Should "Should navigation request of type be blocked by Content Security Policy?" set the violation object's element? #687
moz-wptsync-bot pushed a commit to web-platform-tests/wpt that referenced this issue on Oct 30, 2024
…o promise-tests and remove checking the securitypolicyevent's target element.
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1919248
gecko-commit: b941985be92395c909b233ecfbba356f6d0db149
gecko-reviewers: smaug
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue on Oct 30, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
jamienicol pushed a commit to jamienicol/gecko that referenced this issue on Oct 31, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this issue on Nov 1, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
UltraBlame original commit: b941985be92395c909b233ecfbba356f6d0db149
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this issue on Nov 1, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
UltraBlame original commit: b941985be92395c909b233ecfbba356f6d0db149
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this issue on Nov 1, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
UltraBlame original commit: b941985be92395c909b233ecfbba356f6d0db149
i3roly pushed a commit to i3roly/firefox-dynasty that referenced this issue on Nov 1, 2024
…c sub-tests to promise-tests and remove checking the securitypolicyevent's target element. r=smaug
Gecko doesn't set the securitypolicyevent violation's target element, which prevented the async tests from passing with Gecko. Setting the violation's target element isn't specified (w3c/webappsec-csp#687). Promise-based tests allow removing checking the target element, because the tests are run in sequence (https://web-platform-tests.org/writing-tests/testharness-api.html#promise-tests).
Differential Revision: https://phabricator.services.mozilla.com/D227160
[1] creates and populates violation objects in steps 2.1.2 - 2.1.3 and 3.1.1.3 - 3.1.1.4. It does not set the violation object's element [2]. Consequently, when reporting the violation [3], target for the "securitypolicyviolation" event is specified to be the Window's document when the global object is a Window; by steps 2, 3.1 - 3.2 of [3].

Chrome's and WebKit's behavior differs: the element causing the violation is set. E.g. in [4] it's an iframe element. See [5] for the different browsers' results.
Footnotes
[1] https://www.w3.org/TR/CSP3/#should-block-navigation-request
[2] https://www.w3.org/TR/CSP3/#violation-element
[3] https://www.w3.org/TR/CSP3/#report-violation
[4] https://searchfox.org/mozilla-central/rev/dca2603d55b5b39d3b8ab8e93c08b42563f5aad8/testing/web-platform/tests/content-security-policy/navigation/to-javascript-url-script-src.html#13,36,39
[5] https://wpt.fyi/results/content-security-policy/navigation/to-javascript-url-script-src.html?label=experimental&label=master&aligned
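
The target difference described in this issue affects any page script that consumes "securitypolicyviolation" events. The following is an added example, not code from the issue, the specification or the WPT test: a report collector that keys each violation on event fields and treats target only as an optional hint, so it produces the same record whether the engine sets the document or the offending element. Helper names and the sample events are assumptions constructed for illustration.

```javascript
// Field names follow SecurityPolicyViolationEvent; helpers and samples are constructed.

// Key built only from event fields, never from event.target.
function violationKey(ev) {
  return [ev.disposition, ev.effectiveDirective, ev.blockedURI,
          ev.sourceFile || "", ev.lineNumber || 0].join("|");
}

// Convert an event to a report record. target is kept only as a hint:
// it may be the document (as specified) or the offending element.
function toRecord(ev, doc) {
  const t = ev.target;
  const isElement = Boolean(t) && t !== doc && typeof t.tagName === "string";
  return {
    key: violationKey(ev),
    directive: ev.effectiveDirective,
    blockedURI: ev.blockedURI,
    documentURI: ev.documentURI,
    elementHint: isElement ? t.tagName.toLowerCase() : null,
  };
}

// Merge duplicate reports; keep an element hint if any report carried one.
function collect(events, doc) {
  const byKey = new Map();
  for (const ev of events) {
    const rec = toRecord(ev, doc);
    const seen = byKey.get(rec.key);
    if (!seen) {
      byKey.set(rec.key, { ...rec, count: 1 });
    } else {
      seen.count += 1;
      seen.elementHint = seen.elementHint || rec.elementHint;
    }
  }
  return [...byKey.values()];
}

// Constructed stand-ins for the two observed shapes of the same violation.
const sampleDoc = { nodeType: 9 };
const sampleFields = {
  disposition: "enforce", effectiveDirective: "script-src-elem",
  blockedURI: "inline", documentURI: "https://example.test/page.html",
  sourceFile: "https://example.test/page.html", lineNumber: 12,
};
const documentTargeted = { ...sampleFields, target: sampleDoc };
const elementTargeted = { ...sampleFields, target: { tagName: "IFRAME" } };
```

In a page, register one listener on the document and pass each event to toRecord(ev, document); the event bubbles, so a document-level listener receives it whichever target the engine chose.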