mirror of
https://github.com/servo/servo.git
synced 2025-09-30 08:39:16 +01:00
Update FetchTaskTarget to propagate CSP violations. (#36409)
It also updates the FetchResponseListener to process CSP violations to ensure that iframe elements (amongst others) properly generate the CSP events. These iframe elements are used in the Trusted Types tests themselves and weren't propagating the violations before.

However, the tests themselves are still not passing since they also use Websockets, which currently aren't using the fetch machinery itself. That is fixed as part of [1].

[1]: https://github.com/servo/servo/issues/35028

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
parent
5d84acc06e
commit
85e4a2b5c7
146 changed files with 511 additions and 612 deletions
|
@ -1,10 +1,6 @@
|
|||
[report-uri-does-not-respect-base-uri.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
[child-src-worker-blocked.sub.html]
|
||||
expected: ERROR
|
||||
expected: TIMEOUT
|
||||
[Should throw a securitypolicyviolation event]
|
||||
expected: TIMEOUT
|
||||
|
||||
[Should block worker because it does not match any directive including the deprecated 'child-src']
|
||||
expected: TIMEOUT
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[connect-src-syncxmlhttprequest-blocked.sub.html]
|
||||
[Expecting logs: ["Pass","violated-directive=connect-src"\]]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[connect-src-websocket-blocked.sub.html]
|
||||
[Expecting logs: ["blocked","violated-directive=connect-src"\]]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[connect-src-xmlhttprequest-blocked.sub.html]
|
||||
[Expecting logs: ["Pass","violated-directive=connect-src"\]]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[frame-ancestors-path-ignored.window.html]
|
||||
[A 'frame-ancestors' CSP directive with a URL that includes a path should be ignored.]
|
||||
expected: FAIL
|
|
@ -1,12 +1,6 @@
|
|||
[worker-classic.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-classic.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-module.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-module.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-classic.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-classic.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-classic to same-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-module.http.html]
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and keep-origin redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-http origin and no-redirect redirection from http context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,6 @@
|
|||
[worker-module.https.html]
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and keep-origin redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context.]
|
||||
expected: FAIL
|
||||
|
||||
[Content Security Policy: Expects blocked for worker-module to same-https origin and no-redirect redirection from https context.: securitypolicyviolation]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
[directive-name-case-insensitive.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that the www2 image is not allowed to load]
|
||||
expected: FAIL
|
||||
|
||||
[Test that the www2 image throws a violation event]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
[generic-0_1-img-src.html]
|
||||
expected: TIMEOUT
|
||||
[Verify cascading of default-src to img-src policy]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[generic-0_1-script-src.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[generic-0_10_1.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[generic-0_2_2.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[generic-0_2_3.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire violation events for every failed violation]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
2
tests/wpt/meta/content-security-policy/generic/wildcard-host-part.sub.window.js.ini
vendored
Normal file
|
@ -0,0 +1,2 @@
|
|||
[wildcard-host-part.sub.window.html]
|
||||
expected: CRASH
|
|
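Review bot: The "expected: CRASH" added for wildcard-host-part.sub.window.html has no tracking reference, and the commit message does not mention a crash. A crash in a CSP host-source test deserves more than a silent expectation: please link an issue (or name the cause in the commit message) so the entry is removed once the crash is fixed, and confirm whether the crash comes from the new violation-reporting path or from policy matching itself.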
@ -1,3 +0,0 @@
|
|||
[img-src-full-host-wildcard-blocked.sub.html]
|
||||
[img src does not match full host and wildcard csp directive]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[img-src-none-blocks-data-uri.html]
|
||||
[img-src with 'none' source should not match]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[img-src-none-blocks.html]
|
||||
[img-src with 'none' source should not match]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[report-blocked-data-uri.sub.html]
|
||||
[Expecting logs: ["violated-directive=img-src"\]]
|
||||
expected: FAIL
|
|
@ -1,7 +0,0 @@
|
|||
[inherited-csp-list-modifications-are-local.html]
|
||||
expected: TIMEOUT
|
||||
[Test that embedded iframe document image does not load]
|
||||
expected: FAIL
|
||||
|
||||
[Test that spv event is fired]
|
||||
expected: NOTRUN
|
|
@ -1,7 +1,3 @@
|
|||
[media-src-7_1_2.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Disallowed async video src]
|
||||
expected: FAIL
|
||||
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,10 +1,7 @@
|
|||
[media-src-7_2_2.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Disallaowed audio src]
|
||||
expected: FAIL
|
||||
|
||||
[Disallowed audio source element]
|
||||
expected: FAIL
|
||||
expected: NOTRUN
|
||||
|
||||
[Test that securitypolicyviolation events are fired]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
[media-src-blocked.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Disallowed async video src]
|
||||
expected: FAIL
|
||||
|
||||
[Disallowed async video source element]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
||||
[Disallowed audio src]
|
||||
expected: FAIL
|
||||
expected: NOTRUN
|
||||
|
||||
[Disallowed audio source element]
|
||||
expected: FAIL
|
||||
expected: NOTRUN
|
||||
|
|
|
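Review bot: The test-level "expected: TIMEOUT" and the TIMEOUT/NOTRUN subtest results in media-src-blocked.sub.html look like the new side of this hunk (12 lines before, 13 after, each listed after the FAIL it replaces), which is a step backwards from plain FAIL. With "Disallowed async video source element" timing out, both audio subtests are NOTRUN, so audio blocking under media-src is no longer exercised and a later regression there would go unnoticed. Please check why the source-element case now hangs and track it in an issue.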
@ -1,3 +0,0 @@
|
|||
[meta-img-src.html]
|
||||
[Expecting logs: ["PASS","TEST COMPLETE"\]]
|
||||
expected: FAIL
|
|
@ -1,3 +0,0 @@
|
|||
[meta-modified.html]
|
||||
[Expecting logs: ["PASS", "PASS","TEST COMPLETE"\]]
|
||||
expected: FAIL
|
|
@ -1,3 +1,4 @@
|
|||
[invalid-directive.html]
|
||||
expected: TIMEOUT
|
||||
[Even if an unknown directive is specified, img-src is honored.]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
|
|
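Review bot: "Even if an unknown directive is specified, img-src is honored." appears to move from FAIL to TIMEOUT here, with a test-level "expected: TIMEOUT" added (3 lines before, 4 after). Other img-src expectations in this commit go the other way, from TIMEOUT to FAIL or to deleted entries, so this one stands out. Please check whether the violation is lost when the policy also carries an unknown directive, and file an issue if so.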
@ -1,10 +1,6 @@
|
|||
[report-to-directive-allowed-in-meta.https.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
[reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
[reporting-api-report-to-overrides-report-uri-1.https.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
[reporting-api-report-to-overrides-report-uri-2.https.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,10 +1,6 @@
|
|||
[reporting-api-sends-reports-on-violation.https.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Test that image does not load]
|
||||
expected: NOTRUN
|
||||
|
||||
[Event is fired]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
||||
[Report is observable to ReportingObserver]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
[report-and-enforce.html]
|
||||
[The image should be blocked]
|
||||
expected: FAIL
|
||||
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
[report-same-origin-with-cookies.html]
|
||||
[Image should not load]
|
||||
expected: FAIL
|
||||
|
||||
[Violation report status OK.]
|
||||
expected: FAIL
|
||||
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[strict-dynamic-elem-blocked-src-allowed.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire a security policy violation event]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[script-src-1_10.html]
|
||||
expected: TIMEOUT
|
||||
[Test that securitypolicyviolation event is fired]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
[script-src-report-only-policy-works-with-external-hash-policy.html]
|
||||
expected: TIMEOUT
|
||||
[Should fire securitypolicyviolation event]
|
||||
expected: NOTRUN
|
||||
expected: FAIL
|
||||
|
||||
[External script in a script tag with matching SRI hash should run.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[securitypolicyviolation-block-cross-origin-image-from-script.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-redirected cross-origin URLs are not stripped.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[securitypolicyviolation-block-cross-origin-image.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-redirected cross-origin URLs are not stripped.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[securitypolicyviolation-block-image-from-script.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-redirected cross-origin URLs are not stripped.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
[securitypolicyviolation-block-image.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Non-redirected same-origin URLs are not stripped.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
[style-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Violated directive is script-src-elem.]
|
||||
expected: TIMEOUT
|
||||
expected: FAIL
|
||||
|
||||
[document.styleSheets should contain an item for the blocked CSS.]
|
||||
expected: FAIL
|
||||
|
|
|
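Review bot: "document.styleSheets should contain an item for the blocked CSS." shows up with "expected: FAIL" and was not listed before (4 lines before, 6 after), while "Violated directive is script-src-elem." only moves from TIMEOUT to FAIL. If the second subtest was simply never reached while the test timed out, say so in the commit message; if not, it is a new failure. Either way both assertions still fail after the event is propagated, so a note on what is still wrong (the reported directive, or the stylesheet entry) would help whoever picks this up.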
@ -1,7 +1,4 @@
|
|||
[style-src-error-event-fires.html]
|
||||
expected: TIMEOUT
|
||||
[Test error event fires on stylesheet link]
|
||||
expected: NOTRUN
|
||||
|
||||
[Test error event fires on inline style]
|
||||
expected: NOTRUN
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
[style-src-injected-stylesheet-blocked.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Programatically injected stylesheet should not load]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire a securitypolicyviolation event]
|
||||
expected: NOTRUN
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
[style-src-none-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Should not stylesheet when style-src is 'none']
|
||||
expected: FAIL
|
||||
|
||||
[Should fire a securitypolicyviolation event]
|
||||
expected: NOTRUN
|
||||
|
|
3
tests/wpt/meta/content-security-policy/style-src/style-src-stylesheet-nonce-allowed.html.ini
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
[style-src-stylesheet-nonce-allowed.html]
|
||||
[Stylesheet link should load with correct nonce]
|
||||
expected: FAIL
|
|
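Review bot: The FAIL added for "Stylesheet link should load with correct nonce" is on the allow path, not the block path, so it reads as a regression rather than a known gap. It suggests that either a correctly nonced stylesheet is now blocked or its load event no longer fires. Please state which it is and link a follow-up issue, since over-blocking allowed resources is the kind of CSP bug that pushes sites to loosen their policy.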
@ -1,7 +1,4 @@
|
|||
[style-src-stylesheet-nonce-blocked.html]
|
||||
expected: TIMEOUT
|
||||
[Should not load stylesheet without correct nonce]
|
||||
expected: FAIL
|
||||
|
||||
[Should fire a securitypolicyviolation event]
|
||||
expected: NOTRUN
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
[dedicated-none.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Same-origin dedicated worker blocked by host-source expression.]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
||||
[blob: dedicated worker blocked by 'blob:'.]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
|
|
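Review bot: Both subtests in dedicated-none.sub.html ("Same-origin dedicated worker blocked by host-source expression." and "blob: dedicated worker blocked by 'blob:'.") appear to go from FAIL to TIMEOUT, with a test-level TIMEOUT added (6 lines before, 7 after). The commit message covers iframes and WebSockets but says nothing about workers, so it is unclear whether a hang on blocked worker loads is expected after this change. Please confirm that a blocked worker still receives its error event, and add a tracking issue for the timeout.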
@ -1,3 +1,4 @@
|
|||
[dedicated-worker-src-child-fallback-blocked.sub.html]
|
||||
expected: TIMEOUT
|
||||
[Same-origin dedicated worker allowed by worker-src 'self'.]
|
||||
expected: FAIL
|
||||
expected: TIMEOUT
|
||||
|
|