Closed Bug 1705889 Opened 5 years ago Closed 5 years ago

[wpt-sync] Sync PR 28560 - Remove IsSecure check from ExecutionContextCSPDelegate:GetStatusCode()

Categories

(Core :: DOM: Security, task, P4)


Tracking


RESOLVED FIXED
90 Branch
Tracking Status
firefox90 --- fixed

People

(Reporter: wpt-sync, Unassigned)

References


Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 28560 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/28560
Details from upstream follow.

Frédéric Wang <fwang@igalia.com> wrote:

Remove IsSecure check from ExecutionContextCSPDelegate:GetStatusCode()

ExecutionContextCSPDelegate::GetStatusCode() is currently only used in
GatherSecurityPolicyViolationEventData to initialize a violation
event. It returns the status code of the associated resource unless
that resource is considered secure by SecurityOrigin::IsSecure().
However:

  • SecurityOrigin::IsSecure() is an internal implementation that does
    not correspond to any spec definition. It is deprecated in favor
    of network::IsOriginPotentiallyTrustworthy() corresponding to [1]
    and is expected to be removed.

  • The CSP spec does not describe any rule on "secure context" or
    similar to decide whether to set the status code. Instead, as long
    as a violation is created, it is supposed to have the status code
    of the resource set [2] [3] [4].

This CL removes the SecurityOrigin::IsSecure() check and
follows the spec to set the status code unconditionally. This
change is covered by existing tests reporting-observer/csp.php and
eval-blocked-and-sends-report.php (for localhost pages) and other
WPT tests (for https pages). It is considered a bug fix
that does not need to follow the intent to ship procedure.

[1] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[2] https://w3c.github.io/webappsec-csp/#violation-status
[3] https://w3c.github.io/webappsec-csp/#ref-for-violation-status
[4] https://w3c.github.io/webappsec-csp/#report-violation

Bug: 1153336
Change-Id: Ia6f36f75558aa6d22a2f69d8488df1a5e5e82daa

Reviewed-on: https://chromium-review.googlesource.com/2831540
WPT-Export-Revision: db1da40cc3148518b919ba4468ebb5dc1cf7a1ea
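As an added example (not code from the upstream change, Chromium, or this sync), a small Python validator for a CSP report endpoint: it normalizes both wire formats (legacy report-uri `csp-report` objects and Reporting API `csp-violation` reports) and flags reports from trustworthy-origin documents whose status code is missing or 0, which is the symptom the removed IsSecure check produced. The trustworthiness check is an assumed approximation of the secure-contexts definition, and the sample payloads are constructed.

```python
# Added example, not from the upstream change or this sync: normalize CSP
# reports from both wire formats and flag trustworthy-origin reports
# whose document status code is missing or 0 (the bug fixed upstream).
import json
from urllib.parse import urlsplit

def is_potentially_trustworthy(url):
    """Assumed approximation of 'is URL potentially trustworthy':
    https/wss schemes and loopback hosts only."""
    parts = urlsplit(url or "")
    host = parts.hostname or ""
    if parts.scheme in ("https", "wss"):
        return True
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")

def normalize_reports(payload):
    """Legacy report-uri bodies: one object under "csp-report" ("status-code").
    Reporting API bodies: list of "csp-violation" reports ("statusCode")."""
    data = json.loads(payload)
    out = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        out.append({"document_url": r.get("document-uri"),
                    "directive": r.get("effective-directive"),
                    "status_code": r.get("status-code")})
    elif isinstance(data, list):
        for rep in data:
            if rep.get("type") != "csp-violation":
                continue  # other report types may share the endpoint
            body = rep.get("body", {})
            out.append({"document_url": body.get("documentURL"),
                        "directive": body.get("effectiveDirective"),
                        "status_code": body.get("statusCode")})
    return out

def reports_missing_status(reports):
    """URLs of trustworthy-origin reports whose status is absent or 0; the
    spec sets a status for every violation, so these are sender defects."""
    return [r["document_url"] for r in reports
            if is_potentially_trustworthy(r["document_url"]) and not r["status_code"]]

# Constructed sample payloads (not captured from a real browser).
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8000/eval.html", "effective-directive": "script-src",
    "blocked-uri": "eval", "status-code": 200}})
REPORTING_API_SAMPLE = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://example.com/a.html", "body": {
        "documentURL": "https://example.com/a.html", "effectiveDirective": "script-src",
        "blockedURL": "eval", "statusCode": 0}},
    {"type": "deprecation", "age": 10, "url": "https://example.com/a.html", "body": {}}])
```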

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream]

CI Results

Ran 15 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 3 tests and 4 subtests

Status Summary

Firefox

PASS : 4[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-32-debug, Gecko-windows10-32-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt] 6[GitHub]
FAIL : 2[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-32-debug, Gecko-windows10-32-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt] 3[GitHub]
TIMEOUT: 4[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-32-debug, Gecko-windows10-32-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt] 6[GitHub]

Chrome

OK : 3
PASS : 9
FAIL : 3

Safari

PASS : 3
FAIL : 6
TIMEOUT: 6

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html: SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-32-debug, Gecko-windows10-32-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt], TIMEOUT [GitHub] (Chrome: OK, Safari: TIMEOUT)
Report is observable to ReportingObserver: TIMEOUT (Chrome: FAIL, Safari: FAIL)
Violation report status OK.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
Report is observable to ReportingObserver: TIMEOUT (Chrome: FAIL, Safari: FAIL)
Violation report status OK.: FAIL (Chrome: PASS, Safari: FAIL)
/reporting/path-absolute-endpoint.https.sub.html: TIMEOUT (Chrome: OK, Safari: TIMEOUT)
Report is observable to ReportingObserver: TIMEOUT (Chrome: FAIL, Safari: FAIL)
Reporting endpoints received reports.: FAIL (Chrome: PASS, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation.https.sub.html: SKIP [Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-opt, Gecko-windows10-32-debug, Gecko-windows10-32-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt], TIMEOUT [GitHub] (Chrome: OK, Safari: TIMEOUT)

Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a6f4bd85ec7e [wpt PR 28560] - Remove IsSecure check from ExecutionContextCSPDelegate:GetStatusCode(), a=testonly
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch