Closed Bug 1662412 Opened 5 years ago Closed 5 years ago

[wpt-sync] Sync PR 25322 - Fix CSP source list intersection for CSPEE in blink

Categories

(Core :: DOM: Security, task, P4)


RESOLVED FIXED
82 Branch
Tracking Status
firefox82 --- fixed

People

(Reporter: wpt-sync, Unassigned)


Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 25322 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/25322
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

Fix CSP source list intersection for CSPEE in blink

As explained in https://github.com/w3c/webappsec-cspee/pull/18,
Content-Security-Policy: Embedded Enforcement source list intersection
algorithm sometimes computes a wrong intersection of two lists of
source expressions.

Additionally, blink CSPEE source intersection algorithm was computing
a wrong intersection for http://*.com and http://*.example.com.

We fix those problems and add a unit test and WP tests.

Change-Id: Ie7b85d8c7e978af6b5e87141d257c66e5556be95
Reviewed-on: https://chromium-review.googlesource.com/2385458
WPT-Export-Revision: 85aa30414d5a800085529cd121bc81d623f46e01
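The intersection problem the commit describes, as an added example that is not code from the Chromium CL, the wpt PR or the CSPEE spec: a simplified JavaScript model of CSPEE host-source intersection and subsumption. It assumes source expressions of the form [scheme://]host[:port] only (no paths, keyword sources, nonces or hashes), treats an absent scheme as matching any scheme and an absent port as one specific port, and uses constructed source lists; the names required_csp and "returned CSP" mirror the wpt test descriptions. The property it enforces is that the intersection of two lists is never broader than either input, so http://*.com and http://*.example.com intersect to http://*.example.com, and the embedder's required list is then checked against that intersection rather than against the individual returned policies.

```javascript
// Added example, not Blink's or the spec's algorithm: a simplified model of
// CSPEE source-list intersection for host sources [scheme://]host[:port].

function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^:\/*]+|[^:\/*]+)(?::(\d+|\*))?$/i.exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: (m[1] || "").toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

function formatHostSource(s) {
  return (s.scheme ? `${s.scheme}://` : "") + s.host + (s.port ? `:${s.port}` : "");
}

// Does host pattern `a` cover every host that `b` covers?
// "*" covers everything; "*.com" covers "example.com" and "*.example.com",
// but not "com" and not "*".
function hostSubsumes(a, b) {
  if (a === b || a === "*") return true;
  if (b === "*" || !a.startsWith("*.")) return false;
  const suffix = a.slice(1);                          // "*.com" -> ".com"
  const bare = b.startsWith("*.") ? b.slice(1) : b;   // "*.example.com" -> ".example.com"
  return bare.endsWith(suffix);
}

// Assumed simplifications: an absent scheme matches any scheme; an absent
// port is one specific (default) port; "*" matches any port.
function schemeSubsumes(a, b) { return a === "" || a === b; }
function portSubsumes(a, b) { return a === "*" || a === b; }

function subsumes(a, b) {
  return schemeSubsumes(a.scheme, b.scheme) && hostSubsumes(a.host, b.host) && portSubsumes(a.port, b.port);
}

// Component-wise intersection: keep the narrower scheme, host and port, or
// report no overlap. The result is never broader than either input.
function intersectExpr(a, b) {
  const pick = (x, y, sub) => (sub(x, y) ? y : sub(y, x) ? x : null);
  const scheme = pick(a.scheme, b.scheme, schemeSubsumes);
  const host = pick(a.host, b.host, hostSubsumes);
  const port = pick(a.port, b.port, portSubsumes);
  if (scheme === null || host === null || port === null) return null;
  return { scheme, host, port };
}

// Intersect two source lists (arrays of expression strings), de-duplicating
// and asserting the "not broader than either input" invariant on every result.
function intersectSourceLists(listA, listB) {
  const out = [];
  for (const a of listA.map(parseHostSource)) {
    for (const b of listB.map(parseHostSource)) {
      const x = intersectExpr(a, b);
      if (x === null) continue;
      if (!subsumes(a, x) || !subsumes(b, x)) {
        throw new Error(`intersection broader than input: ${formatHostSource(x)}`);
      }
      const s = formatHostSource(x);
      if (!out.includes(s)) out.push(s);
    }
  }
  return out;
}

// Every expression in `list` must be covered by some expression in `required`.
function listSubsumedBy(required, list) {
  const req = required.map(parseHostSource);
  return list.map(parseHostSource).every(x => req.some(r => subsumes(r, x)));
}

// CSPEE check for one directive: required_csp must subsume the intersection of
// the source lists from all policies the iframe returned. No returned policy
// means nothing can be verified, so the frame is blocked.
function requiredCspAllows(required, returnedLists) {
  if (returnedLists.length === 0) return false;
  const intersection = returnedLists.reduce((acc, l) => intersectSourceLists(acc, l));
  return listSubsumedBy(required, intersection);
}

// Constructed inputs mirroring the commit's example pair.
const required = ["http://*.example.com"];
console.log(intersectSourceLists(["http://*.com"], ["http://*.example.com"]));
console.log(requiredCspAllows(required, [["http://*.com"], ["http://*.example.com"]]));
console.log(requiredCspAllows(required, [["http://*.com"]]));
```

Because intersectExpr keeps the narrower component on every axis, an intersection can only shrink what either returned policy allows; if an implementation instead produced http://*.com for the pair above, the subsequent subsumption check against http://*.example.com would wrongly admit hosts outside required_csp, which is the failure the new subsumption_algorithm-general.html subtests exercise.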

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]

CI Results

Ran 0 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 11 subtests

Status Summary

Firefox

OK : 1
PASS : 6
FAIL : 5

Chrome

PASS : 10
TIMEOUT: 2

Safari

OK : 1
PASS : 6
FAIL : 5

Links

GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
Iframe with empty returned CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with less restricting CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe with a different CSP should be blocked.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe should block if intersection allows sources which are not in required_csp.: FAIL (Chrome: PASS, Safari: FAIL)
Iframe should block if intersection allows sources which are not in required_csp (other ordering).: FAIL (Chrome: PASS, Safari: FAIL)

Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1bc560f22f12 [wpt PR 25322] - Fix CSP source list intersection for CSPEE in blink, a=testonly
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch