Closed Bug 1487661 Opened 6 years ago Closed 6 years ago

[wpt-sync] Sync PR 12776 - Implement script and style attr/elem CSP directives

Categories

(Core :: DOM: Security, enhancement, P4)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 12776 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/12776
Details from upstream follow.

Andy Paicu <andypaicu@chromium.org> wrote:
>  Implement script and style attr/elem CSP directives
>  
>  The functionality is behind the
>  ContentSecurityPolicyExperimentalFeaturesEnabled flag
>  
>  I2IS: Coming Soon
>  
>  Spec:
>  https://w3c.github.io/webappsec-csp/#directive-script-src-elem
>  https://w3c.github.io/webappsec-csp/#directive-script-src-attr
>  https://w3c.github.io/webappsec-csp/#directive-style-src-elem
>  https://w3c.github.io/webappsec-csp/#directive-style-src-attr
>  
>  Change-Id: Ic1638cac15c7ec488fcc7a4c9f6261b97502090a
>  
>  Reviewed-on: https://chromium-review.googlesource.com/1181050
>  WPT-Export-Revision: 7ebbcd97e6e8b79fdef2d105fa0de195146dbe1e
Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Ran 70 tests and 117 subtests
OK     : 57
PASS   : 30
FAIL   : 72
TIMEOUT: 17
NOTRUN : 11

Existing tests that now have a worse result (e.g. they used to PASS and now FAIL):
/content-security-policy/generic/generic-0_10_1.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_2.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_2_3.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/generic/generic-0_8_1.sub.html
    Should fire violation events for every failed violation: FAIL
/content-security-policy/script-src/javascript-window-open-blocked.html
    Check that a securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-1_2_1.html
    Test that securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html
    Test that the securitypolicyviolation event is fired: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_discard_whitelist.html
    Whitelisted script without a correct nonce is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html
    Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
    Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_report_only.html
    Script injected via `appendChild` is allowed with `strict-dynamic` + Report-Only `script-src 'none'` policy.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html
    Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html
    All the expected CSP violation reports have been fired.: FAIL
/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html
    Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.: FAIL
    Script injected via `innerHTML` is not allowed with `strict-dynamic`.: FAIL
    Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`.: FAIL
/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/script-src/scriptnonce-and-scripthash.sub.html
    Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]: FAIL
/content-security-policy/style-src/style-src-hash-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-imported-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-inline-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-none-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html
    Should fire a securitypolicyviolation event: FAIL
/content-security-policy/style-src/stylenonce-allowed.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/style-src/stylenonce-blocked.sub.html
    Should fire securitypolicyviolation: FAIL
/content-security-policy/svg/svg-inline.sub.html
    Should fire violation event: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html
    Test that the javascript: src is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html
    Test that the inline event handler is not allowed to run: FAIL
/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html
    Test that the inline style attribute is blocked: FAIL

New tests that have failures or other problems:
/content-security-policy/blob/blob-urls-do-not-match-self.sub.html
    Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/default-src/default-src-inline-blocked.sub.html
    Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"]: FAIL
/content-security-policy/meta/combine-header-and-meta-policies.sub.html
    Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed.html: TIMEOUT
    Should fire a spv event: NOTRUN
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-allowed-src-blocked.html
    Should not fire a security policy violation event: FAIL
/content-security-policy/script-src-attr-elem/strict-dynamic-elem-blocked-src-allowed.sub.html
    Should fire a security policy violation event: FAIL
/content-security-policy/script-src/injected-inline-script-blocked.sub.html
    Expecting logs: ["violated-directive=script-src-elem",]: FAIL
/content-security-policy/script-src/script-src-1_1.html
    Should fire policy violation events: FAIL
/content-security-policy/script-src/script-src-1_2.html
    Should fire policy violation events: FAIL
/content-security-policy/script-src/scriptnonce-basic-blocked.sub.html
    Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub.html
    Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]: FAIL
/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html
    Expecting logs: ["violated-directive=script-src-elem"]: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked.html
    Should apply the style attribute: FAIL
/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
    The attribute style should not be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html: TIMEOUT
    Should fire a security policy violation for the attribute: NOTRUN
    The attribute style should not be applied and the inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked.html
    Inline style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html: TIMEOUT
    Should fire a security policy violation for the inline block: NOTRUN
    The inline style should not be applied and the attribute style should be applied: FAIL
/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html: TIMEOUT
    Should fire a security policy violation event: NOTRUN
    The inline style should not be applied: FAIL
/content-security-policy/style-src/injected-inline-style-blocked.sub.html
    Expecting logs: ["violated-directive=style-src-elem","PASS"]: FAIL
/content-security-policy/style-src/inline-style-attribute-blocked.sub.html
    Expecting logs: ["violated-directive=style-src-attr","PASS"]: FAIL
/content-security-policy/style-src/stylehash-basic-blocked.sub.html
    Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]: FAIL
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2cf2fa194118
[wpt PR 12776] - Implement script and style attr/elem CSP directives, a=testonly
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e76f8bf65f2
[wpt PR 12776] - Update wpt metadata, a=testonly
https://hg.mozilla.org/mozilla-central/rev/2cf2fa194118
https://hg.mozilla.org/mozilla-central/rev/8e76f8bf65f2
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64