CSP violation reports should report the pre-redirect URL.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 762 matching lines @@
         return;
     m_treatAsPublicAddress = true;
 }
 
 void ContentSecurityPolicy::setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy policy)
 {
     if (policy > m_insecureRequestsPolicy)
         m_insecureRequestsPolicy = policy;
 }
 
-static String stripURLForUseInReport(Document* document, const KURL& url)
+static String stripURLForUseInReport(Document* document, const KURL& url, RedirectStatus redirectStatus)
 {
     if (!url.isValid())
         return String();
     if (!url.isHierarchical() || url.protocolIs("file"))
         return url.protocol();
-    return document->getSecurityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
+    if (redirectStatus == RedirectStatus::NoRedirect || document->getSecurityOrigin()->canRequest(url)) {
+        // 'KURL::strippedForUseAsReferrer()' dumps 'String()' for non-webby URLs.
+        // It's better for developers if we return the origin of those URLs rather
+        // than nothing.
+        if (url.protocolIsInHTTPFamily())
+            return url.strippedForUseAsReferrer();
+    }
+    return SecurityOrigin::create(url)->toString();
 }
 
-static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
+static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header, RedirectStatus redirectStatus)
 {
     if (equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::FrameAncestors)) {
         // If this load was blocked via 'frame-ancestors', then the URL of |document| has not yet
         // been initialized. In this case, we'll set both 'documentURI' and 'blockedURI' to the
         // blocked document's URL.
         init.setDocumentURI(blockedURL.getString());
         init.setBlockedURI(blockedURL.getString());
     } else {
         init.setDocumentURI(document->url().getString());
-        init.setBlockedURI(stripURLForUseInReport(document, blockedURL));
+        init.setBlockedURI(stripURLForUseInReport(document, blockedURL, redirectStatus));
     }
     init.setReferrer(document->referrer());
     init.setViolatedDirective(directiveText);
     init.setEffectiveDirective(effectiveDirective);
     init.setOriginalPolicy(header);
     init.setSourceFile(String());
     init.setLineNumber(0);
     init.setColumnNumber(0);
     init.setStatusCode(0);
 
     if (!SecurityOrigin::isSecure(document->url()) && document->loader())
         init.setStatusCode(document->loader()->response().httpStatusCode());
 
     OwnPtr<SourceLocation> location = SourceLocation::capture(document);
     if (location->lineNumber()) {
         KURL source = KURL(ParsedURLString, location->url());
-        init.setSourceFile(stripURLForUseInReport(document, source));
+        init.setSourceFile(stripURLForUseInReport(document, source, redirectStatus));
         init.setLineNumber(location->lineNumber());
         init.setColumnNumber(location->columnNumber());
     }
 }
 
-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, ViolationType violationType, LocalFrame* contextFrame)
+void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, ViolationType violationType, LocalFrame* contextFrame, RedirectStatus redirectStatus)
 {
     ASSERT(violationType == URLViolation || blockedURL.isEmpty());
 
     // TODO(lukasza): Support sending reports from OOPIFs - https://crbug.com/611232
     // (or move CSP child-src and frame-src checks to the browser process - see
     // https://crbug.com/376522).
     if (!m_executionContext && !contextFrame) {
         DCHECK(equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::ChildSrc)
             || equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::FrameSrc));
         return;
     }
 
     ASSERT((m_executionContext && !contextFrame) || (equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::FrameAncestors) && contextFrame));
 
     // FIXME: Support sending reports from worker.
     Document* document = contextFrame ? contextFrame->document() : this->document();
     if (!document)
         return;
 
     LocalFrame* frame = document->frame();
     if (!frame)
         return;
 
     SecurityPolicyViolationEventInit violationData;
-    gatherSecurityPolicyViolationEventData(violationData, document, directiveText, effectiveDirective, blockedURL, header);
+    gatherSecurityPolicyViolationEventData(violationData, document, directiveText, effectiveDirective, blockedURL, header, redirectStatus);
 
     frame->localDOMWindow()->enqueueDocumentEvent(SecurityPolicyViolationEvent::create(EventTypeNames::securitypolicyviolation, violationData));
 
     if (reportEndpoints.isEmpty())
         return;
 
     // TODO(mkwst): Obviously, we shouldn't hit this check, as extension-loaded
     // resources should be allowed regardless. We apparently do, however, so
     // we should at least stop spamming reporting endpoints. See
     // https://crbug.com/524356 for detail.
@@ skipping 49 matching lines @@
         // its URL with the blocked document's URL.
         ASSERT(!contextFrame || !m_executionContext);
         ASSERT(!contextFrame || equalIgnoringCase(effectiveDirective, FrameAncestors));
         KURL url = contextFrame ? frame->document()->completeURLWithOverride(endpoint, blockedURL) : completeURL(endpoint);
         PingLoader::sendViolationReport(frame, url, report, PingLoader::ContentSecurityPolicyViolationReport);
     }
 
     didSendViolationReport(stringifiedReport);
 }
 
-void ContentSecurityPolicy::reportMixedContent(const KURL& mixedURL)
+void ContentSecurityPolicy::reportMixedContent(const KURL& mixedURL, RedirectStatus redirectStatus)
 {
     for (const auto& policy : m_policies)
-        policy->reportMixedContent(mixedURL);
+        policy->reportMixedContent(mixedURL, redirectStatus);
 }
 
 void ContentSecurityPolicy::reportInvalidReferrer(const String& invalidValue)
 {
     logToConsole("The 'referrer' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"no-referrer\", \"no-referrer-when-downgrade\", \"origin\", \"origin-when-cross-origin\", and \"unsafe-url\".");
 }
 
 void ContentSecurityPolicy::reportReportOnlyInMeta(const String& header)
 {
     logToConsole("The report-only Content Security Policy '" + header + "' was delivered via a <meta> element, which is disallowed. The policy has been ignored.");
@@ skipping 178 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink