CSP: Strip the fragment from reported URLs.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 1029 matching lines @@
     const String& header,
     RedirectStatus redirectStatus,
     ContentSecurityPolicyHeaderType headerType,
     ContentSecurityPolicy::ViolationType violationType,
     int contextLine,
     const String& scriptSource) {
   if (effectiveType == ContentSecurityPolicy::DirectiveType::FrameAncestors) {
     // If this load was blocked via 'frame-ancestors', then the URL of
     // |document| has not yet been initialized. In this case, we'll set both
     // 'documentURI' and 'blockedURI' to the blocked document's URL.
-    init.setDocumentURI(blockedURL.getString());
-    init.setBlockedURI(blockedURL.getString());
+    String strippedURL = stripURLForUseInReport(
+        context, blockedURL, RedirectStatus::NoRedirect,
+        ContentSecurityPolicy::DirectiveType::DefaultSrc);
+    init.setDocumentURI(strippedURL);
+    init.setBlockedURI(strippedURL);
   } else {
-    init.setDocumentURI(context->url().getString());
+    String strippedURL = stripURLForUseInReport(
+        context, context->url(), RedirectStatus::NoRedirect,
+        ContentSecurityPolicy::DirectiveType::DefaultSrc);
+    init.setDocumentURI(strippedURL);
     switch (violationType) {
       case ContentSecurityPolicy::InlineViolation:
         init.setBlockedURI("inline");
         break;
       case ContentSecurityPolicy::EvalViolation:
         init.setBlockedURI("eval");
         break;
       case ContentSecurityPolicy::URLViolation:
         init.setBlockedURI(stripURLForUseInReport(
             context, blockedURL, redirectStatus, effectiveType));
@@ skipping 112 matching lines @@
 
   // We need to be careful here when deciding what information to send to the
   // report-uri. Currently, we send only the current document's URL and the
   // directive that was violated. The document's URL is safe to send because
   // it's the document itself that's requesting that it be sent. You could
   // make an argument that we shouldn't send HTTPS document URLs to HTTP
   // report-uris (for the same reasons that we supress the Referer in that
   // case), but the Referer is sent implicitly whereas this request is only
   // sent explicitly. As for which directive was violated, that's pretty
   // harmless information.
+  //
+  // TODO(mkwst): This justification is BS. Insecure reports are mixed content,
+  // let's kill them. https://crbug.com/695363
 
   std::unique_ptr<JSONObject> cspReport = JSONObject::create();
   cspReport->setString("document-uri", violationData.documentURI());
   cspReport->setString("referrer", violationData.referrer());
   cspReport->setString("violated-directive", violationData.violatedDirective());
   cspReport->setString("effective-directive",
                        violationData.effectiveDirective());
   cspReport->setString("original-policy", violationData.originalPolicy());
   cspReport->setString("disposition", violationData.disposition());
   cspReport->setString("blocked-uri", violationData.blockedURI());
@@ skipping 439 matching lines @@
   if (SecurityOrigin::shouldUseInnerURL(url)) {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         SecurityOrigin::extractInnerURL(url).protocol(), area);
   } else {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         url.protocol(), area);
   }
 }
 
 }  // namespace blink