1936058 - Add WPT invalidation test for the require-trusted-types-for CSP directive

Status: RESOLVED FIXED

(Core :: DOM: Security, task)

Description

[Frédéric Wang (:fredw)]

In bug 1909168, we are basically caching whether a document / CSP policy list contains at least one require-trusted-types-for-csp directive.

Mirko pointed out that we likely need invalidation tests for that optimization if someone dynamically modifies the CSP list so that it ends up including or not a require-trusted-types-for-csp directive. I don't really know when/if that can happen (e.g. perhaps by modifying the meta tags) but agree this is definitely something to double check. Perhaps also for workers if we end up needing a similar optimization (I'll explain on bug 1936014).

Comment 1

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

I don't really know when/if that can happen (e.g. perhaps by modifying the meta tags)

Yes. A test adding CSP, like https://jsbin.com/fuwuremuse/1/edit?html,output is needed. Analogously another test which removes the CSP.

Comment 2

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

Another scenario potentially needing tests: two CSPs, one "Content-Security-Policy" and one "Content-Security-Policy-Report-Only" and the different combinations of adding/removing them.

Comment 3

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

Attachment: Bug 1936058: add WPT for checking removing the meta tag of a "require-trusted-types-for 'script'" directive continues requiring trusted types. r=smaug

Codepaths for "trusted-types somePolicyName" [1] are likely the same, so
adding no tests for that.

[1] https://www.w3.org/TR/trusted-types/#trusted-types-csp-directive

Comment 4

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #2)

Another scenario potentially needing tests: two CSPs, one "Content-Security-Policy" and one "Content-Security-Policy-Report-Only" and the different combinations of adding/removing them.

More specifically, two directives for one document were meant. Such a test seems unnecessary, because only "require-trusted-types-for 'script'" directives are relevant here. So the relevant code-path is the one for such a directive, for which already tests exist.

Comment 5

[Pulsebot]

Pushed by mbrodesser@igalia.com:
https://hg.mozilla.org/integration/autoland/rev/8f2d558f4720
add WPT for checking removing the meta tag of a "require-trusted-types-for 'script'" directive continues requiring trusted types. r=smaug

Comment 6

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/49705 for changes under testing/web-platform/tests

Comment 7

[agoloman]

https://hg.mozilla.org/mozilla-central/rev/8f2d558f4720

Comment 8

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot