Bug 1632860 [wpt PR 23230] - Fix report-to CSP directive to only allow one endpoint, a=testonly
Automatic update from web-platform-tests Fix report-to CSP directive to only allow one endpoint According to https://w3c.github.io/webappsec-csp/#directive-report-to, the Content-Security-Policy directive "report-to" should only accept one token (endpoint). However, our previous implementation allowed several endpoints to be specified. Bug: 916265 Change-Id: Ie11ee736f577d015921a5291824dcedcbc790177 Fixed: 916265 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2162826 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#762813} -- wpt-commits: fa3d5b0da213daee43f5de9621a26984ef70d149 wpt-pr: 23230
Родитель
0364af1a6f
Коммит
35c61ed41d
|
@ -0,0 +1,25 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test that report-to ignores tokens after the first one</title>
|
||||
<script src='/resources/testharness.js'></script>
|
||||
<script src='/resources/testharnessreport.js'></script>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
var t1 = async_test("Test that image does not load");
|
||||
async_test(function(t2) {
|
||||
window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
|
||||
assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
|
||||
assert_equals(e.violatedDirective, "img-src");
|
||||
t2.done();
|
||||
}));
|
||||
}, "Event is fired");
|
||||
</script>
|
||||
<img src='/content-security-policy/support/fail.png'
|
||||
onload='t1.unreached_func("The image should not have loaded");'
|
||||
onerror='t1.done();'>
|
||||
<!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. -->
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
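Review bot: The new test only asserts the negative half of the behaviour: the `checkReport.sub.js?reportExists=false` line near the end of the body checks that no report reaches the second group, but nothing checks that a report did reach the first group, so a browser that discards the whole `report-to` directive when it sees two tokens (or sends no report at all) passes exactly like a conforming one. In the headers hunk that follows, the `csp-group` endpoint's reportID is a fresh `{{uuid()}}` that no check reads back, which is why delivery to the first endpoint is never observed. Consider binding that first endpoint to an id the test can query and adding a positive `reportExists=true` check (possibly as a companion test file, since the support script appears to key its lookup on a single cookie), so the test distinguishes "first endpoint used" from "reporting silently dropped". The comment before the check script could also say this explicitly, e.g. `<!-- Only the absence of a report at the second endpoint is checked here; delivery to csp-group is not asserted. -->`.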
|
|
@ -0,0 +1,7 @@
|
|||
Expires: Mon, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate
|
||||
Cache-Control: post-check=0, pre-check=0, false
|
||||
Pragma: no-cache
|
||||
Set-Cookie: reporting-api-report-to-only-sends-reports-to-first-endpoint={{$id:uuid()}}; Path=/content-security-policy/reporting-api
|
||||
Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group csp-group-2
|
||||
Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{uuid()}}" }] }, { "group": "csp-group-2", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] }
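Review bot: The second `Cache-Control` line carries a stray `false` token (`Cache-Control: post-check=0, pre-check=0, false`); `false` is not a Cache-Control directive and looks like copied boilerplate from sibling headers files. It is harmless for caching but noise for anyone reading the header set, so `Cache-Control: post-check=0, pre-check=0` would be the cleaner form. I would also add a short comment-free hint in the commit or a sibling README that the `{{$id}}` in the second group's URL is deliberately the same value as the cookie, since that binding is what makes the negative check meaningful.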
|
|
@ -20,6 +20,6 @@
|
|||
onload='t1.unreached_func("The image should not have loaded");'
|
||||
onerror='t1.done();'>
|
||||
<!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false></script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
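Review bot: The quote fix on the checkReport script line also shows that the previous version of this test passed vacuously: with the `src` attribute unterminated the support script never loaded, and a `reportExists=false` check that never runs reports no failure, so the harness saw a green test with no assertion behind it. The same applies to the identical hunk below. To make a negative-report test of this shape fail loudly if its check is ever broken again, register an expectation that the support script actually executed, e.g. `var loaded = async_test("checkReport script executed");` in the existing inline script and `onload='loaded.done();'` on the check script element (the file already uses inline handlers under its 'unsafe-inline' policy). The `<img>` element whose attributes open the hunk starts above it, outside this view.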
|
||||
|
|
|
@ -20,6 +20,6 @@
|
|||
onload='t1.unreached_func("The image should not have loaded");'
|
||||
onerror='t1.done();'>
|
||||
<!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false></script>
|
||||
<script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
|
||||
</body>
|
||||
</html>
|
||||
|
|