Closed Bug 1655413 Opened 4 years ago Closed 4 years ago

[wpt-sync] Sync PR 24763 - Make CSP default-src without 'unsafe-eval' block eval in iframes

Categories

(Core :: DOM: Security, task, P4)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox81 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References

(
URL
)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 24763 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/24763
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Make CSP default-src without 'unsafe-eval' block eval in iframes

This CL fixes the fallback behaviour of the Content Security Policy
script-src to default-src with regards to blocking eval in iframes
and, under certain conditions, when navigating to a new page.

Bug: 1107824
Change-Id: Ia5cbe82188fde25cec8ccb5a09322e598a419434
Reviewed-on: https://chromium-review.googlesource.com/2316105
WPT-Export-Revision: 7117f96d3008ea7bba155fe6a93c90daf6a5c37f

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

CI Results

Ran 7 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 2 subtests

Status Summary

Firefox

OK : 1
PASS: 2

Chrome

OK : 1
PASS: 1
FAIL: 1

Safari

OK : 1
PASS: 2

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f5e2940cdea [wpt PR 24763] - Make CSP default-src without 'unsafe-eval' block eval in iframes, a=testonly
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/26b1731b6322 [wpt PR 24763] - Make CSP default-src without 'unsafe-eval' block eval in iframes, a=testonly

https://hg.mozilla.org/mozilla-central/rev/26b1731b6322

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
You need to log in before you can comment on or make changes to this bug.