[wpt-sync] Sync PR 54982 - Add WPT for registration and challenges from a third-party context
Categories
(Testing :: web-platform-tests, task, P4)
Tracking
(firefox145 fixed)
People
(Reporter: wpt-sync, Unassigned)
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 54982 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/54982
Details from upstream follow.
Daniel Rubery <drubery@chromium.org> wrote:
Add WPT for registration and challenges from a third-party context
This CL makes sure that registration and challenge setting don't work
from a third-party context if all the bound cookies are first-party.
Fixed: 417410430
Change-Id: I0b9ce736cac5a36a71c55c11a515031a7c036ae1
Reviewed-on: https://chromium-review.googlesource.com/6961315
WPT-Export-Revision: 74151f67e3e7456b24be2db7018dabc38674c73e
Comment 2•8 months ago
CI Results
Ran 0 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 24 tests and 4 subtests
Status Summary
Firefox
OK : 1
PASS : 1
TIMEOUT: 46
NOTRUN : 28
Chrome
OK : 1
PASS : 1
TIMEOUT: 46
NOTRUN : 28
Safari
OK : 1
PASS : 1
TIMEOUT: 46
NOTRUN : 28
Details
New Tests That Don't Pass
- /device-bound-session-credentials/allowed-refresh-initiators.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session refreshes when initated by the owning site: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session refreshes when initated by a host in allowed_refresh_initiators: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - An established session does not refresh when initated by a host not in allowed_refresh_initiators: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/clear-site-data.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A session ended with Clear-Site-Data: 'cookies' does not refresh cookies: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A session ended with Clear-Site-Data: 'storage' does not refresh cookies: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/create-session.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session can refresh a cookie: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/credentials-matching.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Expires attribute in credentials doesn't affect matching: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Max-Age attribute in credentials doesn't affect matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - HttpOnly attribute in credentials affects matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - SameSite attribute in credentials affects matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Secure attribute in credentials affects matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Path attribute in credentials affects matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Partition attribute in credentials affects matching: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/debug-header.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A session that fails to reach the refresh endpoint sets debug header: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Same-site redirects continue to send debug header: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Cross-site redirects do not send debug header: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Two failing sessions both set debug header: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/empty-response.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An empty response fails on registration: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An empty response is allowed on refresh: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/federated-session.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Successful federated session registration: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Invalid thumbprint: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Invalid provider session id: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Not authorized by .well-known: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/fetch-no-credentials.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A cross-site fetch without credentials should not refresh: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/include-site.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session refreshes across origins if the site is included: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session does not refresh across origins if the site is not included: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/multiple-credentials.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A session can have multiple credentials set: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/multiple-registrations.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Multiple registrations can be triggered in one response (single header): TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Multiple registrations can be triggered in one response (multiple headers): NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/refresh-does-not-send-challenge.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Refresh does not send back Sec-Session-Challenge: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/refresh-replaces-config.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Refresh can replace session config: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Refresh cannot replace session identifier: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/refresh-with-continue-false.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A session ended with continue:false does not refresh cookies: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/registration-sends-challenge.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Registration can send back Sec-Session-Challenge: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/resolving-urls.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - The registration and refresh endpoints can be configured as absolute URLs: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - The registration and refresh endpoints can be configured as relative URLs with leading slash: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - The registration and refresh endpoints can be configured as relative URLs without leading slash: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/session-cookie-has-no-attributes.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - An established session can refresh a cookie that has all default attributes: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/set-authorization.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Session registration sends the authorization value: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/set-early-challenge.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A challenge can be set ahead of time: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A challenge can be set for multiple sessions ahead of time (single header): NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - A challenge can be set for multiple sessions ahead of time (multiple headers): NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/set-scope-origin.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A request within the scope origin refreshes: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - A request outside the scope origin does not refresh: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/set-scope-specification.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Scope specification configuration is respected: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
- /device-bound-session-credentials/subdomain-registration.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Registration fails without a .well-known: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Registration succeeds with a .well-known: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
- /device-bound-session-credentials/third-party-registration.https.html [wpt.fyi]: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Registration of first-party session not allowed in third-party context: TIMEOUT(Chrome:TIMEOUT, Safari:TIMEOUT)
  - Registration of session with third-party cookies allowed in third-party context: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Set challenge of first-party not allowed in third-party context: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
  - Set challenge of session with third-party cookies allowed in third-party context: NOTRUN(Chrome:NOTRUN, Safari:NOTRUN)
Comment 4•8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6834fff1cf54
https://hg.mozilla.org/mozilla-central/rev/cc1f91a47b9a