Closed Bug 1688574 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 27304 - CSP: Allow unknown directives in csp attribute

Categories

(Core :: DOM: Security, task, P4)

task

Tracking

RESOLVED FIXED
87 Branch
Tracking Status
firefox87 --- fixed

People

(Reporter: mozilla.org, Unassigned)

References

Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 27304 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/27304
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

CSP: Allow unknown directives in csp attribute

According to the spec
https://w3c.github.io/webappsec-cspee/#csp-attribute, chrome should
accept csp attributes matching the serialized-policy ABNF grammar even
if they contain unknown directives or unknown directive values. This
is essential for ensuring forward-compatibility.

At the moment, chrome is discarding any csp attribute containing
unknown directive names or values. This CL fixes that.

Bug: 1169076,1168001
Change-Id: I5c7caeee7b92bbf9f2b3a240b5cdc10d9a87d060

Reviewed-on: https://chromium-review.googlesource.com/2642369
WPT-Export-Revision: d9013d38769ad7407ba8c2accf90038e8509e571
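The acceptance rule the commit message describes, as an added example that is not code from the wpt PR, Chromium or Gecko: a small JavaScript checker for an `<iframe csp>` value. It assumes the serialized-policy ABNF from the linked CSP-EE spec and the report-uri/report-to exclusion that the "wrong and dangerous" test cases refer to; the sample values are constructed, modelled on the case names in the test report.

```javascript
// Added example (not code from the wpt PR, Chromium or Gecko): checks an
// <iframe csp> value against the serialized-policy ABNF cited above. Unknown
// directive names and values pass; grammar violations and reporting directives fail.

// directive-name = 1*( ALPHA / DIGIT / "-" )
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;
// directive-value = *( ASCII whitespace / VCHAR ) excluding ";" (%x3B) and "," (%x2C)
const DIRECTIVE_VALUE = /^[ \t\x21-\x2B\x2D-\x3A\x3C-\x7E]*$/;
// CSP-EE does not allow the csp attribute to carry reporting directives.
const REPORTING_DIRECTIVES = new Set(["report-uri", "report-to"]);

// Parse a serialized-policy into [{ name, value }], or return null when any
// directive violates the grammar. Empty segments between ";" are skipped.
function parseSerializedPolicy(value) {
  const directives = [];
  for (const segment of value.split(";")) {
    const t = segment.replace(/^[ \t]+|[ \t]+$/g, "");
    if (t === "") continue;
    const sep = t.search(/[ \t]/);
    const name = sep === -1 ? t : t.slice(0, sep);
    const directiveValue = sep === -1 ? "" : t.slice(sep).replace(/^[ \t]+/, "");
    if (!DIRECTIVE_NAME.test(name) || !DIRECTIVE_VALUE.test(directiveValue)) {
      return null;
    }
    // Directive names are ASCII case-insensitive in CSP.
    directives.push({ name: name.toLowerCase(), value: directiveValue });
  }
  return directives;
}

// True when the value yields a policy the embedder may require of the framed
// document: grammatically valid, non-empty, and free of report-uri/report-to.
function isValidCspAttribute(value) {
  const directives = parseSerializedPolicy(value);
  if (directives === null || directives.length === 0) return false;
  return !directives.some((d) => REPORTING_DIRECTIVES.has(d.name));
}

// Constructed sample values, modelled on the case names in the test report.
const SAMPLES = [
  ["unknown policy name", "unknown-directive 'self'", true],
  ["missing semicolon", "script-src 'self' img-src 'none'", true],
  ["comma separated", "script-src 'self', img-src 'none'", false],
  ["invalid character in directive name", "script_src 'self'", false],
  ["report-uri present", "script-src 'self'; report-uri /csp", false],
];
for (const [label, value, expected] of SAMPLES) {
  console.log(`${label}: ${isValidCspAttribute(value) === expected ? "as expected" : "MISMATCH"}`);
}
```

Note that "missing semicolon" is accepted as a single directive whose value swallows the rest, which is why the test report lists it under "wrong but allowed" rather than "dangerous".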

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]

CI Results

Ran 15 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 3 tests and 70 subtests

Status Summary

Firefox

OK : 3
PASS: 42
FAIL: 55

Chrome

OK : 3
PASS: 67
FAIL: 30

Safari

OK : 3
PASS: 42
FAIL: 55

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test same origin: Test same policy for both iframes: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test more restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test less restrictive policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test no policy on second iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test no policy on first iframe: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (bad directive name): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on first iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (bad directive name): FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Test invalid policy on second iframe (report directive): FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
Test Required-CSP value on csp change: Sec-Required-CSP is not sent if csp attribute is not set on <iframe>.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP when csp attribute of <iframe> is not empty.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Send Sec-Required-CSP Header on change of src attribute on iframe.: FAIL (Chrome: PASS, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - gibberish csp: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - misspeled 'none': FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - query values in path: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: FAIL, Safari: FAIL)
Test same origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: FAIL, Safari: FAIL)
Test cross origin redirect of cross origin iframe: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong but allowed value of csp should still trigger sending Sec-Required-CSP Header - missing semicolon: FAIL (Chrome: FAIL, Safari: FAIL)
Test Required-CSP value on csp change: Wrong and dangerous value of csp should not trigger sending Sec-Required-CSP Header - comma separated: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong and dangerous value of csp should not trigger sending Sec-Required-CSP Header - invalid characters in directive names: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong and dangerous value of csp should not trigger sending Sec-Required-CSP Header - invalid character in directive name: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong and dangerous value of csp should not trigger sending Sec-Required-CSP Header - report-uri present: FAIL (Chrome: PASS, Safari: FAIL)
Test Required-CSP value on csp change: Wrong and dangerous value of csp should not trigger sending Sec-Required-CSP Header - report-to present: FAIL (Chrome: PASS, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

/content-security-policy/embedded-enforcement/required-csp-header-cascade.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header-crlf.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)
/content-security-policy/embedded-enforcement/required_csp-header.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt] (Chrome: OK, Safari: OK)

Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/915afdc564c0
[wpt PR 27304] - CSP: Allow unknown directives in csp attribute, a=testonly
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch