2011-05-06  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement "Report-Only" mode for CSP
        https://bugs.webkit.org/show_bug.cgi?id=60402

        * http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/report-only.html: Added.
2011-05-06  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement "Report-Only" mode for CSP
        https://bugs.webkit.org/show_bug.cgi?id=60402

        This mode lets web sites try out CSP by getting violation reports (and
        console spam) without actually changing the behavior of their web sites.

        Test: http/tests/security/contentSecurityPolicy/report-only.html

        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::didBeginDocument):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
        (WebCore::ContentSecurityPolicy::didReceiveHeader):
        (WebCore::ContentSecurityPolicy::reportViolation):
        (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation):
        (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation):
        (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation):
        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
        * page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@85993 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 75daae5..ead8a5d 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -719,7 +719,11 @@
 
         String contentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
         if (!contentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy);
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy);
+
+        String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
+        if (!contentSecurityPolicy.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly);
     }
 
     history()->restoreDocumentState();
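Review bot: the guard on the new report-only branch tests the wrong variable. The added check is "if (!contentSecurityPolicy.isEmpty())", but the call beneath it passes reportOnlyContentSecurityPolicy, so the check should be "if (!reportOnlyContentSecurityPolicy.isEmpty())". As written, a response that carries only X-WebKit-CSP-Report-Only never reaches didReceiveHeader, which is the case the commit message describes: sites trying out CSP without changing behavior. A response that carries only X-WebKit-CSP calls didReceiveHeader a second time with an empty string in ReportOnly mode. A test case that sends the report-only header on its own, with no enforcing header, would catch this.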