New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 3 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug



Sign in to add a comment

Implement first-party reporting for Feature Policy violations

Project Member Reported by iclell...@chromium.org, Jul 25

Issue description

Feature policy violations should produce reports, sent through the Reporting API, and visible to Reporting Observers.

The exact semantics of what a 'violation' is will be up to individual features, so this may end up as an umbrella bug for all of those as well.

Initially, we want first-party reporting only -- that is, reports for violations within a given frame are sent only to the endpoints specified by *that* frame's Report-to header. Parent frames, either same- or cross-origin, do not receive reports generated by their children.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cda7f21bda0423d75ce2974c06dc016b22c42b37

commit cda7f21bda0423d75ce2974c06dc016b22c42b37
Author: Ian Clelland <iclelland@chromium.org>
Date: Mon Aug 13 14:04:36 2018

Start a first-party reporting mechanism for feature policy

This just implements the infrastructure required for generating and
sending reports with the Reporting API, and making them visible to
ReportingObservers. Adding violation reporting to individual features
will be handled in follow-up CLs.

Bug: 867471
Change-Id: Iabfaebe00ae5a768d1b952a90aac1712aec5e158
Reviewed-on: https://chromium-review.googlesource.com/924475
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582571}
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/content/browser/net/reporting_service_proxy.cc
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/public/platform/reporting.mojom
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/core_idl_files.gni
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/BUILD.gn
[add] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/feature_policy_violation_report_body.h
[add] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/feature_policy_violation_report_body.idl
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/frame.cc
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/frame.h
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/local_frame.cc
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/core/frame/local_frame.h
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/platform/feature_policy/feature_policy.cc
[modify] https://crrev.com/cda7f21bda0423d75ce2974c06dc016b22c42b37/third_party/blink/renderer/platform/feature_policy/feature_policy.h

Project Member

Comment 3 by bugdroid1@chromium.org, Aug 28

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d597b51dbc3db3e2b0412e15bae7ebfdf0bfd014

commit d597b51dbc3db3e2b0412e15bae7ebfdf0bfd014
Author: Ian Clelland <iclelland@chromium.org>
Date: Tue Aug 28 17:22:32 2018

Enable FP reporting for WebUSB violations.

This queues a report through the Reporting API whenever the WebUSB API
is invoked from a frame in which the 'usb' feature is not allowed
according to feature policy.

Bug: 867471
Change-Id: Ib1b3c70f3d22c0446b8f8cc1dba7d6df3c44d763
Reviewed-on: https://chromium-review.googlesource.com/1191669
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586762}
[add] https://crrev.com/d597b51dbc3db3e2b0412e15bae7ebfdf0bfd014/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/usb-reporting.https.html
[add] https://crrev.com/d597b51dbc3db3e2b0412e15bae7ebfdf0bfd014/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/usb-reporting.https.html.headers
[modify] https://crrev.com/d597b51dbc3db3e2b0412e15bae7ebfdf0bfd014/third_party/blink/renderer/modules/webusb/usb.cc

Project Member

Comment 4 by bugdroid1@chromium.org, Aug 28

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd0a5631758fece9525927a3680f3840030711ba

commit cd0a5631758fece9525927a3680f3840030711ba
Author: Ian Clelland <iclelland@chromium.org>
Date: Tue Aug 28 17:28:11 2018

Enable FP reporting for geolocation violations.

This queues a report through the Reporting API whenever
getCurrentPosition is called from a frame in which geolocation is not
allowed according to feature policy.

Bug: 867471
Change-Id: Ib8d6bc794e5cdda07add3246580d858edc10a38d
Reviewed-on: https://chromium-review.googlesource.com/1191407
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Miguel Casas <mcasas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586766}
[add] https://crrev.com/cd0a5631758fece9525927a3680f3840030711ba/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/geolocation-reporting.https.html
[add] https://crrev.com/cd0a5631758fece9525927a3680f3840030711ba/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/geolocation-reporting.https.html.headers
[modify] https://crrev.com/cd0a5631758fece9525927a3680f3840030711ba/third_party/blink/renderer/modules/geolocation/geolocation.cc

Project Member

Comment 5 by bugdroid1@chromium.org, Aug 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/acbf60e2d8698a6b36f8505845a8a180434f3392

commit acbf60e2d8698a6b36f8505845a8a180434f3392
Author: Ian Clelland <iclelland@chromium.org>
Date: Wed Aug 29 03:23:26 2018

Enable FP reporting for document-write violations.

