Open Bug 1514230 Opened 5 years ago Updated 2 years ago

[CSP] Firefox only failures for Web-Platform Tests

Categories

(Core :: DOM: Security, defect, P3)

People

(Reporter: automatedtester, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome, parity-safari, Whiteboard: [domsecurity-backlog1])

The following tests fail in Firefox but pass in other browsers as documented in https://foolip.github.io/ad-hoc-wpt-results-analysis/firefox-lone-failures.html

/content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
/content-security-policy/font-src/font-self-allowed.html
/content-security-policy/generic/only-valid-whitespaces-are-allowed.html
/content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html
/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html
/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html
/content-security-policy/reporting/report-same-origin-with-cookies.html
/content-security-policy/style-src/style-src-hash-default-src-allowed.html
/content-security-policy/style-src/stylehash-default-src.sub.html

Some of those tests will be fixed within Bug 965637, in particular:
* content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html
* content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html

We never send cookies for reports, no matter if same origin or cross origin, see:
  https://searchfox.org/mozilla-central/source/dom/security/nsCSPContext.cpp#1012
hence the following test is failing:
* content-security-policy/reporting/report-same-origin-with-cookies.html

It seems that our parser is too forgiving and also accepts invalid whitespaces, hence the following test is failing:
* content-security-policy/generic/only-valid-whitespaces-are-allowed.html

Our implementation does not hide 'nonce' content attribute, hence the following tests are failing:
* content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html
* content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html

Ultimately we can take a closer look and fix those few wpt-tests for CSP, but I would like to defer to after Bug 965637 has landed (which should happen end of Q1) which definitely makes things a whole lot easier.
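
The whitespace divergence mentioned in the comment above, as an added example that is not part of the bug report or Firefox's code: a serialized-policy parser that splits only on the five ASCII whitespace code points from the Infra standard (TAB, LF, FF, CR, SPACE), beside a forgiving one that splits on any Unicode whitespace. The function names and sample separators are constructed for illustration.

```javascript
// Added illustration; names and sample input are constructed, not Firefox code.
// ASCII whitespace per the Infra standard: TAB, LF, FF, CR, SPACE.
const ASCII_WS = /[\t\n\f\r ]+/;
const ASCII_WS_EDGES = /^[\t\n\f\r ]+|[\t\n\f\r ]+$/g;

// Strict parser: split on ';', then trim and tokenize on ASCII whitespace only.
function parseStrict(serialized) {
  const policy = new Map();
  for (let token of serialized.split(";")) {
    token = token.replace(ASCII_WS_EDGES, "");
    if (token === "") continue;
    const [rawName, ...value] = token.split(ASCII_WS);
    // ASCII-lowercase only, so non-ASCII code points are left untouched.
    const name = rawName.replace(/[A-Z]/g, (c) => c.toLowerCase());
    if (!policy.has(name)) policy.set(name, value); // first occurrence wins
  }
  return policy;
}

// Forgiving parser: \s and trim() also accept U+000B, U+00A0, U+2003, etc.
function parseForgiving(serialized) {
  const policy = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// For each separator, report whether each parser ends up with a script-src directive.
function compare(separators) {
  return separators.map(([label, sep]) => {
    const header = `script-src${sep}'self'`;
    return {
      label,
      strict: parseStrict(header).has("script-src"),
      forgiving: parseForgiving(header).has("script-src"),
    };
  });
}

const SAMPLE_SEPARATORS = [ // constructed sample input
  ["space", " "], ["tab", "\t"], ["form feed", "\f"],
  ["vertical tab", "\v"], ["no-break space", "\u00a0"], ["em space", "\u2003"],
];
console.table(compare(SAMPLE_SEPARATORS));
```

With the last three separators the strict parser sees one unknown directive name and enforces no `script-src`, while the forgiving parser enforces `script-src 'self'`, so the same header yields different policies across engines.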

As mentioned in comment 1 some of those will get fixed within Bug 965637, hence adding Bug 965637 as a dependency.

Depends on: 965637

We should add separate dependency bugs for the other issues, too, and make this a tracking bug. Otherwise things will get missed.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [domsecurity-active]
Depends on: 1615405

Putting this one back in the backlog, we have some higher priority work to finish...

Assignee: ckerschb → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Severity: normal → S3