Closed Bug 1748992 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 32287 - Do not skip SRI even if integrity attribute is cleared later

Categories

(Testing :: web-platform-tests, task, P4)

Tracking

(firefox100 fixed)

RESOLVED FIXED
100 Branch
Tracking Status
firefox100 --- fixed

People

(Reporter: mozilla.org, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 32287 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/32287
Details from upstream follow.

Hiroshige Hayashizaki <hiroshige@chromium.org> wrote:

Do not skip SRI even if integrity attribute is cleared later

According to the HTML spec, the integrity attribute of script
elements is used in #prepare-a-script, and thus the changes
to the integrity attribute after #prepare-a-script shouldn't be
reflected.
However, if the integrity attribute is cleared after
#prepare-a-script, SRI check is skipped, because whether
the integrity attribute is empty is checked on script load finish.

This CL replaces the integrity attribute check with
ScriptFetchOptions' integrity metadata check.
The latter always reflects the integrity metadata set at
#prepare-a-script, and integrity attribute is no longer checked
after #prepare-a-script.

Bug: 686281
Change-Id: Ie31facd58bc3cdc3dd8056694b6da0d043c392c8
Reviewed-on: https://chromium-review.googlesource.com/1180823
WPT-Export-Revision: 1f31064bd5b526ff81fd4ed8611d6357cd0654a2
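
The difference between the two checks described in the commit message above, as an added Node.js model; it is not part of the upstream commit and is not Blink or Gecko code. All function names, the element object and the script bodies are assumptions made for illustration.

```javascript
// Added model of the check described above; not browser engine code.
const crypto = require("crypto");

// SRI-style "sha256-<base64>" digest of a response body.
const sriDigest = (body) =>
  "sha256-" + crypto.createHash("sha256").update(body).digest("base64");

// Empty metadata means no SRI was requested; otherwise a listed hash must match.
// Simplified: real SRI first selects the strongest algorithm in the list.
function matchesIntegrity(body, metadata) {
  const hashes = metadata.split(/\s+/).filter(Boolean);
  return hashes.length === 0 || hashes.includes(sriDigest(body));
}

// Models #prepare-a-script: the integrity attribute is read once, here.
function prepareScript(element) {
  return { integrityMetadata: element.integrity };
}

// Pre-fix behaviour: re-reads the live attribute when the load finishes.
function finishLoadLiveAttribute(element, fetchOptions, body) {
  if (element.integrity === "") return true; // SRI check skipped
  return matchesIntegrity(body, fetchOptions.integrityMetadata);
}

// Post-fix behaviour: only the metadata captured at prepare time is consulted.
function finishLoadSnapshot(element, fetchOptions, body) {
  return matchesIntegrity(body, fetchOptions.integrityMetadata);
}

// Returns true if the script would run. Bodies are constructed sample data.
function simulate(finishLoad, { clearAttribute, served }) {
  const expected = "console.log('expected build');";
  const element = { integrity: sriDigest(expected) };
  const fetchOptions = prepareScript(element);
  if (clearAttribute) element.integrity = ""; // mutation after prepare
  return finishLoad(element, fetchOptions, served ?? expected);
}

const modified = "console.log('different bytes');";
console.log({
  liveAttribute: simulate(finishLoadLiveAttribute, { clearAttribute: true, served: modified }),
  snapshot: simulate(finishLoadSnapshot, { clearAttribute: true, served: modified }),
});
```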

CI Results

Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 2 tests and 46 subtests

Status Summary

Firefox

OK : 2
PASS: 90
FAIL: 21

Chrome

OK : 2
PASS: 104
FAIL: 7

Safari

OK : 2
PASS: 84
FAIL: 27

Details

New Tests That Don't Pass

/preload/subresource-integrity.html
Same-origin script with incorrect hash.: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin script with sha256 match, sha512 mismatch: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> script with incorrect hash, ACAO: *: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='use-credentials'> script with incorrect hash CORS-eligible: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> script with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin script, not CORS request, with correct hash: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin script, not CORS request, with hash mismatch: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin style with incorrect hash.: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin style with sha256 match, sha512 mismatch: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> style with incorrect hash, ACAO: *: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='use-credentials'> style with incorrect hash CORS-eligible: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> style with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin style, not CORS request, with correct hash: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin style, not CORS request, with hash mismatch: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin image with incorrect hash.: FAIL (Chrome: FAIL, Safari: FAIL)
Same-origin image with sha256 match, sha512 mismatch: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='anonymous'> image with incorrect hash, ACAO: *: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='use-credentials'> image with incorrect hash CORS-eligible: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='anonymous'> image with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin image, not CORS request, with correct hash: FAIL (Chrome: FAIL, Safari: FAIL)
Cross-origin image, not CORS request, with hash mismatch: FAIL (Chrome: FAIL, Safari: FAIL)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/130688534631
[wpt PR 32287] - Do not skip SRI even if integrity attribute is cleared later, a=testonly
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch