[wpt-sync] Sync PR 28502 - CSP: Move form-action check to the browser
Categories
(Core :: DOM: Security, task, P4)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox90 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 28502 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/28502
Details from upstream follow.
b'Antonio Sartori <antoniosartori@chromium.org>' wrote:
CSP: Move form-action check to the browser

The Content Security Policy check for 'form-action' is a navigational
check, that we perform at the moment half in Blink (for the initial
URL) and half in the Browser (for redirects). The Browser part is
currently implemented in a navigational throttle and is not using the
correct policies and context.

Thanks to the PolicyContainerHost, this CL simplifies the check in the
Browser by removing the FormSubmissionThrottle and moving the check to
the NavigationRequest, in the same place where other navigational
checks are performed. At the same time, it removes the check from
Blink, relying on the Browser check also for the initial request URL.

Change-Id: I28be978be3c86f1d8ad8b41398542c4e735758e3
Bug: 694525,663512,700964,1172898,1021462,713388
Reviewed-on: https://chromium-review.googlesource.com/2797339
WPT-Export-Revision: 76099d131c2a742bd3df640eac2e1718ae16938f
Comment 1•3 years ago
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=925200d0595580be7b45b3c730fc992e793fd347
Comment 2•3 years ago
CI Results
Ran 15 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 1 tests and 2 subtests
Status Summary
Firefox
OK : 1
FAIL: 2
Chrome
OK : 1
FAIL: 1
Safari
OK : 1
FAIL: 2
Links
Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base
Details
New Tests That Don't Pass
/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html
Expecting logs: ["violated-directive=form-action","blocked-uri=http://web-platform.test:8000/common/redirect.py?location=http://www1.web-platform.test:8000/content-security-policy/support/postmessage-fail.html","TEST COMPLETE"]: FAIL (Chrome: FAIL, Safari: FAIL)
form-action-src-redirect-blocked: FAIL (Safari: FAIL)
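
An added example, not part of the bug or of the Chromium change: a minimal Python model of a form-action check that covers the whole navigation, initial URL and redirect hops alike, run on the URLs from the failing test above. The function names, the `'self'` policy and the simplified source matching are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def allowed(sources, url, document_url):
    """Simplified source-list match: 'none', 'self' or an exact origin.
    Real CSP source expressions also allow schemes, wildcards and paths."""
    for src in sources:
        if src == "'none'":
            continue
        if src == "'self'":
            if origin(url) == origin(document_url):
                return True
        elif origin(src) == origin(url):
            return True
    return False

def check_form_navigation(sources, document_url, hops):
    """Apply form-action to the action URL (hops[0]) and to every redirect.

    Returns None when all hops are allowed, else a violation record.
    blocked-uri is the URL the form submitted to, modelled on the
    expected log line in the CI results above (an assumption here)."""
    for index, url in enumerate(hops):
        if not allowed(sources, url, document_url):
            return {"violated-directive": "form-action",
                    "blocked-uri": hops[0],
                    "failed-at-hop": index}
    return None

# Constructed sample: hosts and paths are taken from the test name and log
# above; the policy value is assumed.
POLICY = ["'self'"]
DOCUMENT = ("http://web-platform.test:8000/content-security-policy/"
            "form-action/form-action-src-redirect-blocked.sub.html")
TARGET = ("http://www1.web-platform.test:8000/content-security-policy/"
          "support/postmessage-fail.html")
ACTION = "http://web-platform.test:8000/common/redirect.py?location=" + TARGET

if __name__ == "__main__":
    print("initial URL only:", check_form_navigation(POLICY, DOCUMENT, [ACTION]))
    print("with redirect   :", check_form_navigation(POLICY, DOCUMENT, [ACTION, TARGET]))
```

Checking only the action URL lets this submission through, because the same-origin `redirect.py` endpoint satisfies `'self'`; the cross-origin hop is caught only when the redirect target is evaluated against the same policy.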
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ccffb5bf1916
[wpt PR 28502] - CSP: Move form-action check to the browser, a=testonly
https://hg.mozilla.org/integration/autoland/rev/ce1229011dcd
[wpt PR 28502] - Update wpt metadata, a=testonly
Comment 4•3 years ago
https://hg.mozilla.org/mozilla-central/rev/ccffb5bf1916
https://hg.mozilla.org/mozilla-central/rev/ce1229011dcd