[wpt-sync] Sync PR 23506 - [Security][Coop] Use COOP only if this is top level
Categories
(Core :: DOM: Core & HTML, task, P4)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | fixed |
People
(Reporter: wpt-sync, Unassigned)
References
()
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 23506 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/23506
Details from upstream follow.
Pâris Meuleman <pmeuleman@chromium.org> wrote:
[Security][Coop] Use COOP only if this is top level
COOP is used only in top level document, and COOP headers from iframes
are ignored. This led to an issue in the linked bug, where COOP prevents
a sandboxed iframe to load.The spec change corresponding to this is under review here:
https://whatpr.org/html/5334/browsing-the-web.htmlwith this relevant extract:
Let navigationCOOP be "unsafe-none". If browsingContext is a top-level browsing context, then: Set navigationCOOP to the result of obtaining a cross-origin opener policy given response and reservedEnvironment. If sandboxFlags is not empty and navigationCOOP is not "unsafe-none", then display the inline content with an appropriate error shown to the user, with the newly created Document object's origin set to a new opaque origin, run the environment discarding steps for reservedEnvironment, and return.Bug: 1081169
Change-Id: I2c0b59c84ca52f63436a2312529a4bb0351fff30
Reviewed-on: https://chromium-review.googlesource.com/2193771
WPT-Export-Revision: 5fb26cfd84e6bce455b10ba42bb00c23e690aef9
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
|
|
Assignee | |
Comment 2•5 years ago
|
||
CI Results
Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 72 tests
Status Summary
Firefox
OK : 1
PASS: 2[GitHub] 71[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview] 73[Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]
FAIL: 1
Chrome
OK : 1
PASS: 2
FAIL: 1
Safari
OK : 1
FAIL: 3
Links
Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base
Details
New Tests That Don't Pass
/html/cross-origin-opener-policy/coop-sandbox.https.html: OK [Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt, GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview] (Chrome: OK, Safari: OK)
<iframe sandbox="allow-popups allow-scripts"> Sandboxed Cross-Origin-Opener-Policy popup should result in a network error: FAIL (Chrome: PASS, Safari: FAIL)
Tests Disabled in Gecko Infrastructure
/html/cross-origin-opener-policy/coop-sandbox.https.html: OK [Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt, GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview] (Chrome: OK, Safari: OK)
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
Description
•