Closed Bug 1605266 Opened 4 years ago Closed 4 years ago

[wpt-sync] Sync PR 20877 - Origin policy: update CSP parsing to match the latest spec

Categories

(Testing :: web-platform-tests, task, P4)

Tracking

(firefox74 fixed)

RESOLVED FIXED
mozilla74
Tracking Status
firefox74 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 20877 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/20877
Details from upstream follow.

Domenic Denicola <domenic@chromium.org> wrote:

Origin policy: update CSP parsing to match the latest spec

This updates the parsing of the feature policy parts of the origin policy manifest to mostly match the latest spec draft at https://wicg.github.io/origin-policy/, in particular https://wicg.github.io/origin-policy/#parsing. That is, it moves away from "content-security-policy": [{ "policy": "string", "report-only" boolean }] to "content_security": { "policies": ["...CSP strings"], "policies_report_only": ["...CSP strings"] }.

Additionally, it removes the failure on parsing errors, as those are no longer in the spec.

This does not yet properly parse the CSP string as a CSP; instead it still treats it as a header (so, commas are allowed inside). A failing test is added for that case, which will be addressed in a followup CL.

Bug: 751996
Change-Id: I8d14815b486afd4a5622bc4b25874c81418fd38c
Reviewed-on: https://chromium-review.googlesource.com/1977148
WPT-Export-Revision: d4c152fb87d17570b33d2e8e347ecddb53d6c9c9

CI Results

Ran 0 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 11 tests and 1 subtests

Status Summary

Firefox

OK : 10
PASS : 6
FAIL : 8
TIMEOUT: 2

Chrome

OK : 10
PASS : 6
FAIL : 8
TIMEOUT: 2

Safari

OK : 10
PASS : 6
FAIL : 8
TIMEOUT: 2

Details

New Tests That Don't Pass

/origin-policy/content-security/valid.https.html
  eval must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
/origin-policy/content-security/valid-with-semicolon.https.html
  eval must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
  img loading must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
/origin-policy/content-security/double-content-security.https.html
  img loading must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
/origin-policy/content-security/trigger-violation-report-report-only.https.html: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  CSP via origin policy must trigger a securitypolicyviolation event even when the CSP is report-only: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
/origin-policy/content-security/double-policies.https.html
  img loading must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
/origin-policy/content-security/valid-with-multi-item-array.https.html
  eval must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
  img loading must be disallowed: FAIL (Chrome: FAIL, Safari: FAIL)
/origin-policy/content-security/trigger-violation-report.https.html
  CSP via origin policy must trigger a securitypolicyviolation event: FAIL (Chrome: FAIL, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7cefde539bff
[wpt PR 20877] - Origin policy: update CSP parsing to match the latest spec, a=testonly
https://hg.mozilla.org/integration/autoland/rev/231be3a5a925
[wpt PR 20877] - Update wpt metadata, a=testonly
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74