Investigate why WPT <to-javascript-url-script-src.html> times out for Gecko (SecurityPolicyViolationEvent target is an iframe in other browsers)
Categories
(Core :: DOM: Security, task, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox134 | --- | fixed |
People
(Reporter: mbrodesser-Igalia, Assigned: mbrodesser-Igalia)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog], [wptsync upstream])
Attachments
(1 file)
|
||
Comment 1•2 months ago
|
||
No need to jump to a fix, but it would be nice to do an early investigation why this isn't passing
|
|
||
Updated•2 months ago
|
|
Assignee | |
Comment 2•2 months ago
|
||
It times out because e.target at [1] isn't the iframe element, but the outer document.
According to the spec [2] the violation's element is null. Later in the spec [3] in step 3.2 that results in a target of null. Which, in the same step is replaced by the global object, or, if the latter is a Window, by the windows' document.
Presumably the latter happens in Gecko.
The test passes in Chrome, so there the global object should be the iframe.
So it needs to be figured out which global is the correct one to use in step 3.1.1.3 of [2].
[1] https://searchfox.org/mozilla-central/rev/26a98a7ba56f315df146512c43449412f0592942/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html#13
[2] https://w3c.github.io/webappsec-csp/#should-block-navigation-request
[3] https://w3c.github.io/webappsec-csp/#report-violation
|
|
Assignee | |
Comment 3•2 months ago
|
||
Seems to be related to https://github.com/whatwg/html/issues/4651#issue-447334382:
so there is only one sane global to use around. But for location.href sets or modifications of the src attribute of <iframe>, it should be observable which global's CSP gets used here.
|
|
Assignee | |
Comment 4•2 months ago
|
||
The test passes in Chrome and all other major browsers [1].
In the spec, the violation's element, i.e. in the test the iframe element [2], could be passed to [3] invoked by step 5 of [4] by passing the navigable's container [5] if that is an iframe element.
[1] https://wpt.fyi/results/content-security-policy/navigation/to-javascript-url-script-src.html?label=master&label=experimental&aligned&q=to-javascript-url-script-src.html
[2] https://searchfox.org/mozilla-central/rev/26a98a7ba56f315df146512c43449412f0592942/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html#39
[3] https://w3c.github.io/webappsec-csp/#should-block-navigation-request
[4] https://html.spec.whatwg.org/#navigate-to-a-javascript:-url
[5] https://html.spec.whatwg.org/#nav-container
|
||
Comment 5•2 months ago
|
||
It would be good to get this properly specified and fixed. I think from an user's perspective using the iframe as the target makes sense?
|
|
||
Updated•2 months ago
|
|
|
Assignee | |
Comment 6•2 months ago
|
||
(In reply to Tom Schuster (MoCo) from comment #5)
It would be good to get this properly specified and fixed. I think from an user's perspective using the iframe as the target makes sense?
Yes.
Currently trying to figure out how to get the iframe element in https://searchfox.org/mozilla-central/rev/1e8cec3727d6e09f4af41bb3d202b7a4c326ed84/dom/jsurl/nsJSProtocolHandler.cpp#171.
|
|
Assignee | |
Comment 7•23 days ago
|
||
(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #2)
It times out because
e.targetat [1] isn't the iframe element, but the outer document.According to the spec [2] the violation's element is null. Later in the spec [3] in step 3.2 that results in a target of null. Which, in the same step is replaced by the global object, or, if the latter is a Window, by the windows' document.
Presumably the latter happens in Gecko.
Confirming the presumption.
|
|
Assignee | |
Updated•23 days ago
|
|
|
Assignee | |
Updated•18 days ago
|
|
|
Assignee | |
Comment 8•18 days ago
|
||
Gecko doesn't set the securitypolicyevent violation's target element,
which prevented the async tests from passing with Gecko.
Setting the violation's target element isn't specified (
https://github.com/w3c/webappsec-csp/issues/687).
Promise-based tests allow removing checking the target element, because
the tests are run in sequence
(https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
|
||
Comment 11•16 days ago
|
||
| bugherder | ||
Description
•