[Reporting API] Hook up to Content-Security-Policy 'report-to' directive
https://bugs.webkit.org/show_bug.cgi?id=244143
<rdar://problem/98900892>

Reviewed by Ryosuke Niwa.

Implement the stubs from Bug 243908 so that we can generate Reporting API reports for Content Security Policy rules.

This patch does the following:

1. Adds support for the "Reporting-Endpoints" header.
2. Exposes a Reporting object on Document and WorkerGlobalScope that can handle reports.
3. Implements a CSPViolationReportBody class (and JS binding).
4. Updates the ContentSecurityPolicy implementation to generate a CSPViolationReportBody when the CSP directives include a report-to declaration.
5. Revises the CSP implementation to construct the JSON report body to match the new specification.

* Source/WTF/wtf/URL.cpp:
(WTF::URL::strippedForUseAsReferrerWithExplicitPort): Added.
* Source/WTF/wtf/URL.h:
* Source/WebCore/CMakeLists.txt: Update for new files.
* Source/WebCore/DerivedSources-input.xcfilelist: Ditto.
* Source/WebCore/DerivedSources.make: Ditto.
* Source/WebCore/CMakeLists.txt: Ditto.
* Source/WebCore/Headers.cmake: Ditto.
* Source/WebCore/Modules/reporting/Report.cpp: Added.
* Source/WebCore/Modules/reporting/Report.h: Added.
* Source/WebCore/Modules/reporting/Report.idl: Added.
* Source/WebCore/Modules/reporting/ReportBody.cpp: Added.
* Source/WebCore/Modules/reporting/ReportBody.h: Added.
* Source/WebCore/Modules/reporting/ReportBody.idl: Added.
* Source/WebCore/Modules/reporting/ReportingClient.h: Added.
* Source/WebCore/Modules/reporting/ReportingObserver.cpp: Added.
* Source/WebCore/Modules/reporting/ReportingObserver.h: Added.
* Source/WebCore/Modules/reporting/ReportingObserver.idl: Added.
* Source/WebCore/Modules/reporting/ReportingScope.cpp: Added.
* Source/WebCore/Modules/reporting/ReportingScope.h: Added.
* Source/WebCore/Sources.txt: Update for new files.
* Source/WebCore/bindings/js/JSReportBodyCustom.cpp: Added.
* Source/WebCore/bindings/js/WebCoreBuiltinNames.h: Updated for new types.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::notifyReportObservers): Added.
(WebCore::Document::endpointURIForToken const): Added.
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/SecurityPolicyViolationEvent.h: Move SecurityPolicyViolationEventDisposition
definition to new file to allow sharing with CSP.
* Source/WebCore/dom/SecurityPolicyViolationEvent.idl: Ditto.
* Source/WebCore/dom/SecurityPolicyViolationEventDisposition.h: Added.
* Source/WebCore/dom/SecurityPolicyViolationEventDisposition.idl: Added.
* Source/WebCore/dom/TaskSource.h: Added new Reporting Task type.
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived): Revise to pass new arguments to CSP constructor.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument): Capture report-to endpoints for later use.
* Source/WebCore/loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Register reporting observer.
* Source/WebCore/page/csp/CSPViolationReportBody.cpp: Added.
* Source/WebCore/page/csp/CSPViolationReportBody.h: Added.
* Source/WebCore/page/csp/CSPViolationReportBody.idl: Added.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::reportingClientForContext): Added.
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Update to capture reporting client.
(WebCore::ContentSecurityPolicy::reportViolation const): Revise to create modern Reporting API
report, when used.
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp: Parse new report-to directive.
(WebCore::ContentSecurityPolicyDirectiveList::create): Check for report-uri and report-to when validating CSP.
(WebCore::ContentSecurityPolicyDirectiveList::parseReportTo): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Update to handle report-to.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp: Add report-to.
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::isCSPDirectiveName): Update to handle report-to.
* Source/WebCore/platform/network/HTTPHeaderNames.in: Add 'Reporting-Endpoints'.
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::notifyReportObservers):
(WebCore::WorkerGlobalScope::endpointURIForToken const):
* Source/WebCore/workers/WorkerGlobalScope.h:
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Parse Report-To Header.
(WebKit::NetworkResourceLoader::notifyReportObservers): Added to implement ReportClient interface.
(WebKit::NetworkResourceLoader::endpointURIForToken): Ditto.
* Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::contentSecurityPolicy): Initialize reporting client.
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::doCrossOriginOpenerHandlingOfResponse): Initialize reporting client.
(WebKit::NetworkResourceLoader::endpointURIForToken const): Added to implement ReportClient interface.
* Source/WebKit/NetworkProcess/NetworkResourceLoader.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.cpp: Updated for new CSPViolationReportBody and Report types.
* Source/WebKit/Shared/WebCoreArgumentCoders.h:
* Source/WebKit/WebProcess/WebPage.cpp:
(WebKit::WebPage::notifyReportObservers): Added to implement ReportClient interface.
* Source/WebKit/WebProcess/WebPage.h:
* Source/WebKit/WebProcess/WebPage.messages.in: Added new 'NotifyReportObservers' IPC message.
* Tools/DumpRenderTree/mac/ResourceLoadDelegate.mm:
(webView:resource:willSendRequest:redirectResponse:fromDataSource:): Filter unique report IDs in logging
to avoid test failures.
* Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
(WTR::InjectedBundlePage::willSendRequestForFrame): Filter unique report IDs in logging to avoid test failures.

Canonical link: https://commits.webkit.org/253966@main
youennf authored and Brent Fulgham committed Aug 31, 2022
1 parent 3125741 commit 42f5a93823a7f087a800cd65c6bc0551dbeb55d3
Showing 125 changed files with 1,728 additions and 521 deletions.
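The console warnings changed in this commit's test expectations fire when a report-only policy names no reporting directive, and the new 'report-to' directive only works when its endpoint name exists in the Reporting-Endpoints header. The following linter is an added example, not WebKit code: it checks a set of response headers for exactly those two misconfigurations. The header syntax follows the CSP3 and Reporting API drafts; the finding strings, the https-only rule (a simplification of the spec's "potentially trustworthy URL" requirement) and the sample headers are assumptions of this example.

```javascript
"use strict";

// Parse a CSP header value into a Map of directive name -> source tokens.
// CSP keeps only the first occurrence of a directive name, so later
// duplicates are ignored here as well.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Parse Reporting-Endpoints, a dictionary of name="url" members, into a
// Map of endpoint name -> URL. Only https URLs are accepted (assumption:
// a simplification of the spec's "potentially trustworthy" requirement).
function parseReportingEndpoints(value) {
  const endpoints = new Map();
  for (const member of value.split(",")) {
    const m = member.trim().match(/^([A-Za-z0-9_.*-]+)="([^"]*)"$/);
    if (!m) continue;
    try {
      const url = new URL(m[2]);
      if (url.protocol === "https:") endpoints.set(m[1], url.href);
    } catch {
      // Malformed URL: the entry is unusable, skip it.
    }
  }
  return endpoints;
}

// Inspect one response's headers and return an array of finding strings.
// Header names are matched case-insensitively.
function lintCspReporting(headers) {
  const findings = [];
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const endpoints = parseReportingEndpoints(lower["reporting-endpoints"] || "");

  for (const header of ["content-security-policy", "content-security-policy-report-only"]) {
    const value = lower[header];
    if (value === undefined) continue;
    const csp = parseCsp(value);
    const reportOnly = header.endsWith("report-only");
    const hasReportUri = csp.has("report-uri");
    const reportToTokens = csp.get("report-to") || [];

    // A report-only policy with nowhere to send reports does nothing at all.
    if (reportOnly && !hasReportUri && reportToTokens.length === 0)
      findings.push(`${header}: report-only policy has no report-uri or report-to, so it has no effect`);
    // report-to takes exactly one endpoint name.
    if (reportToTokens.length > 1)
      findings.push(`${header}: report-to takes a single endpoint name, got ${reportToTokens.length}`);
    // The name must resolve through Reporting-Endpoints or reports are dropped.
    for (const token of reportToTokens)
      if (!endpoints.has(token))
        findings.push(`${header}: report-to '${token}' has no entry in Reporting-Endpoints`);
  }
  return findings;
}

// Constructed sample headers: the ineffective configuration beside the corrected one.
const WEAK_HEADERS = {
  "Content-Security-Policy-Report-Only": "script-src 'none'",
};
const FIXED_HEADERS = {
  "Reporting-Endpoints": 'csp-endpoint="https://reports.example.test/csp"',
  "Content-Security-Policy-Report-Only": "script-src 'none'; report-to csp-endpoint",
};
```

`lintCspReporting(WEAK_HEADERS)` yields one finding (the "no effect" case the console warnings above describe) and `lintCspReporting(FIXED_HEADERS)` yields none.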


@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
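Review bot: the rewritten warning on the second line of this hunk drops 'report-uri' entirely, yet the ChangeLog entry for ContentSecurityPolicyDirectiveList::create says validation now accepts either report-uri or report-to. A report-only policy that still relies on the older report-uri directive would be told to "add a 'report-to' directive", which is misleading; consider wording it as "does not specify a 'report-uri' or 'report-to' directive" so both accepted forms are named. The same text recurs in every other expectation file in this commit, so the fix belongs in the message source rather than in the individual expectations.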
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.


--------
@@ -1,6 +1,6 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
PASS did not execute script.


@@ -1,3 +1,3 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
PASS did not execute script.
@@ -1,3 +1,3 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
PASS did execute script.
@@ -1,3 +1,3 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'sha256-AJqUvsXuHfMNXALcBPVqeiKkFk8OLvn3U7ksHP/QQ90=' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
PASS did execute script.
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.


--------
@@ -1,6 +1,6 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
PASS did not execute script.


@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
PASS did not execute script.
@@ -1,2 +1,2 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
PASS did execute script.
@@ -1,2 +1,2 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
PASS did execute script.
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'object-src 'none'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.


--------
@@ -1,6 +1,6 @@
frame "<!--frame1-->" - didStartProvisionalLoadForFrame
main frame - didFinishDocumentLoadForFrame
CONSOLE MESSAGE: The Content Security Policy 'block-all-mixed-content' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
frame "<!--frame1-->" - didStartProvisionalLoadForFrame
CONSOLE MESSAGE: The Content Security Policy 'block-all-mixed-content' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
frame "<!--frame1-->" - didCommitLoadForFrame
CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'self'' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
ALERT: PASS: eval() executed as expected.

@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.py because it does not appear in the connect-src directive of the Content Security Policy.
Pass

@@ -1,4 +1,4 @@
CONSOLE MESSAGE: The Content Security Policy 'connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: [Report Only] Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
PASS XMLHttpRequest.send() did follow the redirect.
PASS successfullyParsed is true
@@ -1,2 +1,2 @@
CONSOLE MESSAGE: The Content Security Policy 'script-src 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'script-src 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
This test passes if a console message is present, warning about the missing 'report-uri' directive.
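Review bot: the third line still describes the test as checking for a warning about the missing 'report-uri' directive, while the expected console message directly above it now warns about 'report-to'. Update the description string in the test that produces this line to match the new wording, otherwise the expectation reads as self-contradictory.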
@@ -1,5 +1,5 @@
CONSOLE MESSAGE: The Content Security Policy directive 'sandbox' is ignored when delivered in a report-only policy.
CONSOLE MESSAGE: The Content Security Policy 'sandbox' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: The Content Security Policy 'sandbox' was delivered in report-only mode, but does not specify a 'report-to'; the policy will have no effect. Please either add a 'report-to' directive, or deliver the policy via the 'Content-Security-Policy' header.
CONSOLE MESSAGE: Script executed in iframe.
ALERT: PASS: Iframe was not in a unique origin

This file was deleted.

@@ -1,3 +1,5 @@
CONSOLE MESSAGE: Refused to load http://www1.localhost:8800/content-security-policy/frame-src/support/frame.html#0 because it does not appear in the frame-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to load http://www1.localhost:8800/content-security-policy/frame-src/support/frame.html#1 because it does not appear in the frame-src directive of the Content Security Policy.


PASS Same-document navigation in an iframe blocked by CSP frame-src
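Review bot: this hunk grows the expectation from three lines to five, but the only added content is the pair of blank lines between the second CONSOLE MESSAGE and the PASS line. Since the ChangeLog says DumpRenderTree and WebKitTestRunner now filter unique report IDs out of their logging, confirm these blanks are intended output and not the filter emptying a log line instead of suppressing it.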
