Closed Bug 1636129 Opened 9 months ago Closed 8 months ago

[wpt-sync] Sync PR 23461 - [Client-Hints] Fix cross-origin redirect leak

Categories

(Testing :: web-platform-tests, task, P4)

Tracking

(firefox78 fixed)

RESOLVED FIXED
mozilla78
Tracking Status
firefox78 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 23461 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/23461
Details from upstream follow.

Yoav Weiss <yoavweiss@chromium.org> wrote:

[Client-Hints] Fix cross-origin redirect leak

Client Hints are not supposed to be sent across cross-origin
redirects unless FeaturePolicy indicates that they should.
This CL enforces that and adds tests to that effect.

Bug: 911952
Change-Id: If3453409385b50f84b7ae188965b81c24f87dfc8

Reviewed-on: https://chromium-review.googlesource.com/2178572
WPT-Export-Revision: ef7793ee3fabc3224a7dace67b8ec2a39be4db31

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → INVALID
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 96 tests and 2 subtests

Status Summary

Firefox

OK : 23[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] 25[GitHub]
PASS: 55[GitHub] 115[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]
FAIL: 8[GitHub] 11[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]

Chrome

OK : 25
PASS: 56
FAIL: 7

Safari

OK : 25
PASS: 55
FAIL: 8

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/client-hints/accept-ch-stickiness/cross-origin-subresource-with-feature-policy.https.html
cross origin subresources authorized by FP gets it own resources got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/cross-origin-subresource-redirect-with-fp-delegation.https.html
cross-origin subresource redirect with Feature Policy delegaation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/same-origin-navigation-redirect.https.html
redirect on navigation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/http-equiv-same-origin-navigation.https.html
http-equiv same origin navigation got client hints according to expectations.: FAIL [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt], PASS [GitHub] (Chrome: PASS, Safari: PASS)
/client-hints/accept-ch-stickiness/cross-origin-iframe-redirect-with-fp-delegation.https.html
Iframe redirect with Feature Policy delegation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/http-equiv-cross-origin-navigation.https.html
http-equiv cross origin navigation got client hints according to expectations.: FAIL [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt], PASS [GitHub] (Chrome: PASS, Safari: PASS)
/client-hints/accept-ch-stickiness/same-origin-subresource-redirect-opted-in.https.html
same-origin subresource redirect with opt-in got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/http-equiv-same-origin-iframe.https.html
http-equiv same origin iframe got client hints according to expectations.: FAIL [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt], PASS [GitHub] (Chrome: PASS, Safari: PASS)
/client-hints/accept-ch-stickiness/same-origin-navigation.https.html
same origin navigation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/same-origin-navigation-no-accept-ch.https.html
empty-ch on navigation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)
/client-hints/accept-ch-stickiness/same-origin-iframe.https.html
same origin iframe got client hints according to expectations.: FAIL
/client-hints/accept-ch-stickiness/cross-origin-navigation.https.html
cross origin navigation got client hints according to expectations.: FAIL (Chrome: PASS, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/40ad439415d7
[wpt PR 23461] - [Client-Hints] Fix cross-origin redirect leak, a=testonly
https://hg.mozilla.org/integration/autoland/rev/1e5dd41f8ad0
[wpt PR 23461] - Update wpt metadata, a=testonly
Status: REOPENED → RESOLVED
Closed: 9 months ago → 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78