CSP: Measure whether we can treat '<meta http-refresh>' as inline script.

CSP: Measure whether we can treat '<meta http-refresh>' as inline script.

https://github.com/w3c/webappsec-csp/issues/112 notes that '<meta>' has
some script-like capabilities that aren't currently covered by CSP. This
patch adds metrics for usage of 'Set-Cookie' and 'Refresh' in documents
that block inline script. If it turns out that the intersection is low,
perhaps we can make this backwards-incompatible change.

R=jochen@chromium.org

Committed: https://crrev.com/d171843d5e59aea28a3d3845422b94a39c221143
Cr-Commit-Position: refs/heads/master@{#416261}

[Mike West, 2016-09-02 09:55:29]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-09-02 09:55:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2016-09-02 09:56:12]

WDYT, Jochen? No actual change, just metrics.

[Mike West, 2016-09-02 09:56:44]

On 2016/09/02 at 09:56:12, Mike West (OOO until 29th) wrote:
> WDYT, Jochen? No actual change, just metrics.

(I'll update histograms.xml once the other metrics patch lands and I have to
renumber this one. :P )

[jochen (gone - plz use gerrit), 2016-09-02 09:59:23]

lgtm

[commit-bot: I haz the power, 2016-09-02 10:01:22]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-09-02 10:01:23]

Dry run: Try jobs failed on following builders:
  chromium_presubmit on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)

[Mike West, 2016-09-02 11:36:58]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2016-09-02 11:36:59]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2308513002/#ps40001
(title: "Rebase+Histogram")

[commit-bot: I haz the power, 2016-09-02 11:37:10]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-09-02 14:09:40]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-09-02 14:12:57]

Description was changed from

==========
CSP: Measure whether we can treat '<meta http-refresh>' as inline script.

https://github.com/w3c/webappsec-csp/issues/112 notes that '<meta>' has
some script-like capabilities that aren't currently covered by CSP. This
patch adds metrics for usage of 'Set-Cookie' and 'Refresh' in documents
that block inline script. If it turns out that the intersection is low,
perhaps we can make this backwards-incompatible change.

R=jochen@chromium.org
==========

to

==========
CSP: Measure whether we can treat '<meta http-refresh>' as inline script.

https://github.com/w3c/webappsec-csp/issues/112 notes that '<meta>' has
some script-like capabilities that aren't currently covered by CSP. This
patch adds metrics for usage of 'Set-Cookie' and 'Refresh' in documents
that block inline script. If it turns out that the intersection is low,
perhaps we can make this backwards-incompatible change.

R=jochen@chromium.org

Committed: https://crrev.com/d171843d5e59aea28a3d3845422b94a39c221143
Cr-Commit-Position: refs/heads/master@{#416261}
==========

[commit-bot: I haz the power, 2016-09-02 14:12:58]

Patchset 3 (id:??) landed as
https://crrev.com/d171843d5e59aea28a3d3845422b94a39c221143
Cr-Commit-Position: refs/heads/master@{#416261}