Closed
Bug 1487661
Opened 7 years ago
Closed 7 years ago
[wpt-sync] Sync PR 12776 - Implement script and style attr/elem CSP directives
Categories
(Core :: DOM: Security, enhancement, P4)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla64

| | Tracking | Status |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: wpt-sync, Unassigned)
Details
(Whiteboard: [wptsync downstream][domsecurity-backlog])
Sync web-platform-tests PR 12776 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/12776
Details from upstream follow.
Andy Paicu <andypaicu@chromium.org> wrote:
> Implement script and style attr/elem CSP directives
>
> The functionality is behind the
> ContentSecurityPolicyExperimentalFeaturesEnabled flag
>
> I2IS: Coming Soon
>
> Spec:
> https://w3c.github.io/webappsec-csp/#directive-script-src-elem
> https://w3c.github.io/webappsec-csp/#directive-script-src-attr
> https://w3c.github.io/webappsec-csp/#directive-style-src-elem
> https://w3c.github.io/webappsec-csp/#directive-style-src-attr
>
> Change-Id: Ic1638cac15c7ec488fcc7a4c9f6261b97502090a
>
> Reviewed-on: https://chromium-review.googlesource.com/1181050
> WPT-Export-Revision: 7ebbcd97e6e8b79fdef2d105fa0de195146dbe1e
Updated•7 years ago
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Updated•7 years ago
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Updated•7 years ago
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Updated•7 years ago
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Comment 7•7 years ago
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=8639509c57fb1d96aa5a6462ea1ac755a5103f6e
Comment 8•7 years ago
Ran 70 tests and 117 subtests
OK : 57
PASS : 30
FAIL : 72
TIMEOUT: 17
NOTRUN : 11
Existing tests that now have a worse result (e.g. they used to PASS and now FAIL):
/content-security-policy/generic/generic-0_10_1.sub.html
Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_2.sub.html
Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_3.html
Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_8_1.sub.html
Should fire violation events for every failed violation: FAIL
/content-security-policy/script-src/javascript-window-open-blocked.html
Check that a securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-1_2_1.html
Test that securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
Test that the securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html
Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html
All the expected CSP violation reports have been fired.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html
Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
Script injected via `innerHTML` is not allowed with `strict-dynamic`.: FAIL
Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
Should fire securitypolicyviolation: FAIL
/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]: FAIL
/content-security-policy/style-src/style-src-hash-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-imported-style-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-inline-style-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-none-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/stylenonce-allowed.sub.html
Should fire securitypolicyviolation: FAIL
/content-security-policy/style-src/stylenonce-blocked.sub.html
Should fire securitypolicyviolation: FAIL
/content-security-policy/svg/svg-inline.sub.html
Should fire violation event: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
Test that the inline event handler is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
Test that the inline style attribute is blocked: FAIL
New tests that have failures or other problems:
/content-security-policy/blob/blob-urls-do-not-match-self.sub.html
Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/default-src/default-src-inline-blocked.sub.html
Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"]: FAIL
/content-security-policy/meta/combine-header-and-meta-policies.sub.html
Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html
Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html: TIMEOUT
Should fire a security policy violation event: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html: TIMEOUT
Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html
Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html: TIMEOUT
Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html: TIMEOUT
Should fire a spv event: NOTRUN
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html
Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html
Should fire a security policy violation event: FAIL
/content-security-policy/script-src/injected-inline-script-blocked.sub.html
Expecting logs: ["violated-directive=script-src-elem",]: FAIL
/content-security-policy/script-src/script-src-1_1.html
Should fire policy violation events: FAIL
/content-security-policy/script-src/script-src-1_2.html
Should fire policy violation events: FAIL
/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html
Should apply the style attribute: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html: TIMEOUT
Should fire a security policy violation event: NOTRUN
The attribute style should not be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html: TIMEOUT
Should fire a security policy violation for the attribute: NOTRUN
The attribute style should not be applied and the inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html
Inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html: TIMEOUT
Should fire a security policy violation for the inline block: NOTRUN
The inline style should not be applied and the attribute style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html: TIMEOUT
Should fire a security policy violation event: NOTRUN
The inline style should not be applied: FAIL
/content-security-policy/style-src/injected-inline-style-blocked.sub.html
Expecting logs: ["violated-directive=style-src-elem","PASS"]: FAIL
/content-security-policy/style-src/inline-style-attribute-blocked.sub.html
Expecting logs: ["violated-directive=style-src-attr","PASS"]: FAIL
/content-security-policy/style-src/stylehash-basic-blocked.sub.html
Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]: FAIL
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2cf2fa194118
[wpt PR 12776] - Implement script and style attr/elem CSP directives, a=testonly
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e76f8bf65f2
[wpt PR 12776] - Update wpt metadata, a=testonly
Comment 10•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2cf2fa194118
https://hg.mozilla.org/mozilla-central/rev/8e76f8bf65f2
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64