Closed Bug 1937764 Opened 1 year ago Closed 1 year ago

Check WPT <content-security-policy/securitypolicyviolation/source-file.html>

Categories

(Core :: DOM: Security, task)

RESOLVED DUPLICATE of bug 1944479

People

(Reporter: mbrodesser, Unassigned)

References

(Blocks 2 open bugs)

Details

Blocks: 1939805

https://searchfox.org/mozilla-central/source/testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file.html

First, the test has at least two issues (similar to other TT report tests):

  • assert_unreached() shouldn't be called in a try statement, otherwise the thrown assertion is just caught rather than reported.
  • document.addEventListener() should be called before the statement causing the violation (here eval(trusted_script)), otherwise there could be a flaky failure/timeout with the violation not caught.

I tried something like the code below, but the sourceFile in the violation remains http://web-platform.test:8000/content-security-policy/securitypolicyviolation/source-file.html, not the one specified by # sourceURL=${input}. I guess this has something to do with source maps, see https://tc39.es/ecma426/#linking-eval; not sure if we need something specific in our TrustedType code to make it work.

const testSourceFile = (description, input, output) => {
  promise_test(async test => {
    let violation = new Promise(resolve => {
      // Listen for TrustedType violation.
      document.addEventListener("securitypolicyviolation", e => {
        resolve(e);
      }, {once: true});
      // A trusted script using a customized sourceURL. The script's execution
      // itself will trigger a TrustedType violation.
      const trusted_script = policy.createScript(`
        eval('');
        //# sourceURL=${input}
      `);
      assert_throws_js(EvalError, _ => eval(trusted_script));
    });
    assert_equals((await violation).sourceFile, output);
  }, description);
};

(In reply to Frédéric Wang (:fredw) from comment #1)

> document.addEventListener() should be called before the statement causing the violation (here eval(trusted_script)), otherwise there could be a flaky failure/timeout with the violation not caught.

Actually, this one is probably fine since the function passed to the new Promise constructor is executed immediately.

I'm closing this as a duplicate of bug 1944479.

My understanding is that this is a Source Map and/or CSP bug, but actually not specific to trusted types.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1944479
Resolution: --- → DUPLICATE
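
The two test-authoring points raised in this thread (an assertion thrown inside a try block is swallowed, and a listener registered at the top of a Promise executor is in place before the statement that follows it), as an added example that is not part of the bug or of the WPT test. It runs under Node.js; AssertionError, assert_unreached, violate and the four functions are constructed stand-ins, and the synchronous event dispatch is an assumption chosen as the worst case for a late listener.

```javascript
// Stand-ins for testharness.js and document (constructed; runs under Node.js).
class AssertionError extends Error {}
const assert_unreached = msg => { throw new AssertionError(msg); };

// Hypothetical trigger: fires the event synchronously, then throws. This is
// the worst case for a late listener, not a model of browser event timing.
const violate = target => {
  target.dispatchEvent(new Event("securitypolicyviolation"));
  throw new EvalError("blocked");
};

// Pitfall 1: the assertion is thrown inside try, so catch swallows it.
function swallowed(action) {
  try {
    action();
    assert_unreached("expected an exception");
  } catch (e) { /* the AssertionError lands here too */ }
  return "pass";
}

// Fix: record the outcome inside try, assert outside it.
function reported(action) {
  let threw = false;
  try { action(); } catch (e) { threw = true; }
  if (!threw) assert_unreached("expected an exception");
  return "pass";
}

// The Promise executor runs synchronously, so a listener added at its top is
// registered before the violating statement that follows it.
function listenInsideExecutor(target = new EventTarget()) {
  const order = [];
  const violation = new Promise(resolve => {
    target.addEventListener("securitypolicyviolation", e => resolve(e.type), { once: true });
    order.push("listener added");
    try { violate(target); } catch (e) { order.push("violation raised"); }
  });
  order.push("constructor returned");
  return { order, violation };
}

// Listener added after the violation: the event is missed and only the
// timeout settles the race.
function listenTooLate(target = new EventTarget(), ms = 20) {
  try { violate(target); } catch (e) { /* expected EvalError */ }
  const late = new Promise(resolve =>
    target.addEventListener("securitypolicyviolation", e => resolve(e.type), { once: true }));
  const timeout = new Promise(resolve => setTimeout(resolve, ms, "timeout"));
  return Promise.race([late, timeout]);
}
```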