
Issue metadata

Status: Fixed
Owner:
Closed: Mar 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Task

Blocked on:
issue 676016




CSP: `report-to` directive.

Reported by mkwst@chromium.org (Project Member), May 26 2017

Issue description

The `report-to` directive wires CSP violation reports up to the Reporting API (https://wicg.github.io/reporting/), and deprecates the existing `report-uri` directive.
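A collector that receives violation reports has to accept both delivery formats during the migration the issue describes: the legacy `report-uri` POST (`application/csp-report`, one report wrapped in `csp-report`) and the Reporting API POST (`application/reports+json`, a batch of typed reports). The following normalizer is an added example, not Chromium's code; it assumes the hyphenated key names of the legacy payload and the camelCase body keys the Reporting API delivery uses for `csp-violation` reports, and the sample payloads are constructed.

```python
import json

# Legacy report-uri payload: {"csp-report": {hyphenated keys}}.
# Reporting API payload: [{"type": "csp-violation", "body": {camelCase keys}}, ...].
# Both are mapped onto one neutral record so downstream alerting sees a single shape.
_LEGACY_KEYS = {"document-uri": "document", "blocked-uri": "blocked",
                "effective-directive": "directive", "violated-directive": "directive",
                "original-policy": "policy", "disposition": "disposition"}
_REPORTING_API_KEYS = {"documentURL": "document", "blockedURL": "blocked",
                       "effectiveDirective": "directive",
                       "originalPolicy": "policy", "disposition": "disposition"}

def _normalize(raw, mapping):
    rec = {"document": None, "blocked": None, "directive": None,
           "policy": None, "disposition": "enforce"}
    for src, dst in mapping.items():
        # effective-directive is listed first and wins over violated-directive.
        if src in raw and (dst != "directive" or rec["directive"] is None):
            rec[dst] = raw[src]
    return rec

def parse_csp_reports(content_type, body):
    """Return normalized violation records from either delivery format."""
    media = content_type.split(";")[0].strip().lower()
    data = json.loads(body)
    if media == "application/csp-report":            # legacy report-uri delivery
        return [_normalize(data["csp-report"], _LEGACY_KEYS)]
    if media == "application/reports+json":          # Reporting API delivery
        # A batch may mix report types; keep only CSP violations.
        return [_normalize(r.get("body", {}), _REPORTING_API_KEYS)
                for r in data if r.get("type") == "csp-violation"]
    raise ValueError(f"unexpected Content-Type {content_type!r}")

# Constructed sample payloads (not captured from a real browser).
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page", "blocked-uri": "https://cdn.example/x.js",
    "effective-directive": "script-src", "violated-directive": "script-src 'self'",
    "original-policy": "script-src 'self'; report-uri /csp", "disposition": "enforce"}})
REPORTING_API_SAMPLE = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://example.test/page",
     "user_agent": "constructed", "body": {
         "documentURL": "https://example.test/page", "blockedURL": "https://cdn.example/x.js",
         "effectiveDirective": "script-src",
         "originalPolicy": "script-src 'self'; report-to csp", "disposition": "report"}},
    {"type": "deprecation", "age": 5, "url": "https://example.test/page", "body": {}}])

if __name__ == "__main__":
    for ct, payload in (("application/csp-report", LEGACY_SAMPLE),
                        ("application/reports+json; charset=utf-8", REPORTING_API_SAMPLE)):
        print(parse_csp_reports(ct, payload))
```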
 
Labels: -OS-Fuchsia

Comment 2 by bugdroid1@chromium.org (Project Member), Jul 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fae14c9c5320d1e0b0672cf67c98bbdcf92318af

commit fae14c9c5320d1e0b0672cf67c98bbdcf92318af
Author: Andy Paicu <andypaicu@chromium.org>
Date: Mon Jul 10 12:38:34 2017

Add use counter that tracks whether multiple report endpoints are used

In order to help make a decision if the new reporting api should support
multiple endpoints, I've added a use counter to see how frequently the
current report-uri directive is used with multiple reporting endpoints.
Spec: https://wicg.github.io/reporting/

Bug: 726634
Change-Id: I47353b559a2f57a022b2a5300ea5e2cdb88e0677
Reviewed-on: https://chromium-review.googlesource.com/563378
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485243}
[modify] https://crrev.com/fae14c9c5320d1e0b0672cf67c98bbdcf92318af/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/fae14c9c5320d1e0b0672cf67c98bbdcf92318af/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/fae14c9c5320d1e0b0672cf67c98bbdcf92318af/tools/metrics/histograms/enums.xml

Project Member

Comment 3 by bugdroid1@chromium.org, Aug 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9aad7f8d6f6b48250730367506518c2941d6773d

commit 9aad7f8d6f6b48250730367506518c2941d6773d
Author: Andy Paicu <andypaicu@chromium.org>
Date: Tue Aug 01 13:54:26 2017

Allowed parsing reporting endpoints through the `report-to` directive

This patch adds functionality to parse the `report-to` csp directive.
It does not actually do any reporting.
It does not update the content layer csp version.
Spec: https://wicg.github.io/reporting/

Bug: 726634
Change-Id: I31546a56a18504684fc292ce76973ae6fab50fec
Reviewed-on: https://chromium-review.googlesource.com/563210
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490978}
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/9aad7f8d6f6b48250730367506518c2941d6773d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Cc: mkwst@chromium.org
Status: Started

Comment 5 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

Comment 6 by bugdroid1@chromium.org (Project Member), Oct 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/acb9f5c81a34715a0ae420d9d67449092ca965ad

commit acb9f5c81a34715a0ae420d9d67449092ca965ad
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Oct 27 06:49:40 2017

Implemented the report-to functionality for webkit-residing csp

The reporting api can now be used to send csp reports.
Did not yet implement the content csp version of this change.
Spec: https://wicg.github.io/reporting/

Bug: 726634
Change-Id: Icd5cc5699d31d0300e2bcfc6f72b636e855679ea
Reviewed-on: https://chromium-review.googlesource.com/629083
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512107}
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/content/browser/net/reporting_service_proxy.cc
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/content/public/app/mojo/content_browser_manifest.json
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/content/shell/browser/shell_url_request_context_getter.cc
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/VirtualTestSuites
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-doesnt-send-reports-without-violation.https.sub.html
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-doesnt-send-reports-without-violation.https.sub.html.sub.headers
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-only-sends-reports-on-violation.https.sub.html.sub.headers
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-1.https.sub.html.sub.headers
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-report-to-overrides-report-uri-2.https.sub.html.sub.headers
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/reporting-api-sends-reports-on-violation.https.sub.html.sub.headers
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting/securitypolicyviolation-idl.html
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/checkReport.sub.js
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/LayoutTests/virtual/reporting/external/wpt/content-security-policy/reporting/README.txt
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[add] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/Source/platform/weborigin/ReportingServiceProxyPtrHolder.h
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/Tools/Scripts/webkitpy/layout_tests/port/base.py
[modify] https://crrev.com/acb9f5c81a34715a0ae420d9d67449092ca965ad/third_party/WebKit/public/platform/reporting.mojom

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 8 by bugdroid1@chromium.org (Project Member), Jan 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d24ee10c883627002d6c5d8067cf51f02803083f

commit d24ee10c883627002d6c5d8067cf51f02803083f
Author: Andy Paicu <andypaicu@chromium.org>
Date: Tue Jan 30 11:49:16 2018

Hooked in the reporting api changes into content layer CSP

The work for reporting has already been done, this only pipes into the
content layer CSP the relevant info and then pipes it back down to
webkit CSP when reports need to be submitted.

Reporting spec: https://wicg.github.io/reporting/

Related: https://chromium-review.googlesource.com/c/chromium/src/+/629083

Bug: 726634
Change-Id: I5d598840e3170fc91de4f9169b66774cbe407ede
Reviewed-on: https://chromium-review.googlesource.com/788855
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532840}
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/content_security_policy.cc
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/content_security_policy.h
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/content_security_policy_unittest.cc
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/csp_context.cc
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/csp_context.h
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/content_security_policy/csp_context_unittest.cc
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/common/frame_messages.h
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/content/renderer/content_security_policy_util.cc
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
[add] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html
[add] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html.sub.headers
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/LayoutTests/virtual/reporting-api/external/wpt/content-security-policy/reporting-api/README.txt
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/d24ee10c883627002d6c5d8067cf51f02803083f/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h

Labels: -Hotlist-EnamelAndFriendsFixIt
Status: Fixed
andypaicu@, when will it get on by default in canary?

juliatuttle@ would probably know better, the feature depends on the reporting-api being turned on by default.
From what I hear they are targeting Chrome 67 with the reporting-api but it's not guaranteed to land in 67.

Thanks andypaicu@! I will track issue 676016 then!

andypaicu@ chromiumdash is telling me your commits are merged in 66. https://chromiumdash.appspot.com/commit/d24ee10c883627002d6c5d8067cf51f02803083f

Is there some other commit that only makes it available in 67?

jmedley@
While the CSP work is indeed in, it all relies on the Reporting Api.
Here is the Reporting Api launch tracking bug: https://crbug.com/676016
