mirror of
https://github.com/servo/servo.git
synced 2025-08-09 15:35:34 +01:00
This turned out to be a full rabbit hole. The new header is parsed in the new `parse_csp_list_from_metadata` which sets `disposition` to `report`. I was testing this with `script-src-report-only-policy-works-with-external-hash-policy.html` which was blocking the script incorrectly. Turns out that there were multiple bugs in the CSP library, as well as a missing check in `fetch` to report violations.

Additionally, in several locations we were manually reporting csp violations, instead of the new `global.report_csp_violations`. As a result of that, they would double report, since the report-only header would be appended as a policy and now would report twice. Now, all call sites use `global.report_csp_violations`.

As a nice side-effect, I added the code to set source file information, since that was already present for the `eval` check, but nowhere else.

Part of #36437
Requires servo/rust-content-security-policy#5

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
79 lines
2.6 KiB
INI
Vendored
[prefetch-generate-directives.html]
  expected: TIMEOUT
  [Test that script-src enabled with everything else disabled allows prefetching]
    expected: TIMEOUT

  [Test that script-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that img-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that img-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that connect-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that connect-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that object-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that object-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that font-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that font-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that manifest-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that manifest-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that media-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that media-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that style-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that style-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that child-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that child-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that frame-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that frame-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that worker-src enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that worker-src enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that base-uri enabled with everything else disabled allows prefetching]
    expected: NOTRUN

  [Test that base-uri enabled with default-src disabled allows prefetching]
    expected: NOTRUN

  [Test that permissive script-src-elem supersedes script-src]
    expected: NOTRUN

  [Test that permissive script-src supersedes script-src-elem]
    expected: NOTRUN