Closed Bug 1589379 Opened 6 years ago Closed 5 years ago

[wpt-sync] Sync PR 19758 - [Trusted Types] Handle navigation to javascript:-URLs as a TT violation.

Categories

(Core :: DOM: Security, task, P4)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 19758 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/19758
Details from upstream follow.

Daniel Vogelheim <vogelheim@chromium.org> wrote:

[Trusted Types] Handle navigation to javascript:-URLs as a TT violation.

This adds a second CSP-triggered check when navigating to
javascript:-URLs. Newer Trusted Type spec versions treat this
similar to an assignment to a \<script> tag and run the TT
default policy on it.

The implementation is a bit more complicated, because this is
a TT check that does not normally occur during JS execution.

This updates the TT implementation to the latest spec version.

R=mkwst

Bug: 1002555
Change-Id: I4b815c74c5b9e3e4a11c7cc35c8668d32d2ae7e5
Reviewed-on: https://chromium-review.googlesource.com/1865313
WPT-Export-Revision: 24a0380fcd571117b4ea78d12d8a2ad80305363d

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]

GitHub CI Results

wpt.fyi PR Results Base Results

Ran 1 tests and 4 subtests

Firefox

TIMEOUT: 2
NOTRUN : 3

Chrome

TIMEOUT: 2
NOTRUN : 3

Safari

TIMEOUT: 2
NOTRUN : 3

New tests that's don't pass

/trusted-types/trusted-types-navigation.tentative.html: Firefox: TIMEOUT, Chrome: TIMEOUT, Safari: TIMEOUT
Navigate a window with javascript:-urls w/ default policy in enforcing mode.: Firefox: NOTRUN, Chrome: NOTRUN, Safari: NOTRUN
Navigate a window with javascript:-urls in report-only mode.: Firefox: NOTRUN, Chrome: NOTRUN, Safari: NOTRUN
Navigate a window with javascript:-urls in enforcing mode.: Firefox: TIMEOUT, Chrome: TIMEOUT, Safari: TIMEOUT
Navigate a window with javascript:-urls w/ default policy in report-only mode.: Firefox: NOTRUN, Chrome: NOTRUN, Safari: NOTRUN

Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aff14f0417fa [wpt PR 19758] - [Trusted Types] Handle navigation to javascript:-URLs as a TT violation., a=testonly https://hg.mozilla.org/integration/autoland/rev/bcc073752446 [wpt PR 19758] - Update wpt metadata, a=testonly

https://hg.mozilla.org/mozilla-central/rev/aff14f0417fa
https://hg.mozilla.org/mozilla-central/rev/bcc073752446

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
You need to log in before you can comment on or make changes to this bug.