Closed Bug 1705341 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 28502 - CSP: Move form-action check to the browser

Categories

(Core :: DOM: Security, task, P4)


RESOLVED FIXED
90 Branch
Tracking Status
firefox90 --- fixed

People

(Reporter: mozilla.org, Unassigned)


Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 28502 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/28502
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

CSP: Move form-action check to the browser

The Content Security Policy check for 'form-action' is a navigational
check, that we perform at the moment half in Blink (for the initial
URL) and half in the Browser (for redirects). The Browser part is
currently implemented in a navigational throttle and is not using the
correct policies and context.

Thanks to the PolicyContainerHost, this CL simplifies the check in the
Browser by removing the FormSubmissionThrottle and moving the check to
the NavigationRequest, in the same place where other navigational
checks are performed. At the same time, it removes the check from
Blink, relying on the Browser check also for the initial request URL.

Change-Id: I28be978be3c86f1d8ad8b41398542c4e735758e3
Bug: 694525,663512,700964,1172898,1021462,713388
Reviewed-on: https://chromium-review.googlesource.com/2797339
WPT-Export-Revision: 76099d131c2a742bd3df640eac2e1718ae16938f

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]

CI Results

Ran 15 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 2 subtests

Status Summary

Firefox

OK : 1
FAIL: 2

Chrome

OK : 1
FAIL: 1

Safari

OK : 1
FAIL: 2

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html
Expecting logs: ["violated-directive=form-action","blocked-uri=http://web-platform.test:8000/common/redirect.py?location=http://www1.web-platform.test:8000/content-security-policy/support/postmessage-fail.html","TEST COMPLETE"]: FAIL (Chrome: FAIL, Safari: FAIL)
form-action-src-redirect-blocked: FAIL (Safari: FAIL)
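
As an added illustration (not code from the wpt PR, Chromium or Gecko), the sketch below applies a `form-action` source list to every hop of a form submission, the initial action URL and each redirect, and reports the pre-redirect URL as the blocked URI, as in the `blocked-uri` of the expected log above. The `form-action 'self'` policy, the function names and the simplified source matching are assumptions.

```javascript
// Added example: simplified form-action enforcement across a redirect chain.
// Source matching handles only 'none', 'self' and exact origins;
// real CSP source matching covers more forms (wildcard hosts, paths, ...).
function matchesSourceList(url, sources, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === selfOrigin;
    try {
      return origin === new URL(src).origin;
    } catch {
      return false; // unsupported source expression in this sketch
    }
  });
}

// Returns the form-action source list, or null when the directive is absent.
function formActionSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "form-action") return values;
  }
  return null;
}

// hops[0] is the form's action URL; later entries are redirect targets.
function checkFormSubmission(policy, documentUrl, hops) {
  const sources = formActionSources(policy);
  if (sources === null) return { allowed: true, failedHop: -1 };
  const selfOrigin = new URL(documentUrl).origin;
  const failedHop = hops.findIndex((u) => !matchesSourceList(u, sources, selfOrigin));
  if (failedHop === -1) return { allowed: true, failedHop };
  // Report the pre-redirect URL so the report does not expose the redirect target.
  return { allowed: false, violatedDirective: "form-action", blockedUri: hops[0], failedHop };
}

// Constructed input: URLs taken from the expected log; the policy is assumed.
const BASE = "http://web-platform.test:8000";
const TARGET = "http://www1.web-platform.test:8000/content-security-policy/support/postmessage-fail.html";
const ACTION = `${BASE}/common/redirect.py?location=${TARGET}`;
const DOC = `${BASE}/content-security-policy/form-action/form-action-src-redirect-blocked.sub.html`;
const result = checkFormSubmission("form-action 'self'", DOC, [ACTION, TARGET]);
console.log(result);
```

The initial hop passes because it is same-origin with the document; the submission is blocked at the redirect to `www1`, which is the case a check on the initial URL alone would miss.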

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ccffb5bf1916
[wpt PR 28502] - CSP: Move form-action check to the browser, a=testonly
https://hg.mozilla.org/integration/autoland/rev/ce1229011dcd
[wpt PR 28502] - Update wpt metadata, a=testonly
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch