Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-06 14:10:11 +01:00
Code Issues Projects Releases Packages Wiki Activity

Propagate parent policy container to local iframes (#36710)

Browse source 
This follows the rules as defined in
https://w3c.github.io/webappsec-csp/#security-inherit-csp
where local iframes (about:blank and about:srcdoc) should
initially start with the CSP rules of the parent. After
that, all new CSP headers should only be set on the
policy container of the iframe.

Part of #36437

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-03 10:47:40 +02:00 committed by GitHub
parent 4164f76769
commit 539ca27284
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 45 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/wpt/meta/content-security-policy/inheritance/document-write-iframe.html.ini vendored
View file

@ -1,3 +0,0 @@
[document-write-iframe.html]
[document.open() keeps inherited CSPs on empty iframe.]
expected: FAIL

24
tests/wpt/meta/content-security-policy/inheritance/iframe-all-local-schemes.sub.html.ini vendored
View file

@ -1,30 +1,6 @@
[iframe-all-local-schemes.sub.html]
[<iframe>'s about:blank inherits policy.]
expected: FAIL
[window about:blank inherits policy.]
expected: FAIL
[<iframe srcdoc>'s inherits policy.]
expected: FAIL
[<iframe src='blob:...'>'s inherits policy.]
expected: FAIL
[window url='blob:...' inherits policy.]
expected: FAIL
[<iframe src='data:...'>'s inherits policy.]
expected: FAIL
[<iframe src='javascript:...'>'s inherits policy (static <img> is blocked)]
expected: FAIL
[window url='javascript:...'>'s inherits policy (static <img> is blocked)]
expected: FAIL
[<iframe src='javascript:...'>'s inherits policy (dynamically inserted <img> is blocked)]
expected: FAIL
[<iframe sandbox src='blob:...'>'s inherits policy. (opaque origin sandbox)]
expected: FAIL

3
tests/wpt/meta/content-security-policy/inheritance/iframe-srcdoc-inheritance.html.ini vendored
View file

@ -1,7 +1,4 @@
[iframe-srcdoc-inheritance.html]
expected: TIMEOUT
[First image should be blocked]
expected: FAIL
[Second image should be blocked]
expected: NOTRUN

9
tests/wpt/meta/content-security-policy/inheritance/location-reload.html.ini vendored
View file

@ -1,9 +1,4 @@
[location-reload.html]
[location.reload() of empty iframe.]
expected: FAIL
[location.reload() of blob URL iframe.]
expected: FAIL
expected: TIMEOUT
[location.reload() of srcdoc iframe.]
expected: FAIL
expected: TIMEOUT

7
tests/wpt/meta/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp.html.ini vendored
View file

@ -1,10 +1,10 @@
[to-javascript-parent-initiated-parent-csp.html]
expected: TIMEOUT
[Should not have executed the javascript url for\n iframe.contentWindow.location.href]
expected: FAIL
expected: TIMEOUT
[Should not have executed the javascript url for\n otherTab.location.href]
expected: TIMEOUT
expected: NOTRUN
[Should not have executed the javascript url for\n area[target=iframe\].href]
expected: NOTRUN
@ -17,3 +17,6 @@
[Should not have executed the javascript url for\n a[target=iframe\].href]
expected: NOTRUN
[Should not have executed the javascript url for\n iframe.src]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[srcdoc-doesnt-bypass-script-src.sub.html]
[Expecting logs: ["violated-directive=script-src-elem"\]]
expected: FAIL

3
tests/wpt/meta/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html.ini vendored
View file

@ -1,3 +0,0 @@
[eval-blocked-in-about-blank-iframe.html]
[eval-blocked-in-about-blank-iframe]
expected: FAIL