This queues a report through the Reporting API whenever the dynamic
markup insertion methods (document.open, close, write, writeln) are
called from a frame in which document-write is not allowed according to
feature policy.

Bug: 867471
Change-Id: I08bc1c8e96f45a7c8c544df2f9a718880680dc01
Reviewed-on: https://chromium-review.googlesource.com/1191533
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587003}
[add] https://crrev.com/acbf60e2d8698a6b36f8505845a8a180434f3392/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/document-write-reporting.html
[add] https://crrev.com/acbf60e2d8698a6b36f8505845a8a180434f3392/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/document-write-reporting.html.headers
[modify] https://crrev.com/acbf60e2d8698a6b36f8505845a8a180434f3392/third_party/blink/renderer/core/dom/document.cc

Project Member

Comment 6 by bugdroid1@chromium.org, Aug 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d1cff6f162c9a168bc8619cbb39ad6d7503dca1a

commit d1cff6f162c9a168bc8619cbb39ad6d7503dca1a
Author: Ian Clelland <iclelland@chromium.org>
Date: Wed Aug 29 14:40:22 2018

Enable FP reporting for fullscreen violations.

This queues a report through the Reporting API whenever
[webkit]RequestFullscreen is called from a frame in which fullscreen is
not allowed according to feature policy. Checking
[webkit]fullscreenAllowed does not trigger reports.

Bug: 867471
Change-Id: I4e7077aea66246d712e549b79b6154c1a596d74c
Reviewed-on: https://chromium-review.googlesource.com/1191482
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Philip J├Ągenstedt <foolip@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587109}
[add] https://crrev.com/d1cff6f162c9a168bc8619cbb39ad6d7503dca1a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/fullscreen-reporting.html
[add] https://crrev.com/d1cff6f162c9a168bc8619cbb39ad6d7503dca1a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/fullscreen-reporting.html.headers
[modify] https://crrev.com/d1cff6f162c9a168bc8619cbb39ad6d7503dca1a/third_party/blink/renderer/core/fullscreen/fullscreen.cc

Project Member

Comment 7 by bugdroid1@chromium.org, Aug 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a

commit 4f8afc6d34dcecb1f620eae147fae9d2c8d4200a
Author: Ian Clelland <iclelland@chromium.org>
Date: Wed Aug 29 15:31:30 2018

Enable FP reporting for camera and microphone violations.

This queues a report through the Reporting API whenever camera or
microphone access are requested through getUserMedia, in a frame in
which either the 'camera' or 'microphone' features are not allowed
according to feature policy.

Bug: 867471
Change-Id: Id54caf385f710f02b94010e642c7eb395e6a831f
Reviewed-on: https://chromium-review.googlesource.com/1191417
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587127}
[add] https://crrev.com/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/camera-reporting.https.html
[add] https://crrev.com/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/camera-reporting.https.html.headers
[add] https://crrev.com/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/microphone-reporting.https.html
[add] https://crrev.com/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/microphone-reporting.https.html.headers
[modify] https://crrev.com/4f8afc6d34dcecb1f620eae147fae9d2c8d4200a/third_party/blink/renderer/modules/mediastream/user_media_request.cc

Project Member

Comment 8 by bugdroid1@chromium.org, Aug 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d4bba36acc4d44a7609c590114663ef302a390d

commit 4d4bba36acc4d44a7609c590114663ef302a390d
Author: Ian Clelland <iclelland@chromium.org>
Date: Wed Aug 29 18:58:37 2018

Enable FP reporting for payment violations.

This queues a report through the Reporing API whenever the
PaymentRequest API is invoked from a frame in which the 'payment'
feature is not allowed according to feature policy.

Bug: 867471
Change-Id: Ie03fe06924a634829d03fb9d9693aee29ab66dd2
Reviewed-on: https://chromium-review.googlesource.com/1191411
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587223}
[add] https://crrev.com/4d4bba36acc4d44a7609c590114663ef302a390d/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/payment-reporting.https.html
[add] https://crrev.com/4d4bba36acc4d44a7609c590114663ef302a390d/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/payment-reporting.https.html.headers
[modify] https://crrev.com/4d4bba36acc4d44a7609c590114663ef302a390d/third_party/blink/renderer/modules/payments/payment_request.cc

Project Member

Comment 9 by bugdroid1@chromium.org, Aug 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f02655a36496713a7fd4af25ea8e87ac7764ec48

commit f02655a36496713a7fd4af25ea8e87ac7764ec48
Author: Ian Clelland <iclelland@chromium.org>
Date: Wed Aug 29 19:21:46 2018

Enable FP reporting for unsized-media policy violations.

