Fix reporting when only the report-only CSP header is present (#38002)

This was a bit confusing at first, but the report-only only had an effect if it was used in conjunction with the regular CSP header. This is incorrect, as the report-only header can be present on its own. Additionally, there was double-logic for parsing the CSP list values, since we can only concatenate CSP lists if we have an initial value, which requires a concrete policy value. Therefore, abstract that way by looping over both headers and handling the case where initially it is `None` and, if the CSP header is not present, still `None` when we parse the `report-only` header. Additionally, update a WPT test. It was expecting the image to load, yet was showing the fail image. Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-09-30 16:49:16 +01:00 · 2025-07-12 12:38:30 +02:00 · 2025-07-12 12:38:30 +02:00 · 2c116f4011
commit 2c116f4011
parent 9b5b26386c
15 changed files with 48 additions and 124 deletions
--- a/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini
+++ b/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini
@ -1,16 +1,7 @@
 [dedicatedworker-report-only.html]
  expected: TIMEOUT
-  [Cross-origin 'fetch()'.]
-    expected: TIMEOUT
-
-  [Cross-origin XHR.]
-    expected: NOTRUN
-
-  [Same-origin => cross-origin 'fetch()'.]
-    expected: NOTRUN
-
  [WebSocket.]
-    expected: NOTRUN
+    expected: TIMEOUT

  [connect-src-self-report-only]
    expected: NOTRUN
--- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini
@ -1,7 +0,0 @@
-[reporting-api-report-only-sends-reports-on-violation.https.sub.html]
-  expected: TIMEOUT
-  [Event is fired]
-    expected: TIMEOUT
-
-  [Violation report status OK.]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini
@ -1,6 +0,0 @@
-[multiple-report-policies.html]
-  [2-Violation report status OK]
-    expected: FAIL
-
-  [1-Violation report status OK]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini
@ -1,6 +1,3 @@
 [report-multiple-violations-01.html]
-  [Violation report status OK.]
-    expected: FAIL
-
  [Test number of sent reports.]
    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini
@ -1,6 +1,3 @@
 [report-multiple-violations-02.html]
-  [Violation report status OK.]
-    expected: FAIL
-
  [Test number of sent reports.]
    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini
@ -1,6 +0,0 @@
-[report-only-unsafe-eval.html]
-  [SPV event is still raised]
-    expected: FAIL
-
-  [Violation report status OK.]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini
@ -1,3 +0,0 @@
-[eval-allowed-in-report-only-mode-and-sends-report.html]
-  [Violation report status OK.]
-    expected: FAIL