angler-fishThe Vulnerability History Project

CSP: Strip the fragment from reported URLs.

      We should have been stripping the fragment from the URL we report for
CSP violations, but we weren't. Now we are, by running the URLs through
`stripURLForUseInReport()`, which implements the stripping algorithm
from CSP2: https://www.w3.org/TR/CSP2/#strip-uri-for-reporting

Eventually, we will migrate more completely to the CSP3 world that
doesn't require such detailed stripping, as it exposes less data to the
reports, but we're not there yet.

BUG=678776

Review-Url: https://codereview.chromium.org/2619783002
Cr-Commit-Position: refs/heads/master@{#458045}
by Wallace the Slow Worm 2017-03-20 12:42:10 UTC
commit fea16c8b60ff3d0756d5eb392394963b647bc41a
Chromium Fix CVE-2017-5075
third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-strips-fragment.html
-20
third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+3 -12
expand_less