1655413 - [wpt-sync] Sync PR 24763 - Make CSP default-src without 'unsafe-eval' block eval in iframes

Status: RESOLVED FIXED

(Core :: DOM: Security, task, P4)

Description

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Sync web-platform-tests PR 24763 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/24763
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Make CSP default-src without 'unsafe-eval' block eval in iframes

This CL fixes the fallback behaviour of the Content Security Policy
script-src to default-src with regards to blocking eval in iframes
and, under certain conditions, when navigating to a new page.

Bug: 1107824
Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434
Reviewed-on: https://chromium-review.googlesource.com/2316105
WPT-Export-Revision: 7117f96d3008ea7bba155fe6a93c90daf6a5c37f

Comment 1

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=155b7b1556c2a7009a14efd5cb952d71d5d78ab3

Comment 2

[Web Platform Test Sync Bot (Matrix: #interop:mozilla.org)]

CI Results

Ran 7 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 2 subtests

Status Summary

Firefox

OK : 1
PASS: 2

Chrome

OK : 1
PASS: 1
FAIL: 1

Safari

OK : 1
PASS: 2

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Comment 3

[Pulsebot]

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f5e2940cdea
[wpt PR 24763] - Make CSP default-src without 'unsafe-eval' block eval in iframes, a=testonly

Comment 4

[Pulsebot]

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/26b1731b6322
[wpt PR 24763] - Make CSP default-src without 'unsafe-eval' block eval in iframes, a=testonly

Comment 5

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/26b1731b6322