/WebCore/Modules/reporting/ReportingClient.h:
* Source/WebCore/Modules/reporting/ReportingObserver.cpp:
(WebCore::isVisibleToReportingObservers):
* Source/WebCore/Modules/reporting/ViolationReportType.h:
* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/bindings/js/JSReportBodyCustom.cpp:
(WebCore::toJSNewlyCreated):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::sendReportToEndpoints):
* Source/WebCore/dom/Document.h:
* Source/WebCore/loader/COEPInheritenceViolationReportBody.cpp: Copied from Source/WebCore/Modules/reporting/Report.cpp.
(WebCore::COEPInheritenceViolationReportBody::create):
(WebCore::COEPInheritenceViolationReportBody::COEPInheritenceViolationReportBody):
(WebCore::COEPInheritenceViolationReportBody::disposition const):
* Source/WebCore/loader/COEPInheritenceViolationReportBody.h: Copied from Source/WebCore/Modules/reporting/Report.h.
(WebCore::COEPInheritenceViolationReportBody::blockedURL const):
(WebCore::COEPInheritenceViolationReportBody::encode const):
(WebCore::COEPInheritenceViolationReportBody::decode):
(isType):
* Source/WebCore/loader/COEPInheritenceViolationReportBody.idl: Copied from Source/WebCore/Modules/reporting/ReportBody.cpp.
* Source/WebCore/loader/CORPViolationReportBody.cpp: Copied from Source/WebCore/Modules/reporting/Report.cpp.
(WebCore::CORPViolationReportBody::create):
(WebCore::CORPViolationReportBody::CORPViolationReportBody):
(WebCore::CORPViolationReportBody::type const):
(WebCore::CORPViolationReportBody::disposition const):
(WebCore::CORPViolationReportBody::destination const):
* Source/WebCore/loader/CORPViolationReportBody.h: Added.
(WebCore::CORPViolationReportBody::blockedURL const):
(WebCore::CORPViolationReportBody::encode const):
(WebCore::CORPViolationReportBody::decode):
(isType):
* Source/WebCore/loader/CORPViolationReportBody.idl: Copied from Source/WebCore/Modules/reporting/ReportBody.cpp.
* Source/WebCore/loader/CrossOriginEmbedderPolicy.cpp:
(WebCore::sendCOEPInheritenceViolation):
(WebCore::sendCOEPCORPViolation):
* Source/WebCore/loader/CrossOriginEmbedderPolicy.h:
* Source/WebCore/loader/CrossOriginOpenerPolicy.cpp:
(WebCore::sendViolationReportWhenNavigatingToCOOPResponse):
(WebCore::sendViolationReportWhenNavigatingAwayFromCOOPResponse):
(WebCore::createViolationReportObject): Deleted.
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::sendViolationReport):
* Source/WebCore/loader/PingLoader.h:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation const):
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::sendReportToEndpoints):
* Source/WebCore/workers/WorkerGlobalScope.h:
* Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::contextURLforCORPViolation):
(WebKit::performCORPCheck):
* Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h:
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
(WebKit::NetworkResourceLoader::shouldInterruptNavigationForCrossOriginEmbedderPolicy):
(WebKit::NetworkResourceLoader::shouldInterruptWorkerLoadForCrossOriginEmbedderPolicy):
(WebKit::NetworkResourceLoader::frameIdentifierForReport const):
(WebKit::NetworkResourceLoader::notifyReportObservers):
(WebKit::NetworkResourceLoader::sendReportToEndpoints):
* Source/WebKit/NetworkProcess/NetworkResourceLoader.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.cpp:
(IPC::ArgumentCoder<RefPtr<WebCore::ReportBody>>::encode):
(IPC::ArgumentCoder<RefPtr<WebCore::ReportBody>>::decode):
* Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::addParametersShared):
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
(WebKit::WebLoaderStrategy::startPingLoad):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::sendReportToEndpoints):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:

Canonical link: https://commits.webkit.org/254466@main
Showing 58 changed files with 711 additions and 144 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,6 @@ | ||
CONSOLE MESSAGE: Refused to load https://localhost:9443/common/blank.html?pipe=header(x-frame-options,%20deny) because it does not appear in the frame-src directive of the Content Security Policy. | ||
CONSOLE MESSAGE: Refused to load https://localhost:9443/common/blank.html because it does not appear in the frame-src directive of the Content Security Policy. | ||
CONSOLE MESSAGE: Refused to load https://localhost:9443/common/blank.html because it does not appear in the frame-src directive of the Content Security Policy. | ||
CONSOLE MESSAGE: Refused to display 'https://localhost:9443/common/blank.html?pipe=header(x-frame-options,%20deny)' in a frame because it set 'X-Frame-Options' to 'deny'. | ||
|
||
PASS CSP check precedes X-Frame-Options check | ||
PASS CSP check precedes COEP check - CSP header first | ||
PASS CSP check precedes COEP check - COEP header first | ||
FAIL COEP check precedes X-Frame-Options check assert_equals: expected (string) "coep" but got (object) null | ||
PASS COEP check precedes X-Frame-Options check | ||
|
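Review bot: The four CONSOLE MESSAGE lines at the top of this expectation (three frame-src refusals and one X-Frame-Options refusal) appear to be dropped without explanation: the hunk header goes from 10 lines to 6 while the only result that changes is "COEP check precedes X-Frame-Options check", from FAIL to PASS. Please confirm that these frame loads are still refused and that only the logging into the expectation changed, and say so in the commit message entry for this file.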
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
|
||
FAIL Prevent local scheme documents from loading within a COEP: require-corp iframe if they inherit COEP: none assert_equals: expected 3 but got 0 | ||
FAIL Prevent local scheme documents from loading within a COEP: require-corp iframe if they inherit COEP: none assert_equals: expected 3 but got 1 | ||
|
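Review bot: The single subtest in this expectation is still rebaselined as FAIL, moving only from "expected 3 but got 0" to "expected 3 but got 1", and the commit message does not mention the remaining gap. Since this test covers local scheme documents inheriting "COEP: none" inside a require-corp iframe, please link a follow-up bug for the missing count instead of leaving the partial result undocumented.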
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,47 +1,32 @@ | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-embedder-policy,require-corp) because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-embedder-policy,require-corp) because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/common/blank.html?pipe= because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/common/blank.html?pipe= because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)' in a frame because of Cross-Origin-Embedder-Policy. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)' in a frame because of Cross-Origin-Embedder-Policy. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin)' in a frame because of Cross-Origin-Embedder-Policy. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin)' in a frame because of Cross-Origin-Embedder-Policy. | ||
CONSOLE MESSAGE: Refused to load https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)|header(content-security-policy,frame-ancestors%20%27none%27) because it does not appear in the frame-ancestors directive of the Content Security Policy. | ||
CONSOLE MESSAGE: Refused to load https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)|header(content-security-policy,frame-ancestors%20%27none%27) because it does not appear in the frame-ancestors directive of the Content Security Policy. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny)' in a frame because it set 'X-Frame-Options' to 'deny'. | ||
CONSOLE MESSAGE: Refused to display 'https://127.0.0.1:9443/common/blank.html?pipe=|header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny)' in a frame because it set 'X-Frame-Options' to 'deny'. | ||
|
||
|
||
Harness Error (TIMEOUT), message = null | ||
|
||
PASS parent: (none), target: (none), with empty frame: false | ||
PASS parent: (none), target: (none), with empty frame: true | ||
PASS parent: (none), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: false | ||
PASS parent: (none), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: true | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: true Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: (none), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: (none), with empty frame: true Test timed out | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: (none), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: (none), with empty frame: true | ||
PASS parent: (none), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: (none), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: true Test timed out | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
PASS parent: (none), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: (none), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: true Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: (none), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: (none), with empty frame: true Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: true Test timed out | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: (none), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: (none), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy-report-only,require-corp), target: |header(cross-origin-embedder-policy,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: true Test timed out | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-embedder-policy-report-only,require-corp)|header(cross-origin-resource-policy,cross-origin), with empty frame: true | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(content-security-policy,frame-ancestors 'none'), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(content-security-policy,frame-ancestors 'none'), with empty frame: true | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny), with empty frame: false Test timed out | ||
TIMEOUT parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny), with empty frame: true Test timed out | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny), with empty frame: false | ||
PASS parent: |header(cross-origin-embedder-policy,require-corp), target: |header(cross-origin-resource-policy,cross-origin)|header(x-frame-options,deny), with empty frame: true | ||
|
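Review bot: The commit message lists LayoutTests/TestExpectations with no description, and this hunk is where that matters: every row that was TIMEOUT becomes PASS and the "Harness Error (TIMEOUT)" line goes away. Please state which expectation entry for this test was removed or changed, so that a later regression back to TIMEOUT is not hidden by a stale entry. The CONSOLE MESSAGE lines also appear to leave the expectation (47 lines down to 32, which matches the result rows plus blank lines), which is worth a sentence as well.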
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,30 +1,26 @@ | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Fetch API cannot load https://127.0.0.1:9443/html/cross-origin-embedder-policy/resources/nothing-same-origin-corp.txt due to access control checks. | ||
CONSOLE MESSAGE: Cancelled load to https://127.0.0.1:9443/common/text-plain.txt because it violates the resource's Cross-Origin-Resource-Policy response header. | ||
CONSOLE MESSAGE: Fetch API cannot load https://127.0.0.1:9443/common/text-plain.txt due to access control checks. | ||
|
||
|
||
Harness Error (TIMEOUT), message = null | ||
|
||
PASS [document] same-origin | ||
PASS [document] blocked by CORP: same-origin | ||
TIMEOUT [document] blocked due to COEP Test timed out | ||
NOTRUN [document] blocked during redirect | ||
NOTRUN [dedicated worker] same-origin | ||
NOTRUN [dedicated worker] blocked by CORP: same-origin | ||
NOTRUN [dedicated worker] blocked due to COEP | ||
NOTRUN [dedicated worker] blocked during redirect | ||
NOTRUN [shared worker] same-origin | ||
NOTRUN [shared worker] blocked by CORP: same-origin | ||
NOTRUN [shared worker] blocked due to COEP | ||
NOTRUN [shared worker] blocked during redirect | ||
NOTRUN [service worker] same-origin | ||
NOTRUN [service worker] blocked by CORP: same-origin | ||
NOTRUN [service worker] blocked due to COEP | ||
NOTRUN [service worker] blocked during redirect | ||
NOTRUN [between service worker and page] same-origin | ||
NOTRUN [between service worker and page] blocked by CORP: same-origin | ||
NOTRUN [between service worker and page] blocked due to COEP | ||
PASS [document] blocked due to COEP | ||
PASS [document] blocked during redirect | ||
PASS [dedicated worker] same-origin | ||
PASS [dedicated worker] blocked by CORP: same-origin | ||
FAIL [dedicated worker] blocked due to COEP assert_equals: expected 2 but got 0 | ||
FAIL [dedicated worker] blocked during redirect assert_equals: expected 2 but got 0 | ||
PASS [shared worker] same-origin | ||
PASS [shared worker] blocked by CORP: same-origin | ||
FAIL [shared worker] blocked due to COEP assert_equals: expected 2 but got 0 | ||
FAIL [shared worker] blocked during redirect assert_equals: expected 2 but got 0 | ||
PASS [service worker] same-origin | ||
PASS [service worker] blocked by CORP: same-origin | ||
FAIL [service worker] blocked due to COEP assert_equals: expected 2 but got 0 | ||
FAIL [service worker] blocked during redirect assert_equals: expected 2 but got 0 | ||
PASS [between service worker and page] same-origin | ||
PASS [between service worker and page] blocked by CORP: same-origin | ||
TIMEOUT [between service worker and page] blocked due to COEP Test timed out | ||
NOTRUN [between service worker and page] blocked during redirect | ||
NOTRUN destination: script | ||
|
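Review bot: The dedicated, shared and service worker rows for "blocked due to COEP" and "blocked during redirect" are rebaselined as FAIL with "expected 2 but got 0", and "[between service worker and page] blocked due to COEP" still times out, leaving the rows after it NOTRUN. The commit touches WorkerGlobalScope::sendReportToEndpoints, yet the worker cases show a count of 0, so please call out in the commit message that worker-context reporting is not yet working and link a follow-up bug; otherwise this baseline reads as if the worker path were covered.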