[wpt-sync] Sync PR 30914 - [CSP] Fix dedicated worker inheritance
Categories
(Core :: DOM: Security, task, P4)
Tracking
Release | Tracking | Status |
---|---|---|
firefox95 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 30914 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/30914
Details from upstream follow.
Antonio Sartori <antoniosartori@chromium.org> wrote:
[CSP] Fix dedicated worker inheritance
Dedicated workers should populate their Content Security Policy from
parsing their response headers. In chrome, they instead used to inherit
CSP from the creator document. This CL fixes that.

Note that workers with local schemes (data, blob, filesystem) still
inherit CSP from the creator context.

Intent to ship:
https://groups.google.com/a/chromium.org/g/blink-dev/c/sH75Nkx_OZ0

Relevant algorithm in the specification:
https://html.spec.whatwg.org/#initialize-worker-policy-container

Bug: 1012640,1253267
Change-Id: I2630bf1ba9425114758d805d5e0b8a3664cbd906
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168339
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Carlos IL <carlosil@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Commit-Queue: Carlos IL <carlosil@chromium.org>
Cr-Commit-Position: refs/heads/main@{#931337}
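The inheritance rule stated in the commit message above, modeled as an added example (not Chromium, Gecko or WPT code). The function names, the `app.example` URLs and the sample policies are constructed for illustration; the local-scheme list is the one the commit message names.

```javascript
// Added model of the rule in the commit message; not browser source code.
// Scheme list is taken from the commit message (data, blob, filesystem).
const LOCAL_SCHEMES = new Set(["data:", "blob:", "filesystem:"]);

// Parse Content-Security-Policy header values into a list of policies.
// A header value may carry several comma-separated policies; each policy is
// a ';'-separated list of directives (a name followed by source expressions).
function parseCspHeaders(headerValues) {
  const policies = [];
  for (const value of headerValues) {
    for (const serialized of value.split(",")) {
      const directives = new Map();
      for (const part of serialized.split(";")) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const name = tokens[0].toLowerCase();
        // A repeated directive name is ignored; the first occurrence wins.
        if (!directives.has(name)) directives.set(name, tokens.slice(1));
      }
      if (directives.size > 0) policies.push(directives);
    }
  }
  return policies;
}

// Returns the CSP list a dedicated worker starts with (hypothetical helper).
function initialWorkerCsp(workerUrl, responseCspHeaders, creatorPolicies) {
  const scheme = new URL(workerUrl).protocol;
  if (LOCAL_SCHEMES.has(scheme)) {
    // Local-scheme workers still inherit a copy of the creator's policies.
    return creatorPolicies.map((p) => new Map(p));
  }
  // Network-fetched workers: only the worker script's own response counts.
  return parseCspHeaders(responseCspHeaders);
}

// Constructed sample: a page with a strict policy starts three workers.
const pagePolicies = parseCspHeaders(["connect-src 'self'; script-src 'self'"]);
const cases = {
  blob: initialWorkerCsp("blob:https://app.example/1f0c", [], pagePolicies),
  httpWithHeader: initialWorkerCsp("https://app.example/w.js", ["connect-src 'none'"], pagePolicies),
  httpNoHeader: initialWorkerCsp("https://app.example/w.js", [], pagePolicies),
};
for (const [name, list] of Object.entries(cases)) {
  console.log(name, list.map((p) => Object.fromEntries(p)));
}
```

The `httpNoHeader` case is the one to check when deploying: under this rule a worker script served without its own Content-Security-Policy header starts with an empty policy list, whatever the creating page enforces.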
Comment 1•3 years ago
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=be29323f17edf97299ba76873b64a1b6995c1bdf
Comment 2•3 years ago
CI Results
Ran 11 Firefox configurations based on mozilla-central, and Firefox, and Chrome on GitHub CI
Total 38 tests and 9 subtests
Status Summary
Firefox
OK : 37
PASS : 133
FAIL : 66
TIMEOUT: 3
NOTRUN : 3
Chrome
OK : 38
PASS : 163
FAIL : 51
Links
Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base
Details
New Tests That Don't Pass
/content-security-policy/inside-worker/dedicatedworker-connect-src.html
Reports match in http: with connect-src 'self': FAIL (Chrome: FAIL)
Reports match in blob: with connect-src 'self': FAIL (Chrome: PASS)
/content-security-policy/inside-worker/dedicatedworker-script-src.html: TIMEOUT (Chrome: OK)
dedicatedworker-script-src: TIMEOUT (Chrome: PASS)
Reports are sent for http: with script-src 'self': FAIL (Chrome: FAIL)
Cross-origin importScripts() blocked in blob: with script-src 'self': TIMEOUT (Chrome: PASS)
eval() blocked in blob: with script-src 'self': NOTRUN (Chrome: PASS)
setTimeout([string]) blocked in blob: with script-src 'self': NOTRUN (Chrome: PASS)
Reports are sent for blob: with script-src 'self': NOTRUN (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html
Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html
Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html
Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html
Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html
Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html
Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html
Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html
Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html
Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html
Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/fetch.https.html
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/websocket.https.html
Upgrade-Insecure-Requests: Expects allowed for websocket to cross-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for websocket to same-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-classic.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-module.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/xhr.https.html
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/fetch.https.html
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/websocket.https.html
Upgrade-Insecure-Requests: Expects allowed for websocket to cross-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for websocket to same-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-classic.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-module.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/xhr.https.html
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/workers/modules/dedicated-worker-import-csp.html
worker-src * directive should allow cross origin static import.: FAIL (Chrome: PASS)
script-src * directive should allow cross origin static import.: FAIL (Chrome: PASS)
worker-src * directive should override script-src 'self' directive and allow cross origin static import.: FAIL (Chrome: PASS)
script-src * directive should allow cross origin dynamic import.: FAIL (Chrome: PASS)
worker-src 'self' directive should not take effect on dynamic import.: FAIL (Chrome: PASS)
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ff46c7575f48
[wpt PR 30914] - [CSP] Fix dedicated worker inheritance, a=testonly
https://hg.mozilla.org/integration/autoland/rev/a210fa430f83
[wpt PR 30914] - Update wpt metadata, a=testonly
Comment 4•3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ff46c7575f48
https://hg.mozilla.org/mozilla-central/rev/a210fa430f83