[CSP] Remove an outdated warning for `report-uri`.

We previously required `CSPRO` headers to contain `report-uri`. Since we added a DOM interface (`SecurityPolicyViolation` events and Reporting API integration), that requirement is no longer applied. We still surface a warning, but that's more verbose than it needs to be, given that the use case it warns about is completely legitimate. Bug: 1070533 Change-Id: Ica89fa0c8d53d563c6510426e2f6f11d2e7400c3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2145881 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#758851}

[CSP] Remove an outdated warning for `report-uri`.
We previously required `CSPRO` headers to contain `report-uri`. Since we added a DOM interface (`SecurityPolicyViolation` events and Reporting API integration), that requirement is no longer applied. We still surface a warning, but that's more verbose than it needs to be, given that the use case it warns about is completely legitimate. Bug: 1070533 Change-Id: Ica89fa0c8d53d563c6510426e2f6f11d2e7400c3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2145881 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#758851}
f7e8f449 · Mike West · Commit Bot · 12aea3e7 · f7e8f449 · f7e8f449
Commit f7e8f449 authored Apr 14, 2020 by Mike West Committed by Commit Bot Apr 14, 2020
6 changed files
--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.cc
@@ -1399,14 +1399,6 @@ void ContentSecurityPolicy::ReportInvalidSourceExpression(
  LogToConsole(message);
 }
-void ContentSecurityPolicy::ReportMissingReportURI(const String& policy) {
-  LogToConsole("The Content Security Policy '" + policy +
-               "' was delivered in report-only mode, but does not specify a "
-               "'report-uri'; the policy will have no effect. Please either "
-               "add a 'report-uri' directive, or deliver the policy via the "
-               "'Content-Security-Policy' header.");
-}
 void ContentSecurityPolicy::LogToConsole(const String& message,
                                         mojom::ConsoleMessageLevel level) {
  LogToConsole(MakeGarbageCollected<ConsoleMessage>(

--- a/third_party/blink/renderer/core/frame/csp/content_security_policy.h
+++ b/third_party/blink/renderer/core/frame/csp/content_security_policy.h
@@ -382,7 +382,6 @@ class CORE_EXPORT ContentSecurityPolicy final
  void ReportInvalidSandboxFlags(const String&);
  void ReportInvalidSourceExpression(const String& directive_name,
                                     const String& source);
-  void ReportMissingReportURI(const String&);
  void ReportUnsupportedDirective(const String&);
  void ReportInvalidInReportOnly(const String&);
  void ReportInvalidDirectiveInMeta(const String& directive_name);

--- a/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
+++ b/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
@@ -171,13 +171,6 @@ CSPDirectiveList* CSPDirectiveList::Create(ContentSecurityPolicy* policy,
    directives->SetEvalDisabledErrorMessage(message);
  }
-  if (directives->IsReportOnly() &&
-      source != ContentSecurityPolicySource::kMeta &&
-      directives->ReportEndpoints().IsEmpty()) {
-    policy->ReportMissingReportURI(
-        String(begin, static_cast<wtf_size_t>(end - begin)));
-  }
  return directives;
 }

--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt
-CONSOLE ERROR: The Content Security Policy 'script-src 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-This test passes if a console message is present, warning about the missing 'report-uri' directive.
--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing.php
-<?php
-header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline';");
-?>
-<!DOCTYPE html>
-<html>
-<head>
-    <script>
-        if (window.testRunner) {
-          testRunner.dumpAsText();
-          testRunner.dumpPingLoaderCallbacks();
-        }
-        if (window.internals)
-          internals.settings.setExperimentalContentSecurityPolicyFeaturesEnabled(false);
-    </script>
-</head>
-<body>
-    <p>This test passes if a console message is present, warning about the missing 'report-uri' directive.</p>
-</body>
-</html>
--- a/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt
+++ b/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt
 CONSOLE ERROR: The Content Security Policy directive 'sandbox' is ignored when delivered in a report-only policy.
-CONSOLE ERROR: The Content Security Policy 'sandbox' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
 CONSOLE MESSAGE: line 4: Script executed in iframe.
 ALERT: PASS: Iframe was not in a unique origin