Google Git
Sign in
webkit / WebKit / 6501da5d9efd585f38613665c05cd2c5dda52074 / . / LayoutTests / platform / wk2 / http / tests / security / contentSecurityPolicy / block-all-mixed-content / insecure-css-in-iframe-report-only-expected.txt
blob: caf660f6ef3dc87b0f970276463aa139b63dd5b7 [file] [log] [blame]
main frame - didFinishDocumentLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
CONSOLE MESSAGE: line 9: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
frame "<!--framePath //<!--frame0-->-->" - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
main frame - didHandleOnloadEventsForFrame
frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
main frame - didFinishLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didCancelClientRedirectForFrame
frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block even though the child frame has a report only CSP block-all-mixed-content directive because an active network attacker can use CSS3 to breach the confidentiality of the HTTPS security origin.
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
CSP report received:
CONTENT_TYPE: application/csp-report
HTTP_HOST: 127.0.0.1:8443
HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
REQUEST_METHOD: POST
REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
=== POST DATA ===
{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html","violated-directive":"block-all-mixed-content","effective-directive":"block-all-mixed-content","original-policy":"block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","blocked-uri":"http://127.0.0.1:8000","status-code":0}}