Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-09-22 04:40:09 +01:00
Code Issues Projects Releases Packages Wiki Activity

Correct event_target for CSP violations (#36887)

Browse source 
All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.

Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).

Fixes #36806

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-08 12:46:31 +02:00 committed by GitHub
parent f3f4cc5500
commit b6b80d4f6f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
56 changed files with 167 additions and 193 deletions
Download patch file Download diff file Expand all files Collapse all files

9
tests/wpt/meta/MANIFEST.json vendored
View file

@ -569742,7 +569742,7 @@
]
],
"icon-blocked.sub.html": [
"cc882347a1ac7b595275c2263ef266826e6f07bd",
"4c39e5dec735c10635a603356367610d3aad3fa2",
[
null,
{}
@ -569797,6 +569797,13 @@
{}
]
],
"img-src-targeting.html": [
"3b4fe7c690b0b980a9626de0deb02c8950f5d4a0",
[
null,
{}
]
],
"img-src-wildcard-allowed.html": [
"050a4d14100bb1ef719d6700bfbd37a97424af59",
[

9
tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.ini vendored
View file

@ -1,13 +1,4 @@
[script-tag.http.html]
[Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
expected: FAIL

9
tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.ini vendored
View file

@ -1,13 +1,4 @@
[script-tag.https.html]
[Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
expected: FAIL

9
tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html.ini vendored
View file

@ -1,13 +1,4 @@
[script-tag.http.html]
[Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
expected: FAIL

9
tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html.ini vendored
View file

@ -1,13 +1,4 @@
[script-tag.https.html]
[Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
expected: FAIL

13
tests/wpt/meta/content-security-policy/navigation/to-javascript-url-script-src.html.ini vendored
View file

@ -1,13 +0,0 @@
[to-javascript-url-script-src.html]
expected: TIMEOUT
[<iframe src='javascript:'> blocked without 'unsafe-inline'.]
expected: TIMEOUT
[<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.]
expected: NOTRUN
[<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document]
expected: NOTRUN
[<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.]
expected: NOTRUN

6
tests/wpt/meta/content-security-policy/reporting/report-original-url.sub.html.ini vendored
View file

@ -1,11 +1,5 @@
[report-original-url.sub.html]
expected: TIMEOUT
[Direct block, same-origin = full URL in report]
expected: TIMEOUT
[Direct block, cross-origin = full URL in report]
expected: TIMEOUT
[Block after redirect, same-origin = original URL in report]
expected: TIMEOUT

4
tests/wpt/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini vendored
View file

@ -1,4 +0,0 @@
[script-src-report-only-policy-works-with-hash-policy.html]
expected: TIMEOUT
[Test that the securitypolicyviolation event is fired]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/securitypolicyviolation/blockeduri-eval.html.ini vendored
View file

@ -1,4 +0,0 @@
[blockeduri-eval.html]
expected: TIMEOUT
[Eval violations have a blockedURI of 'eval']
expected: TIMEOUT

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini vendored
View file

@ -1,4 +1,3 @@
[blockeduri-inline.html]
expected: TIMEOUT
[Inline violations have a blockedURI of 'inline']
expected: TIMEOUT
expected: FAIL

12
tests/wpt/meta/content-security-policy/securitypolicyviolation/blockeduri-ws-wss-scheme.html.ini vendored
View file

@ -1,13 +1,3 @@
[blockeduri-ws-wss-scheme.html]
expected: TIMEOUT
[ws]
expected: FAIL
[wss]
expected: FAIL
[cross-origin]
expected: FAIL
[redirect]
expected: TIMEOUT
expected: FAIL

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/linenumber.tentative.html.ini vendored
View file

@ -1,4 +1,3 @@
[linenumber.tentative.html]
expected: TIMEOUT
[linenumber]
expected: NOTRUN
expected: FAIL

8
tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini vendored
View file

@ -1,13 +1,7 @@
[script-sample-no-opt-in.html]
expected: TIMEOUT
[Inline script should not have a sample.]
[JavaScript URLs in iframes should not have a sample.]
expected: TIMEOUT
[Inline event handlers should not have a sample.]
expected: TIMEOUT
[JavaScript URLs in iframes should not have a sample.]
expected: TIMEOUT
[eval()-alikes should not have a sample.]
expected: TIMEOUT

14
tests/wpt/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini vendored
View file

@ -1,19 +1,7 @@
[script-sample.html]
expected: TIMEOUT
[Inline script should have a sample.]
[JavaScript URLs in iframes should have a sample.]
expected: TIMEOUT
[Inline event handlers should have a sample.]
expected: TIMEOUT
[JavaScript URLs in iframes should have a sample.]
expected: TIMEOUT
[eval() should have a sample.]
expected: TIMEOUT
[setInterval() should have a sample.]
expected: TIMEOUT
[setTimeout() should have a sample.]
expected: TIMEOUT

