Open
Bug 1555177
Opened 4 years ago
Updated 3 years ago
Make WPT test service-workers/service-worker/fetch-csp.https.html pass
Categories
(Core :: DOM: Service Workers, defect, P3)
NEW
People
(Reporter: asuth, Unassigned)
We've kept disabling it, but it passes for other servers.
From reading the test at https://searchfox.org/mozilla-central/source/testing/web-platform/tests/service-workers/service-worker/fetch-csp.https.html it:
- Registers a SW against https://searchfox.org/mozilla-central/source/testing/web-platform/tests/service-workers/service-worker/resources/fetch-csp-iframe.html
- That file has headers of Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}} served from https://searchfox.org/mozilla-central/source/testing/web-platform/tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers
- The file also uses a meta http-equiv tag that gets tunneled through the URL.search.
- The frame is initially loaded with a URL.search that's the "img-src" equivalent of the initial headers served (host_info['HTTPS_ORIGIN']), but also adds script-src 'unsafe-inline'.
- When it's time to test redirects, the frame is removed and re-loaded but with an img-src of REDIRECT_URL.
We fail when the SW performs a pass-through fetch that was redirected. (But we pass if the SW doesn't respondWith at all and the interception gets reset.)
Apparently the spec bits are https://w3c.github.io/webappsec-csp/#source-list-paths-and-redirects.
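The spec section linked above says a source expression's path is only compared against the URL of the initial request; once a redirect has been followed, only scheme, host and port are checked. The sketch below is an added example, not code from the bug, the test or Gecko: it is a simplified matcher (exact hosts only, no wildcards, no percent-decoding), the function names are hypothetical, and the hosts and URLs are constructed.

```javascript
// Simplified CSP host-source matching with a redirect count.
// Assumptions: exact host names, explicit or default ports, no wildcards.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse "scheme://host[:port][/path]" into its parts.
function parseHostSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1].toLowerCase() + ":",
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || "",
  };
}

// A path ending in "/" is a directory prefix; anything else must match exactly.
function pathMatches(exprPath, urlPath) {
  if (exprPath.endsWith("/")) return urlPath.startsWith(exprPath);
  return urlPath === exprPath;
}

// redirectCount is 0 for the initial request, 1 after the first redirect, ...
function matchesSource(urlString, expr, redirectCount) {
  const url = new URL(urlString);
  const src = parseHostSource(expr);
  if (url.protocol !== src.scheme) return false;
  if (url.hostname !== src.host) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  const srcPort = src.port || DEFAULT_PORTS[src.scheme];
  if (urlPort !== srcPort) return false;
  // The path is only enforced before any redirect has happened.
  if (src.path !== "" && redirectCount === 0) {
    return pathMatches(src.path, url.pathname);
  }
  return true;
}

// Evaluate every hop of a redirect chain against an img-src source list.
function checkChain(sources, chain) {
  return chain.map((u, i) => sources.some((s) => matchesSource(u, s, i)));
}

// Constructed sample: policy "img-src https://a.test:8443/images/"
const SOURCES = ["https://a.test:8443/images/"];
console.log(checkChain(SOURCES, [
  "https://a.test:8443/images/x.png", // initial request, path checked
  "https://a.test:8443/other/y.png",  // after redirect, path ignored
]));
```
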
Updated•4 years ago
Priority: -- → P3
Updated•3 years ago
Severity: normal → S3