2036257 - [wpt-sync] Sync PR 59539 - [Connection-Allowlist] Enforce "webrtc" header param.

Status: RESOLVED FIXED

(Testing :: web-platform-tests, task, P4)

Description

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Sync web-platform-tests PR 59539 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/59539
Details from upstream follow.

Andrew Verge <averge@chromium.org> wrote:

[Connection-Allowlist] Enforce "webrtc" header param.

WebRTC needs to be treated specially by the Connection-Allowlist header,
because it is not possible to enumerate hostnames that will be used for
P2P connections.

The decision was made in
https://github.com/WICG/connection-allowlists/issues/6 to use a global
header flag that will either completely allow or block WebRTC peer
connections, regardless of the target origin.

This was specified in
https://github.com/WICG/connection-allowlists/commit/5b5fcb595f2e3c41edd49e002eea6559e3e45cfe.
and this CL implements the enforcement portion of the specification.

Note that there are changes in both the renderer and the browser.

• On the renderer side, we prevent construction of RTCPeerConnection.
• On the browser side, we prevent the P2PSocketManager from being bound
  in the network service, as an extra layer of protection against a
  compromised renderer. This is similar to how P2P was handled for
  fenced frames.

Bug: 492439214
Change-Id: Ib10bda11020df74e3ecd41450027cacbf6a7bd2a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7676321
Reviewed-by: Mike West \<mkwst@chromium.org>
Commit-Queue: Andrew Verge \<averge@chromium.org>
Reviewed-by: Johannes Kron \<kron@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1622470}

Comment 1

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=1be0976b7235b99bc30666eb7a4c5a2c79c374c3

Comment 2

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

CI Results

Ran 9 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 41 tests and 5 subtests

Status Summary

Firefox

OK : 3[GitHub] 41[Gecko-android-em-14-x86_64-debug-geckoview, Gecko-android-em-14-x86_64-lite-opt-geckoview, Gecko-android-em-14-x86_64-opt-geckoview, Gecko-linux2404-64-debug, Gecko-linux2404-64-opt, Gecko-windows11-32-25h2-debug, Gecko-windows11-32-25h2-opt, Gecko-windows11-64-25h2-debug, Gecko-windows11-64-25h2-opt]
PASS: 4[GitHub] 82[Gecko-android-em-14-x86_64-debug-geckoview, Gecko-android-em-14-x86_64-lite-opt-geckoview, Gecko-android-em-14-x86_64-opt-geckoview, Gecko-linux2404-64-debug, Gecko-linux2404-64-opt, Gecko-windows11-32-25h2-debug, Gecko-windows11-32-25h2-opt, Gecko-windows11-64-25h2-debug, Gecko-windows11-64-25h2-opt]
FAIL: 2[GitHub] 148[Gecko-android-em-14-x86_64-debug-geckoview, Gecko-android-em-14-x86_64-lite-opt-geckoview, Gecko-android-em-14-x86_64-opt-geckoview, Gecko-linux2404-64-debug, Gecko-linux2404-64-opt, Gecko-windows11-32-25h2-debug, Gecko-windows11-32-25h2-opt, Gecko-windows11-64-25h2-debug, Gecko-windows11-64-25h2-opt]

