Closed Bug 1468173 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 11457 - Completed 'unsafe-hashes' per spec

Categories

(Core :: DOM: Security, enhancement, P4)

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 11457 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/11457
Details from upstream follow.

Andy Paicu <andypaicu@chromium.org> wrote:
>  Completed 'unsafe-hashes' per spec
>  
>  'unsafe-hashed-attributes' renamed to 'unsafe-hashes'
>  'unsafe-hashes' matches style attributes correctly now
>  'unsafe-hashes' works for javascript: URLs
>  'unsafe-hashes' tests added and amended
>  
>  spec (approved and to be submitted at the same time as this CR):
>  https://github.com/w3c/webappsec-csp/pull/311
>  
>  Bug: 771922
>  Change-Id: I018cc0f73d492cb4057ff4c41d9be4df8438036c
>  
>  Reviewed-on: https://chromium-review.googlesource.com/1095217
>  WPT-Export-Revision: fcf4f46b43b2b5a038cc7ed9dd55c9348ff70d10
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Ran 21 tests and 37 subtests
OK     : 16
PASS   : 5
FAIL   : 18
TIMEOUT: 3
ERROR  : 4
NOTRUN : 12

New tests that have failures or other problems:
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html: ERROR
    Effective policy is properly found where 'unsafe-hashes' is not subsumed.: FAIL
    No other keyword has the same effect as 'unsafe-hashes'.: FAIL
    Other expressions have to be subsumed.: FAIL
    Required csp must allow 'unsafe-hashes'.: FAIL
/content-security-policy/unsafe-hashes/javascript_src_allowed-href.html
    Test that the javascript: src is allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank.html
    Test that the javascript: src is allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_allowed-window_location.html
    Test that the javascript: src is allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_allowed-window_open.html
    Test that the javascript: src is allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_allowed.html
    Test that the inline event handler is allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes.html
    Test that the inline event handler is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
    Test that the inline event handler is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/style_attribute_allowed.html: ERROR
    Test that the inline style attribute is loaded: NOTRUN
/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html: TIMEOUT
    Test that the inline style attribute is blocked: NOTRUN
/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
    Test that the inline style attribute is blocked: FAIL
Pushed by james@hoppipolla.co.uk:
https://hg.mozilla.org/integration/mozilla-inbound/rev/08ae28934584
[wpt PR 11457] - Completed 'unsafe-hashes' per spec, a=testonly
https://hg.mozilla.org/integration/mozilla-inbound/rev/948f128a6992
[wpt PR 11457] - Update wpt metadata, a=testonly
https://hg.mozilla.org/mozilla-central/rev/08ae28934584
https://hg.mozilla.org/mozilla-central/rev/948f128a6992
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63