Closed Bug 1735696 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 30914 - [CSP] Fix dedicated worker inheritance

Categories: Core :: DOM: Security, task, P4
Tracking: RESOLVED FIXED, 95 Branch
Tracking Status: firefox95 --- fixed
People: Reporter: mozilla.org, Unassigned
Whiteboard: [wptsync downstream]

Sync web-platform-tests PR 30914 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/30914
Details from upstream follow.

Antonio Sartori <antoniosartori@chromium.org> wrote:

[CSP] Fix dedicated worker inheritance

Dedicated workers should populate their Content Security Policy from
parsing their response headers. In Chrome, they instead used to inherit
CSP from the creator document. This CL fixes that.

Note that workers with local schemes (data, blob, filesystem) still
inherit CSP from the creator context.

Intent to ship:
https://groups.google.com/a/chromium.org/g/blink-dev/c/sH75Nkx_OZ0

Relevant algorithm in the specification:
https://html.spec.whatwg.org/#initialize-worker-policy-container

Bug: 1012640,1253267
Change-Id: I2630bf1ba9425114758d805d5e0b8a3664cbd906
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168339
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Carlos IL <carlosil@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Commit-Queue: Carlos IL <carlosil@chromium.org>
Cr-Commit-Position: refs/heads/main@{#931337}

Component: web-platform-tests → DOM: Security
Product: Testing → Core
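The policy-container decision the commit message describes, as an added example in JavaScript that is not code from the wpt PR, Chromium or Firefox: a worker with a local scheme clones the creator's CSP, any other worker gets only what its own response headers say. The scheme set, the function names and the URL-based scheme check are assumptions made for illustration.

```javascript
// Added example, not code from the wpt PR, Chromium or Firefox: a model of the
// HTML "initialize a worker's policy container" step cited above, for a
// dedicated worker. Local schemes clone the creator's CSP; every other
// worker builds its CSP from its own response headers only.

// Schemes the commit message lists as still inheriting from the creator
// (assumed set for this example).
const LOCAL_SCHEMES = new Set(["data:", "blob:", "filesystem:"]);

// Parse Content-Security-Policy header values into a list of policies.
// Each header, and each comma-separated member of a header, is its own
// policy; within a policy the first occurrence of a directive wins.
function parseCspHeaders(headerValues) {
  const policies = [];
  for (const headerValue of headerValues) {
    for (const serialized of headerValue.split(",")) {
      const directives = new Map();
      for (const token of serialized.split(";")) {
        const [name, ...values] = token.trim().split(/\s+/).filter(Boolean);
        if (!name) continue;
        const key = name.toLowerCase();
        if (!directives.has(key)) directives.set(key, values);
      }
      if (directives.size > 0) policies.push(directives);
    }
  }
  return policies;
}

// Decide the CSP list a new dedicated worker runs under.
//   workerUrl       - the argument to `new Worker(url)` (may be relative)
//   creatorUrl      - the creating document's URL, used as the base
//   cspHeaderValues - Content-Security-Policy values on the script response
//   creatorPolicies - the creating document's parsed policy list
function initializeWorkerPolicyContainer(workerUrl, creatorUrl,
                                         cspHeaderValues, creatorPolicies) {
  const url = new URL(workerUrl, creatorUrl);
  if (LOCAL_SCHEMES.has(url.protocol)) {
    // Local scheme: the policy container is a clone of the creator's.
    return creatorPolicies.map((policy) => new Map(policy));
  }
  // Network scheme: the response headers are authoritative. Nothing from
  // the creator document carries over, which is the behaviour fixed here;
  // a worker served without a CSP header runs with no CSP at all.
  return parseCspHeaders(cspHeaderValues);
}
```

The last case is the one the new tests exercise: an http: worker served without its own header no longer reports violations against the document's connect-src or script-src, so a deployment that relied on inheritance must set the header on the worker script response.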

CI Results

Ran 11 Firefox configurations based on mozilla-central, and Firefox, and Chrome on GitHub CI

Total 38 tests and 9 subtests

Status Summary

Firefox

OK : 37
PASS : 133
FAIL : 66
TIMEOUT: 3
NOTRUN : 3

Chrome

OK : 38
PASS : 163
FAIL : 51


Details

New Tests That Don't Pass

/content-security-policy/inside-worker/dedicatedworker-connect-src.html
Reports match in http: with connect-src 'self': FAIL (Chrome: FAIL)
Reports match in blob: with connect-src 'self': FAIL (Chrome: PASS)
/content-security-policy/inside-worker/dedicatedworker-script-src.html: TIMEOUT (Chrome: OK)
dedicatedworker-script-src: TIMEOUT (Chrome: PASS)
Reports are sent for http: with script-src 'self': FAIL (Chrome: FAIL)
Cross-origin importScripts() blocked in blob: with script-src 'self': TIMEOUT (Chrome: PASS)
eval() blocked in blob: with script-src 'self': NOTRUN (Chrome: PASS)
setTimeout([string]) blocked in blob: with script-src 'self': NOTRUN (Chrome: PASS)
Reports are sent for blob: with script-src 'self': NOTRUN (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/fetch.https.html
Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/websocket.https.html
Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/worker-classic.https.html
Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/worker-module.https.html
Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/opt-in/xhr.https.html
Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/fetch.https.html
Mixed-Content: Expects allowed for fetch to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for fetch to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/websocket.https.html
Mixed-Content: Expects allowed for websocket to same-wss origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/worker-classic.https.html
Mixed-Content: Expects allowed for worker-classic to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-classic to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/worker-module.https.html
Mixed-Content: Expects allowed for worker-module to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for worker-module to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/mixed-content/gen/worker-module.http-rp/unset/xhr.https.html
Mixed-Content: Expects allowed for xhr to same-https origin and keep-scheme redirection from https context.: FAIL (Chrome: PASS)
Mixed-Content: Expects allowed for xhr to same-https origin and no-redirect redirection from https context.: FAIL (Chrome: PASS)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/fetch.https.html
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/websocket.https.html
Upgrade-Insecure-Requests: Expects allowed for websocket to cross-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for websocket to same-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-classic.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/worker-module.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-classic.http-rp/upgrade/xhr.https.html
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/fetch.https.html
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/websocket.https.html
Upgrade-Insecure-Requests: Expects allowed for websocket to cross-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for websocket to same-ws-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-classic.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/worker-module.https.html
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/upgrade-insecure-requests/gen/worker-module.http-rp/upgrade/xhr.https.html
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.: FAIL (Chrome: FAIL)
Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.: FAIL (Chrome: FAIL)
/workers/modules/dedicated-worker-import-csp.html
worker-src * directive should allow cross origin static import.: FAIL (Chrome: PASS)
script-src * directive should allow cross origin static import.: FAIL (Chrome: PASS)
worker-src * directive should override script-src 'self' directive and allow cross origin static import.: FAIL (Chrome: PASS)
script-src * directive should allow cross origin dynamic import.: FAIL (Chrome: PASS)
worker-src 'self' directive should not take effect on dynamic import.: FAIL (Chrome: PASS)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ff46c7575f48
[wpt PR 30914] - [CSP] Fix dedicated worker inheritance, a=testonly
https://hg.mozilla.org/integration/autoland/rev/a210fa430f83
[wpt PR 30914] - Update wpt metadata, a=testonly
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch