[wpt-sync] Sync PR 24890 - Send CSP frame-ancestors violations also when XFO is present
Categories: Core :: DOM: Security, task, P4
Tracking: firefox81, tracking flag ---, status fixed
People: Reporter: wpt-sync, Unassigned
Whiteboard: [wptsync downstream][domsecurity-backlog]
Sync web-platform-tests PR 24890 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/24890
Details from upstream follow.
Antonio Sartori <antoniosartori@chromium.org> wrote:
Send CSP frame-ancestors violations also when XFO is present
If a Content-Security-Policy frame-ancestors directive is enforced,
then the X-Frame-Options header is ignored. However, if the
frame-ancestors directive is report-only, the X-Frame-Options header
is checked and the frame possibly blocked. However, in this second
case, we must still check whether we have to send a
Content-Security-Policy violation report.

Bug: 1097078
Change-Id: I9768a3859184ac1d35bd938f45cc40e111e2af4b
Reviewed-on: https://chromium-review.googlesource.com/2339115
WPT-Export-Revision: 2914ce5576c434d94a81b1cc0b23903f22aac390
Comment 3•5 years ago
CI Results
Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 2 tests and 1 subtests
Status Summary
Firefox
OK : 2
PASS: 2
FAIL: 2
Chrome
OK : 2
PASS: 1
FAIL: 1
Safari
OK : 2
PASS: 1
FAIL: 1
Details
Firefox-only Failures
/content-security-policy/reporting/report-frame-ancestors.sub.html
Violation report status OK.: FAIL [Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, GitHub], PASS [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]
New Tests That Don't Pass
/content-security-policy/reporting/report-frame-ancestors.sub.html
Violation report status OK.: FAIL [Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, GitHub], PASS [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: PASS, Safari: PASS)
/content-security-policy/reporting/report-frame-ancestors-with-x-frame-options.sub.html
Violation report status OK.: FAIL [Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, GitHub], PASS [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: FAIL, Safari: FAIL)
Comment 6•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/89eb20d278cf
https://hg.mozilla.org/mozilla-central/rev/c6c8127e291c