This queues a report through the Reporting API whenever an image is
encountered which violates the 'unsized-media' policy, in a document in
which that feature is not allowed according to feature policy.

Bug: 867471
Change-Id: I8d39639d21d9a993685f97efc078a9a1ab6f303c
Reviewed-on: https://chromium-review.googlesource.com/1195675
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587236}
[add] https://crrev.com/f02655a36496713a7fd4af25ea8e87ac7764ec48/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/image.jpg
[add] https://crrev.com/f02655a36496713a7fd4af25ea8e87ac7764ec48/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/unsized-media-reporting.html
[add] https://crrev.com/f02655a36496713a7fd4af25ea8e87ac7764ec48/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/unsized-media-reporting.html.headers
[modify] https://crrev.com/f02655a36496713a7fd4af25ea8e87ac7764ec48/third_party/blink/renderer/core/css/resolver/style_adjuster.cc

Project Member

Comment 10 by bugdroid1@chromium.org, Aug 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fbdee9fdd5d8d29d6131cb559d2391629b48fe52

commit fbdee9fdd5d8d29d6131cb559d2391629b48fe52
Author: Ian Clelland <iclelland@chromium.org>
Date: Thu Aug 30 15:12:23 2018

Enable FP reporting for sync-xhr violations.

This queues a report through the Reporting API whenever send() is called
on a synchronous XMLHttpRequest object from a frame in which sync-xhr is
not allowed according to feature policy.

Bug: 867471
Change-Id: If778ea5517fb5728992fe8287b278d1af729902f
Reviewed-on: https://chromium-review.googlesource.com/1191404
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587583}
[add] https://crrev.com/fbdee9fdd5d8d29d6131cb559d2391629b48fe52/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/sync-xhr-reporting.html
[add] https://crrev.com/fbdee9fdd5d8d29d6131cb559d2391629b48fe52/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/sync-xhr-reporting.html.headers
[modify] https://crrev.com/fbdee9fdd5d8d29d6131cb559d2391629b48fe52/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc

Project Member

Comment 11 by bugdroid1@chromium.org, Aug 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6678ff7b91115ee6f6008f9cacabe337a6f34ec1

commit 6678ff7b91115ee6f6008f9cacabe337a6f34ec1
Author: Ian Clelland <iclelland@chromium.org>
Date: Thu Aug 30 16:30:21 2018

Enable FP reporting for WebMIDI policy violations.

This queues a report through the Reporting API whenever
navigator.requestMIDIAccess is invoked from a frame in which the 'midi`'
feature is not allowed according to feature policy.

Bug: 867471
Change-Id: Ib7966a3721067fcf7a325d75377178caaa4b327a
Reviewed-on: https://chromium-review.googlesource.com/1195703
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587617}
[add] https://crrev.com/6678ff7b91115ee6f6008f9cacabe337a6f34ec1/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/midi-reporting.html
[add] https://crrev.com/6678ff7b91115ee6f6008f9cacabe337a6f34ec1/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/midi-reporting.html.headers
[modify] https://crrev.com/6678ff7b91115ee6f6008f9cacabe337a6f34ec1/third_party/blink/renderer/modules/webmidi/navigator_web_midi.cc

Project Member

Comment 12 by bugdroid1@chromium.org, Sep 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c12c50e95c0b799be25c893c14105803ee4b61e7

commit c12c50e95c0b799be25c893c14105803ee4b61e7
Author: Ian Clelland <iclelland@chromium.org>
Date: Tue Sep 11 20:44:12 2018

Enable FP reporting for VR/XR policy violations.

This queues a report through the Reporting API whenever VR or XR device
access are requested in a frame in which the 'vr' feature is not allowed
according to feature policy.

Bug: 867471
Cq-Include-Trybots: luci.chromium.try:win_optional_gpu_tests_rel
Change-Id: I5e0256c799f986e30b1f3746ef0fce1b6d9f93eb
Reviewed-on: https://chromium-review.googlesource.com/1195438
Reviewed-by: Brandon Jones <bajones@chromium.org>
Commit-Queue: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590451}
[add] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/vr-reporting.https.html
[add] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/vr-reporting.https.html.headers
[add] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/xr-reporting.https.html
[add] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/WebKit/LayoutTests/external/wpt/feature-policy/reporting/xr-reporting.https.html.headers
[modify] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/blink/renderer/modules/vr/navigator_vr.cc
[modify] https://crrev.com/c12c50e95c0b799be25c893c14105803ee4b61e7/third_party/blink/renderer/modules/xr/xr.cc

Sign in to add a comment