[wpt-sync] Sync PR 21321 - Remove instances of 'whitelist' in content-security-policy/
Categories
(Core :: DOM: Security, task, P4)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox77 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
References
()
Details
(Whiteboard: [wptsync downstream][domsecurity-backlog])
Sync web-platform-tests PR 21321 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/21321
Details from upstream follow.
Stephen McGruer <smcgruer@chromium.org> wrote:
Remove instances of 'whitelist' in content-security-policy/
|
Assignee | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
|
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
|
Assignee | |
Comment 5•5 years ago
|
||
|
|
Assignee | |
Comment 6•5 years ago
|
||
CI Results
Ran 13 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 79 tests
Status Summary
Firefox
OK : 11
PASS : 28[GitHub] 95[Gecko-android-em-7.0-x86_64-debug-geckoview, Gecko-android-em-7.0-x86_64-opt-geckoview, Gecko-linux1804-64-asan-opt, Gecko-linux1804-64-debug, Gecko-linux1804-64-opt, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-windows10-64-debug, Gecko-windows10-64-opt, Gecko-windows10-64-qr-debug, Gecko-windows10-64-qr-opt, Gecko-windows7-32-debug, Gecko-windows7-32-opt]
FAIL : 11
TIMEOUT: 2
Chrome
OK : 10
PASS : 38
FAIL : 1
TIMEOUT: 2
ERROR : 1
Safari
OK : 9
PASS : 21
FAIL : 14
TIMEOUT: 7
NOTRUN : 1
Links
Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base
Details
New Tests That Don't Pass
/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html
Allowed scripts without a correct nonce are not permitted with strict-dynamic.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/style-src/stylenonce-allowed.sub.html
Should fire securitypolicyviolation: FAIL (Chrome: PASS, Safari: NOTRUN)
/content-security-policy/script-src/script-src-sri_hash.sub.html
matching plus unsupported integrity: FAIL (Chrome: PASS, Safari: FAIL)
External script in a script tag with matching SRI hash should run.: FAIL (Chrome: PASS, Safari: FAIL)
matching integrity: FAIL (Chrome: PASS, Safari: FAIL)
multiple matching integrity: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/embedded-enforcement/subsumption_algorithm-unsafe_inline.html
Effective returned csp allows 'unsafe-inline': FAIL (Chrome: PASS, Safari: FAIL)
Required csp does not allow unsafe-inline, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Required csp allows strict-dynamic, but retuned csp does.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a nonce.: FAIL (Chrome: PASS, Safari: FAIL)
Returned csp allows a hash.: FAIL (Chrome: PASS, Safari: FAIL)
/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.html: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
Non-allowed script injected via appendChild is not permitted with strict-dynamic + a nonce+allowed double policy.: TIMEOUT (Chrome: TIMEOUT, Safari: TIMEOUT)
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/acd05c459589
https://hg.mozilla.org/mozilla-central/rev/98fde366f022
Description
•