Closed Bug 1647715 Opened 4 years ago Closed 4 years ago

[wpt-sync] Sync PR 24311 - Implement CSPEE Blanket Enforcement logic out-of-blink

Categories

(Core :: DOM: Security, task, P4)

task


RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: mozilla.org, Unassigned)


Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 24311 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/24311
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Implement CSPEE Blanket Enforcement logic out-of-blink

This change adds to the AncestorThrottle a check for the step
"Does response allow blanket enforcement of policy from request" of
Content Security Policy: Embedded Enforcement:
https://w3c.github.io/webappsec-cspee/#origin-allowed Behind the flag

This is one of the steps of moving CSPEE out-of-blink and is hidden
under the flag network::features::kOutOfBlinkCSPEE.

Change-Id: Id3092322134e055810d4006e63e6974ee64315be
Bug: 1094909
Reviewed-on: https://chromium-review.googlesource.com/2218019
WPT-Export-Revision: 19580155fcd405edaa20e2f43ac5cfdbc0a2538e

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 18 tests and 9 subtests

Status Summary

Firefox

OK : 18
PASS : 174
FAIL : 89

Chrome

OK : 18
PASS : 263

Safari

OK : 17
PASS : 171
FAIL : 89
TIMEOUT: 4

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: TIMEOUT)
Effective returned csp allows 'unsafe-inline': FAIL (Chrome: PASS, Safari: FAIL)
Required csp does not allow unsafe-inline, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp allows strict-dynamic, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a nonce.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a hash.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Iframe with a different CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with empty returned CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with less restricting CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
'sha256-abc123' is not subsumed by 'sha256-abc456'.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Returned should not include hashes not present in required csp.: FAIL (Chrome: PASS, Safari: FAIL)
Hashes do not have to be present in returned csp but must not allow all inline behavior.: FAIL (Chrome: PASS, Safari: FAIL)
Effective policy is properly found where 'sha256-abc123' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'sha256-abc123'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Two same-origin iframes must appear as cross-origin when one is blocked: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
More specific subdomain should not match.: FAIL (Chrome: PASS, Safari: FAIL)
Host must match.: FAIL (Chrome: PASS, Safari: FAIL)
Hosts without wildcards must match.: FAIL (Chrome: PASS, Safari: FAIL)
Specified host should not match a wildcard host.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Returned CSP must not allow 'self' if required CSP does not.: FAIL (Chrome: PASS, Safari: FAIL)
Returned 'self' should not be subsumed by a more secure version of origin's url.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Wildcard port should not be subsumed by a default port.: FAIL (Chrome: PASS, Safari: FAIL)
Specified ports must match.: FAIL (Chrome: PASS, Safari: FAIL)
Wildcard port should not be subsumed by a spcified port.: FAIL (Chrome: PASS, Safari: FAIL)
Returned CSP should be subsumed if the port is specified but is not default for a more secure scheme.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Effective policy is properly found where 'unsafe-hashes' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
No other keyword has the same effect as 'unsafe-hashes'.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'unsafe-hashes'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
'strict-dynamic' is properly handled for finding effective policy.: FAIL (Chrome: PASS, Safari: FAIL)
'strict-dynamic' is effective only for script-src.: FAIL (Chrome: PASS, Safari: FAIL)
'strict-dynamic' has to be allowed by required csp if it is present in returned csp.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
A nonce has to be returned if required by the embedder.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions still have to be subsumed - negative test: FAIL (Chrome: PASS, Safari: FAIL)
Nonce intersection is still done on exact match - matching nonces.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Returned CSP must specify a path.: FAIL (Chrome: PASS, Safari: FAIL)
That should not be true when required csp specifies a specific page.: FAIL (Chrome: PASS, Safari: FAIL)
Empty path is not subsumed by specified paths.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
If scheme source is present in returned csp, it must be specified in required csp too.: FAIL (Chrome: PASS, Safari: FAIL)
http: does not subsume other protocols.: FAIL (Chrome: PASS, Safari: FAIL)
https is more restrictive than http.: FAIL (Chrome: PASS, Safari: FAIL)
All scheme sources must be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - url encoded string: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - report-to present: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - html encoded string: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Sec-Required-CSP is not sent if csp attribute is not set on <iframe>.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - comma separated: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - report-uri present: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong value of csp should not trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/allow_csp_from-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Star Allow-CSP-From header enforces EmbeddingCSP.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with improper Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Allow-CSP-From header enforces EmbeddingCSP.: FAIL (Chrome: PASS, Safari: FAIL)
Cross origin iframe with an empty Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Cross origin iframe without Allow-CSP-From header gets blocked.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Effective policy is properly found where 'unsafe-eval' is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Other expressions have to be subsumed.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp must allow 'unsafe-eval'.: FAIL (Chrome: PASS, Safari: FAIL)
No other keyword has the same effect as 'unsafe-eval'.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Both required and returned csp are none for only one directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required policy that allows none does not subsume empty list of policies.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume none of different directives.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume none of another directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with none does not subsume a host source expression.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with effective none does not subsume none of another directive.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp with effective none does not subsume a host source expression.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test same origin: Test no policy on first iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (bad directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (bad directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test less restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test same policy for both iframes: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test more restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test no policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: TIMEOUT)
/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/blocked-iframe-are-cross-origin.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-hosts.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-self.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-ports.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_hashes.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-strict_dynamic.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-paths.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-host_sources-protocols.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/allow_csp_from-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_eval.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/subsumption_algorithm-none.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d56a1333e651
[wpt PR 24311] - Implement CSPEE Blanket Enforcement logic out-of-blink, a=testonly
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80