Closed
Bug 1487661
Opened 6 years ago
Closed 6 years ago
[wpt-sync] Sync PR 12776 - Implement script and style attr/elem CSP directives
Categories
(Core :: DOM: Security, enhancement, P4)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla64
| | Tracking | Status |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
Details
(Whiteboard: [wptsync downstream][domsecurity-backlog])
Sync web-platform-tests PR 12776 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/12776

Details from upstream follow.

Andy Paicu <andypaicu@chromium.org> wrote:
> Implement script and style attr/elem CSP directives
>
> The functionality is behind the
> ContentSecurityPolicyExperimentalFeaturesEnabled flag
>
> I2IS: Coming Soon
>
> Spec:
> https://w3c.github.io/webappsec-csp/#directive-script-src-elem
> https://w3c.github.io/webappsec-csp/#directive-script-src-attr
> https://w3c.github.io/webappsec-csp/#directive-style-src-elem
> https://w3c.github.io/webappsec-csp/#directive-style-src-attr
>
> Change-Id: Ic1638cac15c7ec488fcc7a4c9f6261b97502090a
>
> Reviewed-on: https://chromium-review.googlesource.com/1181050
> WPT-Export-Revision: 7ebbcd97e6e8b79fdef2d105fa0de195146dbe1e
Updated•6 years ago (Assignee)
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Comment 1•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=50fe6dee3f1c529fbfc25d6a6d2573ec336154e1
Comment 2•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=89ded9ea9bbfe99a70f1c26f3789df30ed5f0fc6
Comment 3•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=e51123bc81d97e4440f84a51df8b7af4bef062f1
Comment 4•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=8aeca76c9f2dd3ce71e45a4c5d9ab982912a6a11
Updated•6 years ago
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Comment 5•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=ca7bea99fb716c4c9a6f4bba4547234d67e398d0
Updated•6 years ago (Assignee)
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Updated•6 years ago
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Comment 6•6 years ago (Assignee)
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=8d2f91823c93f0cd4f7d7027dc2b6a169fd87e0b
Comment 7•6 years ago (Assignee)
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=8639509c57fb1d96aa5a6462ea1ac755a5103f6e
Comment 8•6 years ago (Assignee)
Ran 70 tests and 117 subtests
OK     : 57
PASS   : 30
FAIL   : 72
TIMEOUT: 17
NOTRUN : 11

Existing tests that now have a worse result (e.g. they used to PASS and now FAIL):

/content-security-policy/generic/generic-0_10_1.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_2.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_3.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_8_1.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/script-src/javascript-window-open-blocked.html
    Check that a securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-1_2_1.html
    Test that securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
    Test that the securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
    Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
    Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
    Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
    Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html
    Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html
    All the expected CSP violation reports have been fired.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html
    Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Script injected via `innerHTML` is not allowed with `strict-dynamic`.: FAIL
    Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
    Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]: FAIL
/content-security-policy/style-src/style-src-hash-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-imported-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-inline-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-none-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/stylenonce-allowed.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/style-src/stylenonce-blocked.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/svg/svg-inline.sub.html
    Should fire violation event: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
    Test that the inline event handler is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
    Test that the inline style attribute is blocked: FAIL

New tests that have failures or other problems:

/content-security-policy/blob/blob-urls-do-not-match-self.sub.html
    Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/default-src/default-src-inline-blocked.sub.html
    Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"]: FAIL
/content-security-policy/meta/combine-header-and-meta-policies.sub.html
    Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html: TIMEOUT
    Should fire a spv event: NOTRUN
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html
    Should fire a security policy violation event: FAIL
/content-security-policy/script-src/injected-inline-script-blocked.sub.html
    Expecting logs: ["violated-directive=script-src-elem",]: FAIL
/content-security-policy/script-src/script-src-1_1.html
    Should fire policy violation events: FAIL
/content-security-policy/script-src/script-src-1_2.html
    Should fire policy violation events: FAIL
/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
    Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
    Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
    Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html
    Should apply the style attribute: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
    The attribute style should not be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
    The attribute style should not be applied and the inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html
    Inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html: TIMEOUT
    Should fire a security policy violation for the inline block: NOTRUN
    The inline style should not be applied and the attribute style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
    The inline style should not be applied: FAIL
/content-security-policy/style-src/injected-inline-style-blocked.sub.html
    Expecting logs: ["violated-directive=style-src-elem","PASS"]: FAIL
/content-security-policy/style-src/inline-style-attribute-blocked.sub.html
    Expecting logs: ["violated-directive=style-src-attr","PASS"]: FAIL
/content-security-policy/style-src/stylehash-basic-blocked.sub.html
    Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]: FAIL
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2cf2fa194118
[wpt PR 12776] - Implement script and style attr/elem CSP directives, a=testonly
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e76f8bf65f2
[wpt PR 12776] - Update wpt metadata, a=testonly
Comment 10•6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/2cf2fa194118
https://hg.mozilla.org/mozilla-central/rev/8e76f8bf65f2
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64