Correct event_target for CSP violations (#36887)

All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.

Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).

Fixes #36806

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Tim van der Lippe 2025-05-08 12:46:31 +02:00 committed by GitHub
parent f3f4cc5500
commit b6b80d4f6f
GPG key ID: B5690EEEBB952194
56 changed files with 167 additions and 193 deletions

@ -1,13 +1,4 @@
[script-tag.http.html]
[Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
expected: FAIL
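
Review bot: The new side of this hunk is only four lines (`+1,4`), so one of the `expected: FAIL` entries for script-tag.http.html is kept, and nothing in the hunk or the commit message says why that redirect case still fails once the event target is corrected. Reference a follow-up issue for the remaining expectation so it is not later mistaken for a stale entry.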

@ -1,13 +1,4 @@
[script-tag.https.html]
[Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
expected: FAIL

@ -1,13 +1,4 @@
[script-tag.http.html]
[Content Security Policy: Expects blocked for script-tag to cross-http origin and keep-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and no-redirect redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-http origin and swap-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
expected: FAIL

@ -1,13 +1,4 @@
[script-tag.https.html]
[Content Security Policy: Expects blocked for script-tag to cross-https origin and keep-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and no-redirect redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to cross-https origin and swap-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
expected: FAIL

@ -1,13 +0,0 @@
[to-javascript-url-script-src.html]
expected: TIMEOUT
[<iframe src='javascript:'> blocked without 'unsafe-inline'.]
expected: TIMEOUT
[<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.]
expected: NOTRUN
[<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document]
expected: NOTRUN
[<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.]
expected: NOTRUN
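
Review bot: Missing documentation for the `+0,0` deletion here: every expectation for to-javascript-url-script-src.html is dropped, including the three `javascript:` navigation subtests that were NOTRUN, yet the commit message only mentions `icon-blocked.sub.html`. Add a line to the message saying that the target fix is what lets these previously timing-out CSP tests complete, so the metadata removals can be tied back to the code change.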

@ -1,11 +1,5 @@
[report-original-url.sub.html]
expected: TIMEOUT
[Direct block, same-origin = full URL in report]
expected: TIMEOUT
[Direct block, cross-origin = full URL in report]
expected: TIMEOUT
[Block after redirect, same-origin = original URL in report]
expected: TIMEOUT

@ -1,4 +0,0 @@
[script-src-report-only-policy-works-with-hash-policy.html]
expected: TIMEOUT
[Test that the securitypolicyviolation event is fired]
expected: NOTRUN

@ -1,4 +0,0 @@
[blockeduri-eval.html]
expected: TIMEOUT
[Eval violations have a blockedURI of 'eval']
expected: TIMEOUT

@ -1,4 +1,3 @@
[blockeduri-inline.html]
expected: TIMEOUT
[Inline violations have a blockedURI of 'inline']
expected: TIMEOUT
expected: FAIL
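
Review bot: The subtest "Inline violations have a blockedURI of 'inline'" moves from `expected: TIMEOUT` to `expected: FAIL` instead of being removed, so the test now completes but its check on the reported blockedURI still fails. Link a tracking issue for that remaining failure, since blockedURI is a field that violation-report consumers rely on.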

@ -1,13 +1,3 @@
[blockeduri-ws-wss-scheme.html]
expected: TIMEOUT
[ws]
expected: FAIL
[wss]
expected: FAIL
[cross-origin]
expected: FAIL
[redirect]
expected: TIMEOUT
expected: FAIL

@ -1,4 +1,3 @@
[linenumber.tentative.html]
expected: TIMEOUT
[linenumber]
expected: NOTRUN
expected: FAIL

@ -1,13 +1,7 @@
[script-sample-no-opt-in.html]
expected: TIMEOUT
[Inline script should not have a sample.]
[JavaScript URLs in iframes should not have a sample.]
expected: TIMEOUT
[Inline event handlers should not have a sample.]
expected: TIMEOUT
[JavaScript URLs in iframes should not have a sample.]
expected: TIMEOUT
[eval()-alikes should not have a sample.]
expected: TIMEOUT
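
Review bot: "[JavaScript URLs in iframes should not have a sample.]" appears twice in this hunk with `expected: TIMEOUT` after it each time, which reads as the entry being moved rather than dropped, so that case still times out in script-sample-no-opt-in.html. A TIMEOUT expectation keeps the test running to its full timeout on every run; note the follow-up issue for the `javascript:` URL case in the commit message.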

@ -1,19 +1,7 @@
[script-sample.html]
expected: TIMEOUT
[Inline script should have a sample.]
[JavaScript URLs in iframes should have a sample.]
expected: TIMEOUT
[Inline event handlers should have a sample.]
expected: TIMEOUT
[JavaScript URLs in iframes should have a sample.]
expected: TIMEOUT
[eval() should have a sample.]
expected: TIMEOUT
[setInterval() should have a sample.]
expected: TIMEOUT
[setTimeout() should have a sample.]
expected: TIMEOUT

@ -1,4 +1,3 @@
[source-file-blob-scheme.html]
expected: TIMEOUT
[Violations from data:-URL scripts have a sourceFile of 'blob']
expected: TIMEOUT
expected: FAIL

@ -1,4 +1,3 @@
[source-file-data-scheme.html]
expected: TIMEOUT
[Violations from data:-URL scripts have a sourceFile of 'data']
expected: TIMEOUT
expected: FAIL

@ -1,7 +1,4 @@
[style-sample-no-opt-in.html]
expected: TIMEOUT
[Inline style blocks should not have a sample.]
expected: TIMEOUT
[Inline style attributes should not have a sample.]
expected: TIMEOUT

@ -1,7 +1,4 @@
[style-sample.html]
expected: TIMEOUT
[Inline style blocks should have a sample.]
expected: TIMEOUT
[Inline style attributes should have a sample.]
expected: TIMEOUT

@ -4,13 +4,10 @@
expected: NOTRUN
[Inline violations target the right element.]
expected: TIMEOUT
expected: FAIL
[Correct targeting inside shadow tree (inline handler).]
expected: TIMEOUT
[Correct targeting inside shadow tree (style).]
expected: TIMEOUT
[Elements created in this document, but pushed into a same-origin frame trigger on that frame's document, not on this frame's document.]
expected: TIMEOUT
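
Review bot: "Inline violations target the right element." ends up with `expected: FAIL` beside its old `expected: TIMEOUT`, so the subtest that most directly exercises this commit's event target change still does not pass, and the `+4,10` count means TIMEOUT entries for the shadow-tree or cross-frame cases below it remain as well. State in the commit message which targeting cases `report_csp_violations` does not yet cover, or link the issue that tracks them.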

@ -1,4 +0,0 @@
[style-src-hash-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-imported-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-injected-inline-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-injected-stylesheet-blocked.sub.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-inline-style-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,7 +1,4 @@
[style-src-inline-style-nonce-blocked-error-event.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN
[Test that paragraph remains unmodified and error events received.]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-inline-style-nonce-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-none-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN

@ -1,4 +0,0 @@
[style-src-stylesheet-nonce-blocked.html]
expected: TIMEOUT
[Should fire a securitypolicyviolation event]
expected: NOTRUN