Closed Bug 1636041 Opened 1 year ago Closed 11 months ago

[wpt-sync] Sync PR 23421 - Use original URL before redirects as blocked URL in CSP reporting

Categories

(Core :: DOM: Security, task, P4)

task

Tracking


RESOLVED FIXED
mozilla78
Tracking Status
firefox78 --- fixed

People

(Reporter: mozilla.org, Unassigned)

References


Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 23421 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/23421
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Use original URL before redirects as blocked URL in CSP reporting

When a resource was being blocked because of a Content Security Policy
violation after a redirect happened, we were using the final
URL (after the redirect) in the CSP reporting. This is a security
issue, since it could expose confidential information such as a token
contained in the redirect URL. As stated in
https://w3c.github.io/webappsec-csp/#create-violation-for-request
("We use request's url, and not its current url, as the latter might
contain information about redirect targets to which the page MUST NOT
be given access."), we should instead report the request's original URL.

Bug: 932892
Change-Id: I1864e6e9e4cc266615e49276012ba7f9d96672f7
Fixed: 932892
Reviewed-on: https://chromium-review.googlesource.com/2181363
WPT-Export-Revision: 7f86c4f528d11239628a00c85054fdde83e64de1
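The commit message above describes the behavioural change but not the shape of the data involved. The following is an added illustration in JavaScript, written for this page; it is not code from the PR, from Chromium or from Gecko. It models a Fetch-style request record (an original `url` plus a `urlList` that grows on each redirect), builds a CSP violation report the way the spec's "create a violation object for request" step does, and contrasts the pre-fix report (built from the request's current URL) with the corrected one (built from the request's original URL). The `stripUrlForReports` helper follows the CSP3 "strip URL for use in reports" algorithm as I understand it (drop fragment and credentials, non-HTTP(S) URLs collapse to their scheme); the report field names are those used by the CSP report format, and `reportLeaksRedirectTarget` is a hypothetical check added here for the reader, not a spec step.

```javascript
// Added example: how a CSP "blocked-uri" should be derived around a redirect.
// Not the Chromium/Gecko implementation; a self-contained model of the spec step.

// CSP3 "strip URL for use in reports" (assumed reading of the spec):
// non-HTTP(S) -> just the scheme; otherwise remove fragment, username, password.
function stripUrlForReports(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return url.protocol.replace(/:$/, "");
  }
  url.hash = "";
  url.username = "";
  url.password = "";
  return url.href;
}

// Minimal Fetch-style request record: `url` is the URL the page asked for,
// `urlList` is every URL visited, so the last entry is the "current URL".
function makeRequest(url) {
  return { url, urlList: [url] };
}

function currentUrl(request) {
  return request.urlList[request.urlList.length - 1];
}

// Apply a Location header: resolve it against the current URL and record it.
function followRedirect(request, location) {
  request.urlList.push(new URL(location, currentUrl(request)).href);
}

// Common part of the violation report (fields from the CSP report format).
function baseReport(request, directive, documentUrl, policy, blockedUri) {
  return {
    "document-uri": stripUrlForReports(documentUrl),
    "blocked-uri": stripUrlForReports(blockedUri),
    "effective-directive": directive,
    "violated-directive": directive,
    "original-policy": policy,
    disposition: "enforce",
    // Kept for the check below; a real report never carries the url list.
    _urlList: request.urlList.slice(),
  };
}

// Pre-fix behaviour described in the commit message: the report is built from
// the request's *current* URL, i.e. the post-redirect target.
function createViolationBeforeFix(request, directive, documentUrl, policy) {
  return baseReport(request, directive, documentUrl, policy, currentUrl(request));
}

// Fixed behaviour: the report is built from the request's original URL, so a
// redirect target the page was never allowed to see is not echoed back to it.
function createViolation(request, directive, documentUrl, policy) {
  return baseReport(request, directive, documentUrl, policy, request.url);
}

// Hypothetical defender-side check (not a spec step): does the blocked-uri
// match any URL reached only through a redirect? True means the report leaks.
function reportLeaksRedirectTarget(report) {
  const redirectTargets = report._urlList.slice(1).map(stripUrlForReports);
  return redirectTargets.includes(report["blocked-uri"]);
}

// Worked scenario with constructed values: the page loads a script from a CDN,
// the CDN redirects to a login endpoint whose URL carries a bearer token, and
// the policy only allows the CDN origin, so the redirected load is blocked.
function demo() {
  const policy = "script-src https://cdn.example";
  const request = makeRequest("https://cdn.example/app.js");
  followRedirect(request, "https://login.example/callback?token=SECRET-TOKEN-123");

  const before = createViolationBeforeFix(request, "script-src", "https://app.example/", policy);
  const after = createViolation(request, "script-src", "https://app.example/", policy);
  return { before, after };
}
```

Running `demo()` shows the difference in one field: before the fix, `blocked-uri` is `https://login.example/callback?token=SECRET-TOKEN-123` (the redirect target, token included), which a page that can read `securitypolicyviolation` events or a report-uri endpoint would otherwise never have been allowed to observe; after the fix it is `https://cdn.example/app.js`, the URL the page itself requested.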

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → INVALID
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 73 tests

Status Summary

Firefox

OK : 2
PASS : 5 [GitHub], 76 [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]
FAIL : 1

Chrome

OK : 1
PASS : 3
FAIL : 1
TIMEOUT: 3

Safari

OK : 1
PASS : 2
FAIL : 1
TIMEOUT: 4

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub.html
Violation report status OK.: FAIL (Chrome: FAIL, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b701fb3c804
[wpt PR 23421] - Use original URL before redirects as blocked URL in CSP reporting, a=testonly
https://hg.mozilla.org/integration/autoland/rev/82af86b48e9f
[wpt PR 23421] - Update wpt metadata, a=testonly
Status: REOPENED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78