[wpt-sync] Sync PR 24311 - Implement CSPEE Blanket Enforcement logic out-of-blink
Categories
(Core :: DOM: Security, task, P4)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
Details
(Whiteboard: [wptsync downstream][domsecurity-backlog])
Sync web-platform-tests PR 24311 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/24311
Details from upstream follow.
Antonio Sartori <antoniosartori@chromium.org> wrote:
Implement CSPEE Blanket Enforcement logic out-of-blink
This change adds to the AncestorThrottle a check for the step
"Does response allow blanket enforcement of policy from request" of
Content Security Policy: Embedded Enforcement:
https://w3c.github.io/webappsec-cspee/#origin-allowed
Behind the flag
This is one of the steps of moving CSPEE out-of-blink and is hidden
under the flag network::features::kOutOfBlinkCSPEE.
Change-Id: Id3092322134e055810d4006e63e6974ee64315be
Bug: 1094909
Reviewed-on: https://chromium-review.googlesource.com/2218019
WPT-Export-Revision: 19580155fcd405edaa20e2f43ac5cfdbc0a2538e
Comment 1•4 years ago
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=54c95c062514de047b0f497a370013fb9c0aa9c5
Comment 2•4 years ago
CI Results
Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 18 tests and 9 subtests
Status Summary
Firefox
OK : 18
PASS : 174
FAIL : 89
Chrome
OK : 18
PASS : 263
Safari
OK : 17
PASS : 171
FAIL : 89
TIMEOUT: 4
Links
Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base
Details
New Tests That Don't Pass
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: TIMEOUT)
Effective returned csp allows 'unsafe-inline': FAIL (Chrome: PASS, Safari: FAIL)
Required csp does not allow unsafe-inline, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp allows strict-dynamic, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a nonce.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a hash.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Iframe with a different CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with empty returned CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with less restricting CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
'sha256-abc123' is not subsumed by 'sha256-abc456'.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Returned should not include hashes not present in required csp.: FAIL (Chrome: PASS, Safari: FAIL)
Hashes do not have to be present in returned csp but must not allow all inline behavior.: FAIL (Chrome: PASS, Safari: FAIL)
Effective policy is properly found where 'sha256-abc123' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'sha256-abc123'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Two same-origin iframes must appear as cross-origin when one is blocked: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
More specific subdomain should not match.: FAIL (Chrome: PASS, Safari: FAIL)
Host must match.: FAIL (Chrome: PASS, Safari: FAIL)
Hosts without wildcards must match.: FAIL (Chrome: PASS, Safari: FAIL)
Specified host should not match a wildcard host.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Returned CSP must not allow 'self' if required CSP does not.: FAIL (Chrome: PASS, Safari: FAIL)
Returned 'self' should not be subsumed by a more secure version of origin's url.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Wildcard port should not be subsumed by a default port.: FAIL (Chrome: PASS, Safari: FAIL)
Specified ports must match.: FAIL (Chrome: PASS, Safari: FAIL)
Wildcard port should not be subsumed by a spcified port.: FAIL (Chrome: PASS, Safari: FAIL)
Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Effective policy is properly found where 'unsafe-hashes' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
No other keyword has the same effect as 'unsafe-hashes'.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'unsafe-hashes'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
'strict-dynamic' is properly handled for finding effective policy.: FAIL (Chrome: PASS, Safari: FAIL)
'strict-dynamic' is effective only for script-src.: FAIL (Chrome: PASS, Safari: FAIL)
'strict-dynamic' has to be allowed by required csp if it is present in returned csp.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
A nonce has to be returned if required by the embedder.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions still have to be subsumed - negative test: FAIL (Chrome: PASS, Safari: FAIL)
Nonce intersection is still done on exact match - matching nonces.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Returned CSP must specify a path.: FAIL (Chrome: PASS, Safari: FAIL)
That should not be true when required csp specifies a specific page.: FAIL (Chrome: PASS, Safari: FAIL)
Empty path is not subsumed by specified paths.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
If scheme source is present in returned csp, it must be specified in required csp too.: FAIL (Chrome: PASS, Safari: FAIL)
http: does not subsume other protocols.: FAIL (Chrome: PASS, Safari: FAIL)
https is more restrictive than http.: FAIL (Chrome: PASS, Safari: FAIL)
All scheme sources must be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - url encoded string: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - report-to present: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - html encoded string: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Sec-Required-CSP is not sent if csp attribute is not set on <iframe>.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - comma separated: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - report-uri present: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/allow_csp_from-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Star Allow-CSP-From header enforces EmbeddingCSP.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with improper Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Allow-CSP-From header enforces EmbeddingCSP.: FAIL (Chrome: PASS, Safari: FAIL)
Cross origin iframe with an empty Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Cross origin iframe without Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Effective policy is properly found where 'unsafe-eval' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'unsafe-eval'.: FAIL (Chrome: PASS, Safari: FAIL)
No other keyword has the same effect as 'unsafe-eval'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Both required and returned csp are none for only one directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required policy that allows none does not subsume empty list of policies.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume none of different directives.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume none of another directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume a host source expression.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with effective none does not subsume none of another directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with effective none does not subsume a host source expression.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test same origin: Test no policy on first iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (bad directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (bad directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test less restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test same policy for both iframes: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test more restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test no policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)
Tests Disabled in Gecko Infrastructure
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: TIMEOUT)
/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/allow_csp_from-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d56a1333e651 [wpt PR 24311] - Implement CSPEE Blanket Enforcement logic out-of-blink, a=testonly