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html.ini vendored
View file

@ -1,4 +1,3 @@
[source-file-blob-scheme.html]
expected: TIMEOUT
[Violations from data:-URL scripts have a sourceFile of 'blob']
expected: TIMEOUT
expected: FAIL

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/source-file-data-scheme.html.ini vendored
View file

@ -1,4 +1,3 @@
[source-file-data-scheme.html]
expected: TIMEOUT
[Violations from data:-URL scripts have a sourceFile of 'data']
expected: TIMEOUT
expected: FAIL

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-sample-no-opt-in.html]
expected: TIMEOUT
[Inline style blocks should not have a sample.]
expected: TIMEOUT
[Inline style attributes should not have a sample.]
expected: TIMEOUT

3
tests/wpt/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-sample.html]
expected: TIMEOUT
[Inline style blocks should have a sample.]
expected: TIMEOUT
[Inline style attributes should have a sample.]
expected: TIMEOUT

5
tests/wpt/meta/content-security-policy/securitypolicyviolation/targeting.html.ini vendored
View file

@ -4,13 +4,10 @@
expected: NOTRUN
[Inline violations target the right element.]
expected: TIMEOUT
expected: FAIL
[Correct targeting inside shadow tree (inline handler).]
expected: TIMEOUT
[Correct targeting inside shadow tree (style).]
expected: TIMEOUT
[Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document.]
expected: TIMEOUT

4
tests/wpt/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-hash-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-imported-style-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-imported-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-injected-inline-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-injected-stylesheet-blocked.sub.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-inline-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-src-inline-style-nonce-blocked-error-event.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN
[Test that paragraph remains unmodified and error events received.]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-inline-style-nonce-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-none-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-none-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

4
tests/wpt/meta/content-security-policy/style-src/style-src-stylesheet-nonce-blocked.html.ini vendored
View file

@ -1,4 +0,0 @@
[style-src-stylesheet-nonce-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

10
tests/wpt/meta/fetch/metadata/report.https.sub.html.ini vendored
View file

@ -1,2 +1,10 @@
[report.https.sub.html]
expected: TIMEOUT
expected: ERROR
[same-origin report]
expected: TIMEOUT
[same-site report]
expected: TIMEOUT
[cross-site report]
expected: TIMEOUT

4
tests/wpt/meta/trusted-types/default-policy.html.ini vendored
View file

@ -1,7 +1,7 @@
[default-policy.html]
expected: TIMEOUT
expected: OK
[Count SecurityPolicyViolation events.]
expected: TIMEOUT
expected: FAIL
[div.innerHTML no default policy]
expected: FAIL

4
tests/wpt/meta/trusted-types/empty-default-policy.html.ini vendored
View file

@ -1,7 +1,7 @@
[empty-default-policy.html]
expected: TIMEOUT
expected: OK
[Count SecurityPolicyViolation events.]
expected: TIMEOUT
expected: FAIL
[div.innerHTML default]
expected: FAIL

3
tests/wpt/meta/wasm/webapi/esm-integration/script-src-blocks-wasm.tentative.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[script-src-blocks-wasm.tentative.sub.html]
[Importing a WebAssembly module should be guarded by script-src CSP.]
expected: FAIL

1
tests/wpt/tests/content-security-policy/img-src/icon-blocked.sub.html vendored
View file

@ -12,6 +12,7 @@
var t_spv = async_test("Test that spv event is fired");
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
assert_equals(e.violatedDirective, 'img-src');
assert_equals(e.target, document);
assert_true(e.blockedURI.endsWith('/support/fail.png'));
}));

24
tests/wpt/tests/content-security-policy/img-src/img-src-targeting.html vendored Normal file
View file

@ -0,0 +1,24 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none';">
<script src='/resources/testharness.js'></script>
<script src='/resources/testharnessreport.js'></script>
</head>
<body>
<p>Check that img-src sets correct target</p>
<script>
var t = async_test("Test that image does not load");
var t_spv = async_test("Test that spv event is fired");
window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
assert_equals(e.violatedDirective, 'img-src');
assert_equals(e.target, document);
assert_true(e.blockedURI.endsWith('/support/fail.png'));
}));
</script>
<img src='/content-security-policy/support/fail.png'
onload='t.step(function() { assert_unreached("Image should not have loaded"); t.done(); });'
onerror='t.done();'>
</body>
</html>