Closed Bug 1662411 Opened 1 year ago Closed 1 year ago

[wpt-sync] Sync PR 25321 - Fix wildcard host matching in CSPEE subsume algorithm

Categories

(Core :: DOM: Security, task, P4)

Tracking

RESOLVED FIXED
82 Branch
Tracking Status
firefox82 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 25321 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/25321
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Fix wildcard host matching in CSPEE subsume algorithm

The previous implementation returned true for *.example.com
subsumes example.com. However, since *.example.com does not match
example.com, this should not be the case. And indeed according to
2.3.3 in
https://w3c.github.io/webappsec-cspee/#subsume-source-expressions in
this case the subsume algorithm should return false.

Bug: 1086857
Change-Id: I449f72d2db0a918478fc1ba4250335ae57a4ae2d

Reviewed-on: https://chromium-review.googlesource.com/2210463
WPT-Export-Revision: 7cb604be51f9dcb1f06a4c6e41730764d20d38f8
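The commit message above rests on one property of CSP host-source matching: a wildcard host-part such as `*.example.com` matches subdomains of `example.com` but never `example.com` itself, so it cannot subsume `example.com` (a host-part A subsumes B only if every host B can match is also matched by A). The following is an added example, not code from the wpt PR, Chromium or Gecko; the function names `host_matches` and `host_subsumes` are the author's own, and the wildcard-vs-wildcard branch (`*.example.com` subsuming `*.www.example.com`) is a generalisation of the same rule beyond the single case the commit discusses.

```python
"""CSP host-part matching and a host-part subsumption check.

Added example modelling the behaviour described in the wpt PR 25321 commit
message. Function and variable names are the author's own choices, not the
spec's or any browser's implementation.
"""


def host_matches(pattern: str, host: str) -> bool:
    """Does the host-part `pattern` of a CSP host-source match `host`?

    Matching is case-insensitive. A pattern starting with "*." matches any
    host that has at least one extra label in front of the remainder;
    a pattern without a wildcard must equal the host exactly.
    """
    pattern = pattern.lower()
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        # The host must end with ".example.com" AND have at least one label
        # before it, so "example.com" itself is not a match.
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def host_subsumes(a: str, b: str) -> bool:
    """Does host-part `a` subsume host-part `b`?

    `a` subsumes `b` when every host that `b` could match is also matched
    by `a`. This is the check the commit describes as having wrongly
    returned true for a="*.example.com", b="example.com".
    """
    a = a.lower()
    b = b.lower()
    if a.startswith("*."):
        if b.startswith("*."):
            # "*.x" subsumes "*.y.x": everything under y.x is also under x.
            # Comparing with the leading dot kept ("." + rest) prevents
            # "*.x" from wrongly subsuming "*.ax".
            return b[1:].endswith(a[1:])
        # Concrete host: it must itself be matched by the wildcard. Here the
        # buggy implementation returned true for "example.com", although
        # "*.example.com" does not match "example.com".
        return host_matches(a, b)
    # A non-wildcard host-part only subsumes the identical concrete host; a
    # wildcard `b` matches strictly more hosts than `a`, so it is not subsumed.
    return not b.startswith("*.") and a == b


def demo() -> list:
    """Constructed cases, including the one from the commit message."""
    cases = [
        ("*.example.com", "example.com"),        # the bug: must be False
        ("*.example.com", "www.example.com"),    # True
        ("*.example.com", "*.www.example.com"),  # True (generalisation)
        ("example.com", "*.example.com"),        # False: b is broader
        ("*.a.com", "a.com"),                    # the wpt subtest: False
    ]
    return [(a, b, host_subsumes(a, b)) for a, b in cases]


if __name__ == "__main__":
    for a, b, result in demo():
        print(f"{a!r} subsumes {b!r}: {result}")
```

Usage: run the file directly to print the constructed cases, or call `host_subsumes` from the test harness of a CSP implementation. The check for a concrete `b` deliberately reuses `host_matches`, which keeps matching and subsumption consistent by construction: a wildcard can never subsume a host it would refuse to match.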

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 15 subtests

Status Summary

Firefox

OK : 1
PASS : 8
FAIL : 7

Chrome

PASS : 13
FAIL : 1
TIMEOUT: 2

Safari

OK : 1
PASS : 8
FAIL : 7

Details

New Tests That Don't Pass

/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: TIMEOUT, Safari: OK)
Iframe with empty returned CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with less restricting CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with a different CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Host wildcard *.a.com does not match a.com: FAIL (Chrome: FAIL, Safari: FAIL)
Iframe should block if intersection allows sources which are not in required_csp.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe should block if intersection allows sources which are not in required_csp (other ordering).: FAIL (Chrome: PASS, Safari: FAIL)
Iframe should block if plugin-types directive is not subsumed.: FAIL (Chrome: PASS, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: TIMEOUT, Safari: OK)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b5ac5b97a79
[wpt PR 25321] - Fix wildcard host matching in CSPEE subsume algorithm, a=testonly
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch