Closed Bug 1638372 Opened 5 years ago Closed 5 years ago

[wpt-sync] Sync PR 23637 - CSP embedder enforcement: Stop removing the allow-origin flag.

Categories

(Core :: DOM: Security, task, P4)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 23637 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/23637
Details from upstream follow.

arthursonzogni <arthursonzogni@chromium.org> wrote:

CSP embedder enforcement: Stop removing the allow-origin flag.

The origin of the error page is already an opaque data-url.
Updating the sandbox flags isn't necessary.
This unlocks https://crbug.com/1041376. After that, the browser
is able to compute the sandbox flags by itself, without relying
on the (potentially compromised) renderer process.

Bug: 1041376
Change-Id: Ida3635d4a07bcb486072b7dd6a271317fe274939

Reviewed-on: https://chromium-review.googlesource.com/2203199
WPT-Export-Revision: ec96231f519a701784e7090c56b1e191a5ebd6fd

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 72 tests

Status Summary

Firefox

OK : 1
PASS: 2[GitHub] 71[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]

Chrome

OK : 1
PASS: 2

Safari

OK : 1
PASS: 2

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)

Tests Disabled in Gecko Infrastructure

/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)

Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6577f2e67af5 [wpt PR 23637] - CSP embedder enforcement: Stop removing the allow-origin flag., a=testonly

https://hg.mozilla.org/mozilla-central/rev/6577f2e67af5

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in before you can comment on or make changes to this bug.