content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html is always TIMEOUT
Categories
(Core :: DOM: Security, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox77 | --- | fixed |
People
(Reporter: jmaher, Assigned: jmaher)
There are two tests in content-security-policy/navigation/ which are expected TIMEOUT:
- content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
- content-security-policy/navigation/to-javascript-url-script-src.html
I have verified locally on Windows 10 that these fail with TIMEOUT. I am not sure why this is the case, but I would prefer to remove tests that are designed to timeout so we can get faster test turnaround time and save machine time and money.
Comment 1 • 4 years ago (Assignee)
:jgraham, are these tests misconfigured in some way? Do you know of a magic preference we can set?
Comment 2 • 4 years ago
It looks like we're blocking a different script compared to Chrome; the test expects a CSP violation when you try to execute the onclick script but we get one on the initial load. I'm not enough of a CSP expert to know with confidence what's correct here.
Comment 3 • 4 years ago
(In reply to Joel Maher ( :jmaher ) (UTC-4) from comment #0)
> There are two tests in content-security-policy/navigation/ which are expected TIMEOUT:
> - content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html
In my opinion this test could be improved. As James indicated, Firefox CSP implementation already blocks the onclick handler since inline scripts are not allowed by the defined CSP policy. Hence I guess it makes sense to define the securitypolicyviolation event on the top-level document (as in the attached patch) and not only on the iframe. Probably there is some additional problem with the fact that Firefox does not support script-src-attr. Anyway, I think we could land my improvement to the test which would eliminate the timeout and would be forward compatible.
> - content-security-policy/navigation/to-javascript-url-script-src.html
This one runs to completion correctly on my Ubuntu machine and is also not marked as TIMEOUT as far as I can tell (maybe that got updated between the ni? request and now?)
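Added example (not part of the bug, its patch, or any comment): a small Node.js model of the CSP Level 3 fallback chain for inline script checks, showing how an engine that does not implement script-src-attr, as comment 3 says of Firefox, can block an inline handler that a full implementation allows. The policy string, the function names and the treatment of an unimplemented directive as unknown are assumptions of this model.

```javascript
// Added illustration, not code from the bug or from the web-platform-tests
// test: a model of which CSP directive governs an inline script check.
const FALLBACK = {
  "script attribute": ["script-src-attr", "script-src", "default-src"], // onclick="..."
  navigation: ["script-src-elem", "script-src", "default-src"], // javascript: URL
  script: ["script-src-elem", "script-src", "default-src"], // inline <script>
};

// Parse a serialized policy into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// 'unsafe-inline' has no effect next to a nonce, a hash or 'strict-dynamic'.
function allowsAllInline(sources) {
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s))) return false;
  if (lower.includes("'strict-dynamic'")) return false;
  return lower.includes("'unsafe-inline'");
}

// `supported`: directive names the engine implements (assumption of this
// model: an unimplemented directive is skipped like any unknown directive).
function checkInline(policy, type, supported) {
  const directives = parsePolicy(policy);
  for (const name of FALLBACK[type]) {
    if (!supported.has(name) || !directives.has(name)) continue;
    return { allowed: allowsAllInline(directives.get(name)), directive: name };
  }
  return { allowed: true, directive: null }; // no directive governs the check
}

const FULL_CSP3 = new Set(["script-src-attr", "script-src-elem", "script-src", "default-src"]);
const NO_ATTR_ELEM = new Set(["script-src", "default-src"]);
// Constructed policy, not the one used by the test discussed in this bug.
const POLICY = "script-src 'none'; script-src-attr 'unsafe-inline'";
console.log(checkInline(POLICY, "script attribute", FULL_CSP3));
console.log(checkInline(POLICY, "script attribute", NO_ATTR_ELEM));
```

With the constructed policy, the full CSP3 model resolves the handler check at script-src-attr and allows it, while the model without script-src-attr resolves it at script-src and blocks it.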
Comment 4 • 4 years ago
Ah, it seems attaching a patch causes Bugzilla to assign the bug to me - that was not my intention here.
Comment 5 • 4 years ago (Assignee)
:ckerschb, do you want me to take the patch and verify it works everywhere and get it reviewed/landed?
Comment 6 • 4 years ago
(In reply to Joel Maher ( :jmaher ) (UTC-4) from comment #5)
> :ckerschb, do you want me to take the patch and verify it works everywhere and get it reviewed/landed?
So while that patch would make the test succeed, I think it's better to mark the test as backlog as you did with the other tests since we are not going to implement script-src-attr anytime soon. If you could write the patch I am happy to review. Thanks for doing all this!
Comment 7 • 4 years ago (Assignee)
mark content-security-policy/navigation/to-javascript-url-script-src.html as backlog(tier-2).
Pushed by jmaher@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ad9958d7404c mark content-security-policy/navigation/to-javascript-url-script-src.html as backlog(tier-2). r=ckerschb