Closed Bug 1948042 Opened 11 days ago Closed 6 days ago

[wpt-sync] Sync PR 50681 - require-sri-for: 'script'

Categories

(Core :: DOM: Security, task, P4)

Tracking

(RESOLVED FIXED, 137 Branch)

Tracking Status
firefox137 --- fixed

People

(Reporter: wpt-sync, Unassigned)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 50681 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/50681
Details from upstream follow.

Yoav Weiss <yoavweiss@chromium.org> wrote:

require-sri-for: 'script'

require-sri-for would enable documents to enforce SRI on all resources
they load (of a certain type). This CL revives a previous attempt [1]
at this that ended up being removed. It only adds the 'script' part of
it, as this has a clear use case [2].

Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ

Spec PR: https://github.com/w3c/webappsec-subresource-integrity/pull/129

[1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260
[2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0

Change-Id: I66acc12b073174cb33cf594b714e803e24656d27
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1419883}

Component: web-platform-tests → DOM: Security
Product: Testing → Core

CI Results

Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 17 tests and 1 subtests

Status Summary

Firefox

OK : 15
PASS : 19 [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-24h2-debug, Gecko-windows11-32-24h2-opt, Gecko-windows11-64-24h2-debug, Gecko-windows11-64-24h2-opt], 20 [GitHub]
FAIL : 3
TIMEOUT: 2 [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-24h2-debug, Gecko-windows11-32-24h2-opt, Gecko-windows11-64-24h2-debug, Gecko-windows11-64-24h2-opt], 4 [GitHub]
NOTRUN : 10

Chrome

OK : 15
PASS : 19
FAIL : 4
TIMEOUT: 4
NOTRUN : 10

Safari

OK : 15
PASS : 19
FAIL : 4
TIMEOUT: 4
NOTRUN : 10

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

  • /html/document-isolation-policy/reporting-cache-storage-corp.tentative.https.html [wpt.fyi]: SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-24h2-debug, Gecko-windows11-32-24h2-opt, Gecko-windows11-64-24h2-debug, Gecko-windows11-64-24h2-opt], TIMEOUT [GitHub] (Chrome: TIMEOUT, Safari: TIMEOUT)
    • [document] blocked due to DIP: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
    • [document] blocked during redirect: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [dedicated worker] same-origin: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [dedicated worker] blocked due to DIP: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [dedicated worker] blocked during redirect: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [shared worker] same-origin: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [shared worker] blocked due to DIP: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [shared worker] blocked during redirect: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [document with service worker] same-origin: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [document with service worker] blocked due to DIP: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
    • [document with service worker] blocked during redirect: NOTRUN (Chrome: NOTRUN, Safari: NOTRUN)
  • /content-security-policy/tentative/require-sri-for/script-blocked-meta.https.html [wpt.fyi]: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
    • Test that meta require-sri-for blocks scripts with no SRI: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
  • /content-security-policy/tentative/require-sri-for/script.https.html [wpt.fyi]
    • Ensure that a script without integrity did not run: FAIL (Chrome: FAIL, Safari: FAIL)
    • Ensure that a script with unknown integrity algorithm did not run: FAIL (Chrome: FAIL, Safari: FAIL)
    • Ensure that a no-cors script gets blocked: FAIL (Chrome: FAIL, Safari: FAIL)

Tests Disabled in Gecko Infrastructure

  • /html/document-isolation-policy/reporting-cache-storage-corp.tentative.https.html [wpt.fyi]: SKIP [Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows11-32-24h2-debug, Gecko-windows11-32-24h2-opt, Gecko-windows11-64-24h2-debug, Gecko-windows11-64-24h2-opt], TIMEOUT [GitHub] (Chrome: TIMEOUT, Safari: TIMEOUT)
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fd03a8c2725c
[wpt PR 50681] - require-sri-for: 'script', a=testonly
https://hg.mozilla.org/integration/autoland/rev/a15e89e26431
[wpt PR 50681] - Update wpt metadata, a=testonly
Status: NEW → RESOLVED
Closed: 6 days ago
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch