diff --git a/Cargo.lock b/Cargo.lock index 4de05aa416e..4928ea1be00 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1232,7 +1232,7 @@ dependencies = [ [[package]] name = "content-security-policy" version = "0.5.4" -source = "git+https://github.com/servo/rust-content-security-policy/?branch=servo-csp#827eea44ec0f3d91457d1c0467881cb4f9752520" +source = "git+https://github.com/servo/rust-content-security-policy/?branch=servo-csp#81f95254fbfe98dd6e130260fd872cf950de9fcd" dependencies = [ "base64 0.22.1", "bitflags 2.9.0", diff --git a/Cargo.toml b/Cargo.toml index cd2cbb54b63..21bc94bcfda 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -243,3 +243,7 @@ codegen-units = 1 # # [patch."https://github.com/servo/"] # = { path = "/path/to/local/checkout" } +# +# [patch."https://github.com/servo/rust-content-security-policy"] +# content-security-policy = { path = "../rust-content-security-policy/" } +# content-security-policy = { git = "https://github.com/timvdlippe/rust-content-security-policy/", branch = "fix-report-checks", features = ["serde"] } diff --git a/components/net/fetch/methods.rs b/components/net/fetch/methods.rs index 53bc2817292..b1ad01b81e0 100644 --- a/components/net/fetch/methods.rs +++ b/components/net/fetch/methods.rs @@ -23,8 +23,8 @@ use net_traits::http_status::HttpStatus; use net_traits::policy_container::{PolicyContainer, RequestPolicyContainer}; use net_traits::request::{ BodyChunkRequest, BodyChunkResponse, CredentialsMode, Destination, Initiator, - InsecureRequestsPolicy, Origin, RedirectMode, Referrer, Request, RequestMode, ResponseTainting, - Window, is_cors_safelisted_method, is_cors_safelisted_request_header, + InsecureRequestsPolicy, Origin, ParserMetadata, RedirectMode, Referrer, Request, RequestMode, + ResponseTainting, Window, is_cors_safelisted_method, is_cors_safelisted_request_header, }; use net_traits::response::{Response, ResponseBody, ResponseType}; use net_traits::{ 
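Review bot: The second commented-out override added under `[patch."https://github.com/servo/rust-content-security-policy"]` points at a personal fork and a moving branch (`timvdlippe/rust-content-security-policy`, `fix-report-checks`), which reads like a leftover from developing this change rather than a template. This crate makes the CSP allow/block decisions, so an example that invites swapping it for unpinned fork code is better left out of the workspace manifest; the local-checkout line `# content-security-policy = { path = "../rust-content-security-policy/" }` is enough and matches the generic example above it. The two lines also define the same key, so uncommenting the block as written would not parse. If a git example is wanted, mark the lines as alternatives and pin it with `rev = "<commit>"`.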
@@ -169,6 +169,29 @@ pub async fn fetch_with_cors_cache( // TODO: We don't implement fetchParams as defined in the spec } +fn convert_request_to_csp_request(request: &Request, origin: &ImmutableOrigin) -> csp::Request { + csp::Request { + url: request.url().into_url(), + origin: origin.clone().into_url_origin(), + redirect_count: request.redirect_count, + destination: request.destination, + initiator: match request.initiator { + Initiator::Download => csp::Initiator::Download, + Initiator::ImageSet => csp::Initiator::ImageSet, + Initiator::Manifest => csp::Initiator::Manifest, + Initiator::Prefetch => csp::Initiator::Prefetch, + _ => csp::Initiator::None, + }, + nonce: request.cryptographic_nonce_metadata.clone(), + integrity_metadata: request.integrity_metadata.clone(), + parser_metadata: match request.parser_metadata { + ParserMetadata::ParserInserted => csp::ParserMetadata::ParserInserted, + ParserMetadata::NotParserInserted => csp::ParserMetadata::NotParserInserted, + ParserMetadata::Default => csp::ParserMetadata::None, + }, + } +} + /// pub fn should_request_be_blocked_by_csp( request: &Request, @@ -178,17 +201,7 @@ pub fn should_request_be_blocked_by_csp( Origin::Client => return (csp::CheckResult::Allowed, Vec::new()), Origin::Origin(origin) => origin, }; - - let csp_request = csp::Request { - url: request.url().into_url(), - origin: origin.clone().into_url_origin(), - redirect_count: request.redirect_count, - destination: request.destination, - initiator: csp::Initiator::None, - nonce: request.cryptographic_nonce_metadata.clone(), - integrity_metadata: request.integrity_metadata.clone(), - parser_metadata: csp::ParserMetadata::None, - }; + let csp_request = convert_request_to_csp_request(request, origin); policy_container .csp_list 
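Review bot: The `initiator` match in `convert_request_to_csp_request` ends in `_ => csp::Initiator::None`, so any `Initiator` variant added to net_traits later is silently treated as "no initiator" by the CSP checks, while the `parser_metadata` match right below it is exhaustive. Naming the remaining variants in the last arm instead of `_` would make the compiler flag a new variant. The helper also has no doc comment; something like `/// Builds the csp crate's view of a fetch request; initiators the csp crate does not model map to csp::Initiator::None.` would record that the lossy mapping is intended.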
@@ -197,6 +210,24 @@ pub fn should_request_be_blocked_by_csp( .unwrap_or((csp::CheckResult::Allowed, Vec::new())) } +/// +pub fn report_violations_for_request_by_csp( + request: &Request, + policy_container: &PolicyContainer, +) -> Vec { + let origin = match &request.origin { + Origin::Client => return Vec::new(), + Origin::Origin(origin) => origin, + }; + let csp_request = convert_request_to_csp_request(request, origin); + + policy_container + .csp_list + .as_ref() + .map(|c| c.report_violations_for_request(&csp_request)) + .unwrap_or_default() +} + /// [Main fetch](https://fetch.spec.whatwg.org/#concept-main-fetch) pub async fn main_fetch( fetch_params: &mut FetchParams, @@ -232,9 +263,6 @@ pub async fn main_fetch( ))); } - // Step 2.2. - // TODO: Report violations. - // The request should have a valid policy_container associated with it. // TODO: This should not be `Client` here let policy_container = match &request.policy_container { @@ -242,6 +270,13 @@ pub async fn main_fetch( RequestPolicyContainer::PolicyContainer(container) => container.to_owned(), }; + // Step 2.2. + let violations = report_violations_for_request_by_csp(request, &policy_container); + + if !violations.is_empty() { + target.process_csp_violations(request, violations); + } + // Step 3. // TODO: handle request abort. diff --git a/components/script/dom/globalscope.rs b/components/script/dom/globalscope.rs index 77d1ee37c03..b3345b90fc0 100644 --- a/components/script/dom/globalscope.rs +++ b/components/script/dom/globalscope.rs @@ -2422,7 +2422,8 @@ impl GlobalScope { headers: &Option>, ) -> Option { // TODO: Implement step 1 (local scheme special case) - let mut csp = headers.as_ref()?.get_all("content-security-policy").iter(); + let headers = headers.as_ref()?; + let mut csp = headers.get_all("content-security-policy").iter(); // This silently ignores the CSP if it contains invalid Unicode. // We should probably report an error somewhere. let c = csp.next().and_then(|c| c.to_str().ok())?; 
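Review bot: `report_violations_for_request_by_csp` returns an empty list for `Origin::Client` without saying why, so report-only policies produce no reports for any request that reaches Step 2.2 of main fetch with that origin. The same early return exists in `should_request_be_blocked_by_csp`, and both functions now repeat the origin match before calling `convert_request_to_csp_request`; moving the match into the helper and returning `Option<csp::Request>` would keep the two paths from drifting apart. At minimum a comment on the arm, e.g. `// Origin not resolved yet: nothing to compare against, so nothing is reported`, would make the skipped case visible. Whether `Client` can still occur at this point is not visible from the hunk.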
@@ -2435,6 +2436,19 @@ impl GlobalScope { PolicyDisposition::Enforce, )); } + let csp_report = headers + .get_all("content-security-policy-report-only") + .iter(); + // This silently ignores the CSP if it contains invalid Unicode. + // We should probably report an error somewhere. + for c in csp_report { + let c = c.to_str().ok()?; + csp_list.append(CspList::parse( + c, + PolicySource::Header, + PolicyDisposition::Report, + )); + } Some(csp_list) } @@ -2822,36 +2836,16 @@ impl GlobalScope { })) } - #[allow(unsafe_code)] - pub(crate) fn is_js_evaluation_allowed(&self, cx: SafeJSContext) -> bool { + pub(crate) fn is_js_evaluation_allowed(&self, source: &str) -> bool { let Some(csp_list) = self.get_csp_list() else { return true; }; - let scripted_caller = unsafe { describe_scripted_caller(*cx) }.unwrap_or_default(); - let is_js_evaluation_allowed = csp_list.is_js_evaluation_allowed() == CheckResult::Allowed; + let (is_js_evaluation_allowed, violations) = csp_list.is_js_evaluation_allowed(source); - if !is_js_evaluation_allowed { - // FIXME: Don't fire event if `script-src` and `default-src` - // were not passed. - for policy in csp_list.0 { - let report = CSPViolationReportBuilder::default() - .resource("eval".to_owned()) - .effective_directive("script-src".to_owned()) - .report_only(policy.disposition == PolicyDisposition::Report) - .source_file(scripted_caller.filename.clone()) - .line_number(scripted_caller.line) - .column_number(scripted_caller.col) - .build(self); - let task = CSPViolationReportTask::new(self, report); + self.report_csp_violations(violations); - self.task_manager() - .dom_manipulation_task_source() - .queue(task); - } - } - - is_js_evaluation_allowed + is_js_evaluation_allowed == CheckResult::Allowed } pub(crate) fn create_image_bitmap( 
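Review bot: In the new report-only loop, `let c = c.to_str().ok()?;` returns `None` from the whole function, so a single `content-security-policy-report-only` value that fails `to_str()` discards the enforced policies already appended to `csp_list` and the caller receives no list at all. A malformed report-only header should cost at most that one policy: `let Ok(c) = c.to_str() else { continue };`. Separately, the context of the previous hunk shows `let c = csp.next().and_then(|c| c.to_str().ok())?;` ahead of this code, so a response that carries only the report-only header appears to return early and never reach this loop; the rest of the function is outside the hunk, so that is worth confirming with a test. The copied comment should also say "this report-only policy" rather than "the CSP".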
@@ -3464,10 +3458,13 @@ impl GlobalScope { unreachable!(); } + #[allow(unsafe_code)] pub(crate) fn report_csp_violations(&self, violations: Vec) { + let scripted_caller = + unsafe { describe_scripted_caller(*GlobalScope::get_cx()) }.unwrap_or_default(); for violation in violations { let (sample, resource) = match violation.resource { - ViolationResource::Inline { .. } => (None, "inline".to_owned()), + ViolationResource::Inline { sample } => (sample, "inline".to_owned()), ViolationResource::Url(url) => (None, url.into()), ViolationResource::TrustedTypePolicy { sample } => { (Some(sample), "trusted-types-policy".to_owned()) @@ -3475,6 +3472,8 @@ impl GlobalScope { ViolationResource::TrustedTypeSink { sample } => { (Some(sample), "trusted-types-sink".to_owned()) }, + ViolationResource::Eval { sample } => (sample, "eval".to_owned()), + ViolationResource::WasmEval => (None, "wasm-eval".to_owned()), }; let report = CSPViolationReportBuilder::default() .resource(resource) @@ -3482,6 +3481,9 @@ impl GlobalScope { .effective_directive(violation.directive.name) .original_policy(violation.policy.to_string()) .report_only(violation.policy.disposition == PolicyDisposition::Report) + .source_file(scripted_caller.filename.clone()) + .line_number(scripted_caller.line) + .column_number(scripted_caller.col + 1) .build(self); let task = CSPViolationReportTask::new(self, report); self.task_manager() diff --git a/components/script/script_runtime.rs b/components/script/script_runtime.rs index d6832a644ec..1f05c15d74e 100644 --- a/components/script/script_runtime.rs +++ b/components/script/script_runtime.rs @@ -19,7 +19,7 @@ use std::time::{Duration, Instant}; use std::{os, ptr, thread}; use background_hang_monitor_api::ScriptHangAnnotation; -use content_security_policy::{CheckResult, PolicyDisposition}; +use content_security_policy::CheckResult; use js::conversions::jsstr_to_string; use js::glue::{ CollectServoSizes, CreateJobQueue, DeleteJobQueue, DispatchableRun, JobQueueTraps, 
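Review bot: `report_csp_violations` now makes the `unsafe` call `describe_scripted_caller(*GlobalScope::get_cx())` before looking at `violations`, and both new callers in this commit (`is_js_evaluation_allowed` and `content_security_policy_allows`) invoke it unconditionally, so the allowed case does that work for nothing. Start the function with `if violations.is_empty() { return; }` and give the block a `// SAFETY:` comment stating what makes the context pointer valid at this call site. The location is also attached to every violation kind (the builder calls are in the third hunk of this function), including `ViolationResource::Url`. If those can come from fetches rather than from running script, the report would carry the position of whatever script is on the stack, or the defaults with column 1 after the `+ 1`, which deserves a comment or a per-kind decision.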
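Review bot: The `Eval { sample }` arm here and the changed `Inline { sample }` arm in the previous hunk pass the crate's sample straight into the report, and after this commit the eval sample derives from the full string handed to `is_js_evaluation_allowed(source)`. CSP includes a sample only when the violated directive carries `'report-sample'`, and limits it to the first 40 characters, because reports leave the page for a reporting endpoint and script text can contain secrets. Nothing in the visible lines enforces either rule, so please confirm the content-security-policy crate does both and record that on the match, e.g. `// sample is already gated on 'report-sample' and truncated by the csp crate`.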
@@ -45,7 +45,7 @@ pub(crate) use js::rust::ThreadSafeJSContext; use js::rust::wrappers::{GetPromiseIsHandled, JS_GetPromiseResult}; use js::rust::{ Handle, HandleObject as RustHandleObject, IntoHandle, JSEngine, JSEngineHandle, ParentRuntime, - Runtime as RustRuntime, describe_scripted_caller, + Runtime as RustRuntime, }; use malloc_size_of::MallocSizeOfOps; use malloc_size_of_derive::MallocSizeOf; @@ -82,7 +82,6 @@ use crate::microtask::{EnqueuedPromiseCallback, Microtask, MicrotaskQueue}; use crate::realms::{AlreadyInRealm, InRealm}; use crate::script_module::EnsureModuleHooksInitialized; use crate::script_thread::trace_thread; -use crate::security_manager::{CSPViolationReportBuilder, CSPViolationReportTask}; use crate::task_source::SendableTaskSource; static JOB_QUEUE_TRAPS: JobQueueTraps = JobQueueTraps { @@ -373,10 +372,6 @@ unsafe extern "C" fn content_security_policy_allows( let cx = JSContext::from_ptr(cx); wrap_panic(&mut || { // SpiderMonkey provides null pointer when executing webassembly. - let sample = match sample { - sample if !sample.is_null() => Some(jsstr_to_string(*cx, *sample)), - _ => None, - }; let in_realm_proof = AlreadyInRealm::assert_for_cx(cx); let global = GlobalScope::from_context(*cx, InRealm::Already(&in_realm_proof)); let Some(csp_list) = global.get_csp_list() else { 
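Review bot: The context comment `// SpiderMonkey provides null pointer when executing webassembly.` is left behind above `let in_realm_proof = …` after the `sample` match it described was removed in the `@@ -373,10 +372,6 @@` hunk. The null check now lives in the `RuntimeCode::JS` arm added in the next hunk (`_ => ""`), so the comment should move there and say what the fallback means, for example `// sample may be null (SpiderMonkey passes null for WebAssembly); treat a missing source as empty`. `content_security_policy_allows` starts and ends outside this hunk.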
@@ -384,43 +379,19 @@ unsafe extern "C" fn content_security_policy_allows( return; }; - let is_js_evaluation_allowed = csp_list.is_js_evaluation_allowed() == CheckResult::Allowed; - let is_wasm_evaluation_allowed = - csp_list.is_wasm_evaluation_allowed() == CheckResult::Allowed; - let scripted_caller = describe_scripted_caller(*cx).unwrap_or_default(); - - let resource = match runtime_code { - RuntimeCode::JS => "eval".to_owned(), - RuntimeCode::WASM => "wasm-eval".to_owned(), + let (is_evaluation_allowed, violations) = match runtime_code { + RuntimeCode::JS => { + let source = match sample { + sample if !sample.is_null() => &jsstr_to_string(*cx, *sample), + _ => "", + }; + csp_list.is_js_evaluation_allowed(source) + }, + RuntimeCode::WASM => csp_list.is_wasm_evaluation_allowed(), }; - allowed = match runtime_code { - RuntimeCode::JS if is_js_evaluation_allowed => true, - RuntimeCode::WASM if is_wasm_evaluation_allowed => true, - _ => false, - }; - - if !allowed { - // FIXME: Don't fire event if `script-src` and `default-src` - // were not passed. - for policy in csp_list.0 { - let report = CSPViolationReportBuilder::default() - .resource(resource.clone()) - .sample(sample.clone()) - .report_only(policy.disposition == PolicyDisposition::Report) - .source_file(scripted_caller.filename.clone()) - .line_number(scripted_caller.line) - .column_number(scripted_caller.col) - .effective_directive("script-src".to_owned()) - .build(&global); - let task = CSPViolationReportTask::new(&global, report); - - global - .task_manager() - .dom_manipulation_task_source() - .queue(task); - } - } + global.report_csp_violations(violations); + allowed = is_evaluation_allowed == CheckResult::Allowed; }); allowed } diff --git a/components/script/timers.rs b/components/script/timers.rs index 244aa2df4ed..0afc3da164a 100644 --- a/components/script/timers.rs +++ b/components/script/timers.rs 
@@ -421,8 +421,7 @@ impl JsTimers { ) -> i32 { let callback = match callback { TimerCallback::StringTimerCallback(code_str) => { - let cx = GlobalScope::get_cx(); - if global.is_js_evaluation_allowed(cx) { + if global.is_js_evaluation_allowed(code_str.as_ref()) { InternalTimerCallback::StringTimerCallback(code_str) } else { return 0; diff --git a/tests/wpt/meta/content-security-policy/default-src/default-src-sri_hash.sub.html.ini b/tests/wpt/meta/content-security-policy/default-src/default-src-sri_hash.sub.html.ini index b86623fcf06..ee237b70bc4 100644 --- a/tests/wpt/meta/content-security-policy/default-src/default-src-sri_hash.sub.html.ini +++ b/tests/wpt/meta/content-security-policy/default-src/default-src-sri_hash.sub.html.ini @@ -2,8 +2,11 @@ [multiple matching integrity] expected: FAIL - [partially matching integrity] + [matching integrity] expected: FAIL - [External script in a script tag with matching SRI hash should run.] + [matching integrity (case-insensitive algorithm)] + expected: FAIL + + [matching plus unsupported integrity] expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini b/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini deleted file mode 100644 index f4f10d1a85c..00000000000 --- a/tests/wpt/meta/content-security-policy/generic/304-response-should-update-csp.sub.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[304-response-should-update-csp.sub.html] - [Test that the first frame does not use nonce def] - expected: FAIL - - [Test that the second frame does not use nonce abc] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/img-src/img-src-self-unique-origin.html.ini b/tests/wpt/meta/content-security-policy/img-src/img-src-self-unique-origin.html.ini deleted file mode 100644 index f5ccd49ccee..00000000000 --- a/tests/wpt/meta/content-security-policy/img-src/img-src-self-unique-origin.html.ini +++ /dev/null 
@@ -1,4 +0,0 @@ -[img-src-self-unique-origin.html] - expected: TIMEOUT - [Image's url must not match with 'self'. Image must be blocked.] - expected: TIMEOUT diff --git a/tests/wpt/meta/content-security-policy/resource-hints/prefetch-generate-directives.html.ini b/tests/wpt/meta/content-security-policy/resource-hints/prefetch-generate-directives.html.ini index 7843cf2984c..df10ea63fd6 100644 --- a/tests/wpt/meta/content-security-policy/resource-hints/prefetch-generate-directives.html.ini +++ b/tests/wpt/meta/content-security-policy/resource-hints/prefetch-generate-directives.html.ini @@ -1,19 +1,19 @@ [prefetch-generate-directives.html] expected: TIMEOUT [Test that script-src enabled with everything else disabled allows prefetching] - expected: FAIL + expected: TIMEOUT [Test that script-src enabled with default-src disabled allows prefetching] - expected: FAIL + expected: NOTRUN [Test that img-src enabled with everything else disabled allows prefetching] - expected: FAIL + expected: NOTRUN [Test that img-src enabled with default-src disabled allows prefetching] - expected: FAIL + expected: NOTRUN [Test that connect-src enabled with everything else disabled allows prefetching] - expected: TIMEOUT + expected: NOTRUN [Test that connect-src enabled with default-src disabled allows prefetching] expected: NOTRUN diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini deleted file mode 100644 index 6ff412416ae..00000000000 --- a/tests/wpt/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini +++ /dev/null 
@@ -1,6 +0,0 @@ -[script-src-report-only-policy-works-with-external-hash-policy.html] - [Should fire securitypolicyviolation event] - expected: FAIL - - [External script in a script tag with matching SRI hash should run.] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-sri_hash.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-sri_hash.sub.html.ini index 7ce862f5a16..3324bf91bd7 100644 --- a/tests/wpt/meta/content-security-policy/script-src/script-src-sri_hash.sub.html.ini +++ b/tests/wpt/meta/content-security-policy/script-src/script-src-sri_hash.sub.html.ini @@ -2,8 +2,11 @@ [multiple matching integrity] expected: FAIL - [partially matching integrity] + [matching integrity] expected: FAIL - [External script in a script tag with matching SRI hash should run.] + [matching integrity (case-insensitive algorithm)] + expected: FAIL + + [matching plus unsupported integrity] expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.ini deleted file mode 100644 index 63cfa444854..00000000000 --- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.ini +++ /dev/null @@ -1,3 +0,0 @@ -[script-src-strict_dynamic_discard_source_expressions.html] - [Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini deleted file mode 100644 index c9d74462151..00000000000 
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini +++ /dev/null @@ -1,3 +0,0 @@ -[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html] - [Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini index 44bc930f887..67a423f9b8a 100644 --- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini +++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini 
@@ -1,29 +1,5 @@ [script-src-strict_dynamic_parser_inserted.html] expected: TIMEOUT - [Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.] - expected: FAIL - - [Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.] - expected: TIMEOUT - [Script injected via `innerHTML` is not allowed with `strict-dynamic`.] expected: TIMEOUT diff --git a/tests/wpt/meta/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.ini b/tests/wpt/meta/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.ini index da41ac13664..f84e31682d3 100644 --- a/tests/wpt/meta/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.ini +++ b/tests/wpt/meta/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html.ini @@ -1,8 +1,5 @@ [upgrade-insecure-requests-reporting.https.html] expected: TIMEOUT - [Upgraded image is reported] - expected: TIMEOUT - [Upgraded iframe is reported] expected: TIMEOUT 
diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini deleted file mode 100644 index 097af84d4ee..00000000000 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini +++ /dev/null @@ -1,30 +0,0 @@ -[should-trusted-type-policy-creation-be-blocked-by-csp-001.html] - [single report-only policy with directive "trusted-type tt-policy-name"] - expected: FAIL - - [single report-only policy with directive "trusted-type *"] - expected: FAIL - - [single report-only policy with directive "trusted-type 'none'"] - expected: FAIL - - [single report-only policy with directive "trusted-type 'allow-duplicates'"] - expected: FAIL - - [single report-only policy with directive "trusted-type tt-policy-name 'allow-duplicates'"] - expected: FAIL - - [single report-only policy with directive "trusted-type 'none' 'allow-duplicates'"] - expected: FAIL - - [single report-only policy with directive "trusted-type 'none' tt-policy-name"] - expected: FAIL - - [single report-only policy with directive "trusted-type 'none' *"] - expected: FAIL - - [single report-only policy with directive "trusted-type tt-policy-name *"] - expected: FAIL - - [single report-only policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini index b42c980eebc..65aaf704101 100644 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini +++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini 
@@ -1,8 +1,5 @@ [should-trusted-type-policy-creation-be-blocked-by-csp-002.html] expected: TIMEOUT - [invalid tt-policy-name name "policy name"] - expected: FAIL - [invalid tt-policy-name name "policy*name"] expected: FAIL diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-003.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-003.html.ini deleted file mode 100644 index d18359a0c91..00000000000 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-003.html.ini +++ /dev/null @@ -1,15 +0,0 @@ -[should-trusted-type-policy-creation-be-blocked-by-csp-003.html] - [Multiple report-only trusted-types directives.] - expected: FAIL - - [One violated report-only trusted-types directive followed by multiple enforce directives.] - expected: FAIL - - [One violated enforce trusted-types directive followed by multiple report-only directives.] - expected: FAIL - - [Mixing enforce and report-only policies with trusted-types directives] - expected: FAIL - - [Mixing enforce and report-only policies with trusted-types directives (duplicate policy)] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-004-worker.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-004-worker.html.ini deleted file mode 100644 index e9ae8caa720..00000000000 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-004-worker.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[should-trusted-type-policy-creation-be-blocked-by-csp-004-worker.html] - [Exception and violations for CSP with multiple enforce and report-only policies.] - expected: FAIL - - [Location of trusted-types violations.] - expected: FAIL 
diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-005.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-005.html.ini deleted file mode 100644 index 7a8b7095515..00000000000 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-005.html.ini +++ /dev/null @@ -1,3 +0,0 @@ -[should-trusted-type-policy-creation-be-blocked-by-csp-005.html] - [Location of trusted-types violations.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.ini b/tests/wpt/meta/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.ini index 927b135f628..d3440d323c2 100644 --- a/tests/wpt/meta/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.ini +++ b/tests/wpt/meta/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.ini @@ -4,6 +4,3 @@ [Trusted Type violation report: evaluating a Trusted Script violates script-src.] expected: FAIL - - [Trusted Type violation report: script-src restrictions apply after the default policy runs.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting.html.ini index 8347bf66f28..27c9a258d53 100644 --- a/tests/wpt/meta/trusted-types/trusted-types-reporting.html.ini +++ b/tests/wpt/meta/trusted-types/trusted-types-reporting.html.ini @@ -1,7 +1,4 @@ [trusted-types-reporting.html] - [Trusted Type violation report: creating a forbidden policy.] - expected: FAIL - [Trusted Type violation report: creating a report-only-forbidden policy.] expected: FAIL