Chrome

OK : 3
PASS: 4
FAIL: 2

Safari

OK : 3
PASS: 4
FAIL: 2

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

• /connection-allowlist/tentative/dedicated-worker-redirect-block.sub.window.html [wpt.fyi]
  • Same-origin dedicated worker main script fetch with redirect fails due to redirects=block.: FAIL
  • Same-origin subresource fetch from dedicated worker with same-origin redirect fails due to redirects=block.: FAIL
  • Same-origin subresource fetch from dedicated worker with cross-origin redirect fails due to redirects=block.: FAIL
• /connection-allowlist/tentative/dedicated-worker-redirect-default.sub.window.html [wpt.fyi]
  • Same-origin dedicated worker main script fetch with redirect fails by default.: FAIL
  • Same-origin subresource fetch from dedicated worker with same-origin redirect fails by default.: FAIL
  • Same-origin subresource fetch from dedicated worker with cross-origin redirect fails by default.: FAIL
• /connection-allowlist/tentative/dedicated-worker.sub.window.html [wpt.fyi]
  • Cross-origin fetch from a dedicated worker (data: URL) should be blocked by inherited policy.: FAIL
  • Dedicated worker with empty connection allowlist cannot perform any fetches.: FAIL
• /connection-allowlist/tentative/fetch-keepalive-redirect.sub.window.html [wpt.fyi]
  • Fetch keepalive redirect from http://web-platform.test:8000 to http://web-platform.test:8000 fails.: FAIL
  • Fetch keepalive redirect from http://web-platform.test:8000 to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/fetch-keepalive.sub.window.html [wpt.fyi]
  • Fetch to http://www.web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://www1.web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://www2.web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://xn--lve-6lad.web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://not-web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://www.not-web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://www1.not-web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://www2.not-web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://xn--n8j6ds53lwwkrqhv28a.not-web-platform.test:8000 with keepalive: true fails.: FAIL
  • Fetch to http://xn--lve-6lad.not-web-platform.test:8000 with keepalive: true fails.: FAIL
• /connection-allowlist/tentative/fetch-redirect-block.sub.window.html [wpt.fyi]
  • Fetch redirect from http://web-platform.test:8000 to http://web-platform.test:8000 fails.: FAIL
  • Fetch redirect from http://web-platform.test:8000 to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/fetch-redirect-default.sub.window.html [wpt.fyi]
  • Fetch redirect from http://web-platform.test:8000 to http://web-platform.test:8000 fails.: FAIL
  • Fetch redirect from http://web-platform.test:8000 to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/fetch-wildcard.sub.window.html [wpt.fyi]
  • Fetch cors/omit to http://www.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www1.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www1.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www2.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www2.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/fetch.sub.window.html [wpt.fyi]
  • Fetch cors/omit to http://www.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www1.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www1.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www2.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www2.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://not-web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www.not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www.not-web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www1.not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www1.not-web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://www2.not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://www2.not-web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--n8j6ds53lwwkrqhv28a.not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--n8j6ds53lwwkrqhv28a.not-web-platform.test:8000 fails.: FAIL
  • Fetch cors/omit to http://xn--lve-6lad.not-web-platform.test:8000 fails.: FAIL
  • Fetch no-cors/omit to http://xn--lve-6lad.not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/iframe-contentwindow-injection.sub.window.html [wpt.fyi]
  • Injecting <link rel="prefetch"> into same-origin iframe (with its own Connection-Allowlist) contentWindow must be blocked.: FAIL
• /connection-allowlist/tentative/link_header_modulepreload_deny.sub.window.html [wpt.fyi]
  • Link header modulepreload to a not allow-listed url fails.: FAIL
• /connection-allowlist/tentative/link_header_preload_deny.sub.window.html [wpt.fyi]
  • Link header preload to a not allow-listed url fails.: FAIL
• /connection-allowlist/tentative/link_rel_modulepreload.sub.window.html [wpt.fyi]
  • Modulepreload to http://www.web-platform.test:8000 fails.: FAIL
  • Modulepreload to http://www1.web-platform.test:8000 fails.: FAIL
  • Modulepreload to http://www2.web-platform.test:8000 fails.: FAIL
  • Modulepreload to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Modulepreload to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Modulepreload to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/link_rel_prefetch.sub.window.html [wpt.fyi]
  • Prefetch to http://www.web-platform.test:8000 fails.: FAIL
  • Prefetch to http://www1.web-platform.test:8000 fails.: FAIL
  • Prefetch to http://www2.web-platform.test:8000 fails.: FAIL
  • Prefetch to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Prefetch to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Prefetch to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/link_rel_preload.sub.window.html [wpt.fyi]
  • Preload to http://www.web-platform.test:8000 fails.: FAIL
  • Preload to http://www1.web-platform.test:8000 fails.: FAIL
  • Preload to http://www2.web-platform.test:8000 fails.: FAIL
  • Preload to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 fails.: FAIL
  • Preload to http://xn--lve-6lad.web-platform.test:8000 fails.: FAIL
  • Preload to http://not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/link_rel_stylesheet.sub.window.html [wpt.fyi]
  • Stylesheet to http://www.web-platform.test:8000 fails.: FAIL
  • Stylesheet to http://www1.web-platform.test:8000 fails.: FAIL
  • Stylesheet to http://not-web-platform.test:8000 fails.: FAIL
  • Stylesheet to http://www.not-web-platform.test:8000 fails.: FAIL
• /connection-allowlist/tentative/link_rel_whitespace_bypass.sub.window.html [wpt.fyi]
  • <link rel="\tprefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="(space)prefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="\nprefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="\rprefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="\fprefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="prefetch\t"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="\t(space)prefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • <link rel="(space)\tprefetch\t(space)"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • innerHTML: <link rel="\tprefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • innerHTML: <link rel="(space)prefetch"> to blocked origin must be blocked by Connection-Allowlist.: FAIL
  • HTML entity encoded rel="prefetch" (prefetch) to blocked origin must be blocked by Connection-Allowlist.: FAIL
• /connection-allowlist/tentative/navigation-anchor-new-tab.sub.window.html [wpt.fyi]
  • Navigation via anchor with target=_blank to http://www.web-platform.test:8000 should fail.: FAIL
  • Navigation via anchor with target=_blank to http://not-web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-redirect-allow.sub.window.html [wpt.fyi]
  • Redirect from http://not-web-platform.test:8000 to http://web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-redirect-block.sub.window.html [wpt.fyi]
  • Redirect from http://web-platform.test:8000 to http://web-platform.test:8000 should fail.: FAIL
  • Redirect from http://web-platform.test:8000 to http://not-web-platform.test:8000 should fail.: FAIL
  • Redirect from http://not-web-platform.test:8000 to http://web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-redirect-default.sub.window.html [wpt.fyi]
  • Redirect from http://web-platform.test:8000 to http://web-platform.test:8000 should fail.: FAIL
  • Redirect from http://web-platform.test:8000 to http://not-web-platform.test:8000 should fail.: FAIL
  • Redirect from http://not-web-platform.test:8000 to http://web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-response-origin.sub.window.html [wpt.fyi]
  • Navigation to http://www.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www1.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www2.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--lve-6lad.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://not-web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www.not-web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www1.not-web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www2.not-web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--n8j6ds53lwwkrqhv28a.not-web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--lve-6lad.not-web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-wildcard.sub.window.html [wpt.fyi]
  • Navigation to http://www.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www1.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://www2.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--n8j6ds53lwwkrqhv28a.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://xn--lve-6lad.web-platform.test:8000 should fail.: FAIL
  • Navigation to http://not-web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/navigation-window-open.sub.window.html [wpt.fyi]
  • window.open(url, name) to http://www.web-platform.test:8000 should fail.: FAIL
  • window.open(url, name) to http://not-web-platform.test:8000 should fail.: FAIL
  • window.open(url, '_self') to http://www.web-platform.test:8000 should fail.: FAIL
  • window.open(url, '_self') to http://not-web-platform.test:8000 should fail.: FAIL
  • window.open(url) with no target to http://www.web-platform.test:8000 should fail.: FAIL
  • window.open(url) with no target to http://not-web-platform.test:8000 should fail.: FAIL
• /connection-allowlist/tentative/reporting-http.https.sub.html [wpt.fyi]
  • Connection-Allowlist report is delivered to the reporting endpoint for a blocked fetch.: FAIL
• /connection-allowlist/tentative/reporting-image-blocked.https.sub.html [wpt.fyi]
  • Connection-Allowlist report is delivered to the reporting endpoint for a blocked image.: FAIL
• /connection-allowlist/tentative/reporting-multiple-violations.https.sub.html [wpt.fyi]
  • Multiple Connection-Allowlist reports are delivered to the reporting endpoint.: FAIL
• /connection-allowlist/tentative/reporting-report-only.https.sub.html [wpt.fyi]
  • Connection-Allowlist report is delivered to the reporting endpoint for a report-only fetch.: FAIL
• /connection-allowlist/tentative/shared-worker.sub.window.html [wpt.fyi]
  • Cross-origin fetch from a shared worker (data: URL) should be blocked by inherited policy.: FAIL
  • Shared worker with empty connection allowlist cannot perform any fetches.: FAIL
  • Shared worker (blob: URL) inherits creator's connection allowlist policy.: FAIL
• /connection-allowlist/tentative/subresource-blocking.sub.window.html [wpt.fyi]
  • Multi-value rel="alternate prefetch" to blocked origin must be blocked.: FAIL
  • Multi-value rel="prefetch stylesheet" to blocked origin must be blocked.: FAIL
  • <object data="cross-origin"> to blocked origin must be blocked.: FAIL
  • <embed src="cross-origin"> to blocked origin must be blocked.: FAIL
  • CSS background-image: url() to blocked origin must be blocked.: FAIL
  • CSS @import url() to blocked origin must be blocked.: FAIL
  • <img srcset="cross-origin"> to blocked origin must be blocked.: FAIL
  • <video poster="cross-origin"> to blocked origin must be blocked.: FAIL
• /connection-allowlist/tentative/webrtc-block-default.sub.window.html [wpt.fyi]
  • Test that setting Connection-Allowlist blocks WebRTC by default.: FAIL (Chrome: FAIL, Safari: FAIL)
• /connection-allowlist/tentative/webrtc-block.sub.window.html [wpt.fyi]
  • Test that webrtc=block Connection-Allowlist param is respected.: FAIL (Chrome: FAIL, Safari: FAIL)
• /connection-allowlist/tentative/websocket.sub.window.html [wpt.fyi]
  • Cross-origin same-site WebSocket (www) is blocked.: FAIL
  • Cross-origin same-site WebSocket (www1) is blocked.: FAIL
  • Cross-site WebSocket is blocked.: FAIL
  • Cross-site WebSocket (www subdomain) is blocked.: FAIL

Comment 3

[Pulsebot]

Pushed by wptsync@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/4d5de2b42ba2
https://hg.mozilla.org/integration/autoland/rev/2846138bfec3
[wpt PR 59539] - [Connection-Allowlist] Enforce "webrtc" header param., a=testonly
https://github.com/mozilla-firefox/firefox/commit/34cda7dadb1e
https://hg.mozilla.org/integration/autoland/rev/4335ecbf3b52
[wpt PR 59539] - Update wpt metadata, a=testonly

Comment 4

[Silaghi Andreea]

https://hg.mozilla.org/mozilla-central/rev/2846138bfec3
https://hg.mozilla.org/mozilla-central/rev/4335ecbf3b52