Bug 695385
Opened 13 years ago
Closed 6 years ago
Create mochitest for attempting to load external resources cross-origin
Categories
(Core :: SVG, defect, P1)
RESOLVED
FIXED
mozilla66
| | Tracking | Status |
|---|---|---|
| firefox66 | --- | fixed |
People
(Reporter: dholbert, Assigned: dholbert)
Attachments
(1 file)
Filing this bug on creating a mochitest for cross-origin external-resource-loads, per bug 695108 comment 3.
(the loads should fail, and the test should verify that.)
Comment 1 • 13 years ago (Assignee)
(The reftest "reftests/svg/filter-extref-differentOrigin-01.svg" currently tests this, but it can only successfully test this when served over file://, which means it doesn't work on Android. This is because the only different-origin option for reftests is a relative path in content served over file://)
Comment 2 • 6 years ago (Assignee)
This just got higher-priority, because the reftest that we currently use (filter-extref-differentOrigin-01.svg) depends on a pref-flip that is now becoming less reliable (and which can now cause fatal assertion failures in debug builds), per bug 1286798.
The reftest is being disabled so that that bug can proceed, so I'm going to get a new mochitest written ASAP.
Assignee: nobody → dholbert
OS: Linux → All
Priority: -- → P1
Hardware: x86 → All
Comment 3 • 6 years ago (Assignee)
Hmm -- it looks like this test was *really* hoping to test file:// URIs (and does currently, but won't anymore if I rewrite it as a mochitest). It was meant to exercise bz's hypothetical scenario in bug 686013 comment 19, where I had mistakenly used IS_LOCAL_RESOURCE in an initial patch as a check for whether something was safe to consider same-origin.
But it seems we may not be able to depend on file:// URIs enforcing the cross-origin security checks anymore, since we turn off security.fileuri.strict_origin_policy for reftests, and that pref is becoming less dynamically-toggleable per bug 1286798 comment 180, so we can't turn it back on for specific tests.
So I guess a generalized cross-origin mochitest is still a nice-to-have, but it's a shame that we're losing the extra-robustness of testing specifically file URI's same-origin checks. :-/ Hopefully we've got some tests somewhere that cover some aspect of that.
Comment 4 • 6 years ago (Assignee)
> But it seems we may not be able to depend on file:// URIs enforcing the cross-origin security checks anymore,
...in automated tests, I mean (we can and do depend on it in "real" Firefox, but I'm not sure how to test for it at this point).
Comment 5 • 6 years ago (Assignee)
I filed bug 1511209 on fixing our reftests to stop relying on this security pref being off, so that we can reenable filter-extref-differentOrigin-01.svg (which was just disabled in https://hg.mozilla.org/integration/mozilla-inbound/rev/bb3a3cc424cd#l2.17 as noted in comment 2).
And in this bug here, I'll plan on just writing a standard (not-using-a-file-URI) mochitest, which will do a general verification that cross-origin SVG filters don't load.
Comment 6 • 6 years ago (Assignee)
Comment 7 • 6 years ago (Assignee)
[toggling "needinfo" just to be sure this is on your radar. I'd like to land this soonish to be sure we've got test coverage for this security feature, since we just lost some test coverage per comment 2.
And/or if you don't have cycles to review this, lemme know and I'm happy to punt it to somebody else. Thanks!]
Flags: needinfo?(jwatt)
Updated • 6 years ago
Flags: needinfo?(jwatt)
Comment hidden (obsolete)
Comment 9 • 6 years ago (Assignee)
er, sorry, that was the wrong mochitest run. Here's the correct one for this bug:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=8944a0c4ea3c94d759ad85db1e2975030550d89c
Comment 10 • 6 years ago (Assignee)
Trying again with SimpleTest.waitForExplicitFinish / finish() calls:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2bbf9d09aca07f92273e00964f39e7ec53e812e6
(I'm not sure why those would be needed, since the test doesn't do anything async; but it doesn't seem to realize that it has finished without those explicit calls.)
Comment 11 • 6 years ago
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0987791fff8d
Add a mochitest to validate that cross-origin svg filters are blocked. r=jwatt
Comment 12 • 6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox66:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Comment 13 • 6 years ago
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/23c49b671bc5
followup: use pixel-valued sizes (not %) for rects in new mochitest. (no review; just tweaking a new test for robustness)
Comment 14 • 6 years ago
bugherder