CSP violation reports should report the pre-redirect URL.
Before this patch, blocked cross-origin resource URLs are stripped down
to their origin before being reported to a policy's `report-uri` (same-origin
resources are reported in full). This doesn't match the specced behavior,
which suggests that we ought to be reporting the originally requested URL,
even if the blocked resource is the result of a redirect.
That is, given a policy which blocks `<img src='https://example.test/img.jpg'>`
directly, the report should contain `https://example.test/img.jpg`. If
that URL is allowed, but redirects to `https://example.test/other.jpg`,
which is blocked the report should still contain `https://example.test/img.jpg`
(see the note in https://w3c.github.io/webappsec-csp/#create-violation-for-request
for detail).
This patch gets us ~halfway there, by altering the behavior of
`stripURLForUseInReport` to take account of the redirect status of the blocked
resource. If it has been redirected, we'll keep the status quo stripping behavior.
If it hasn't been redirected, we'll report the entire URL.
A future patch will get redirects working entirely correctly, but given the
value of reporting for things like mixed content detection, I don't think it's
worth waiting for a full patch; there's enough value here over the
status quo to land it and merge it back a bit.
BUG=613960
Review-Url: https://codereview.chromium.org/2002943002
Cr-Commit-Position: refs/heads/master@{#396726}
16 files changed
