Closed Bug 1712690 Opened 4 years ago Closed 1 year ago

Update SecurityPolicyViolationEvent WebIDL

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Version:
Firefox 88
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox125 --- fixed

People

(Reporter: zyscoder, Assigned: tschuster)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file, 1 obsolete file)

Bug 1712690 - Update the SecurityPolicyViolationEvent WebIDL. r?#webidl,#dom-core
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36

Steps to reproduce:

(1) Open a tab and navigate to any URL;
(2) Run the following code in the Console of Devtools:

new SecurityPolicyViolationEvent('', {});

(3) Then this code would be evaluated successfully without throwing any exception.

Actual results:

This code is evaluated successfully without throwing any exception.

Expected results:

As https://docs.w3cub.com/dom/securitypolicyviolationevent/securitypolicyviolationevent says, "eventInitDict is a dictionary object containing information about the properties of the SecurityPolicyViolationEvent to be constructed. This can include the following properties, but bear in mind that if you do include an eventInitDict, certain properties must be included (marked below with required, like disposition)."
That means the code above should throw an exception since the required members are undefined, just like what the Chrome would throw: Uncaught TypeError: Failed to construct 'SecurityPolicyViolationEvent': required member disposition is undefined.

The Bugbug bot thinks this bug should belong to the 'DevTools::Console' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Console
Product: Firefox → DevTools

This isn't a DevTools issue, you can see the constructor not throwing with:
data:text/html,<meta charset=utf8><script>try { new SecurityPolicyViolationEvent('', {}); alert("ok") } catch(e) { alert("error") }</script>

Component: Console → DOM: Core & HTML
Product: DevTools → Core
Component: DOM: Core & HTML → DOM: Security

This needs to block Bug 1231788, but we gotta have to put it in the backlog for now. Thanks for reporting though!

Blocks: csp-w3c-3
Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

I didn't change any of the DOMString instances to USVString.

Assignee: nobody → tschuster
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9367911 - Attachment description: Bug 1712690 - Update the SecurityPolicyViolationEvent WebIDL. r?#webidl → Bug 1712690 - Update the SecurityPolicyViolationEvent WebIDL. r?#webidl,#dom-core

The WebIDL in the spec is problematic and will likely be changed to something that is closer to ours.

See Also: → https://github.com/w3c/webappsec-csp/issues/631

The WebIDL was just updated and now almost matches our IDL. https://github.com/w3c/webappsec-csp/pull/645

Summary: SecurityPolicyViolationEvent.constructor do not throw any exception as expected when eventInitDict param do not include all the members required → Update SecurityPolicyViolationEvent WebIDL
Attachment #9367911 - Attachment is obsolete: true
Depends on: 1881014

Implements the changes from https://github.com/w3c/webappsec-csp/pull/645

(This still does not include changing DOMString to USVString)

Blocks: 1882999
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0b0b033136dc Update the SecurityPolicyViolationEvent WebIDL. r=webidl,dom-core,peterv

https://hg.mozilla.org/mozilla-central/rev/0b0b033136dc

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox125: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: