Bug 1910377 [wpt PR 47328] - [CSP] Use null origin in frame-ancestors violation reports, a=testonly

Automatic update from web-platform-tests [CSP] Use null origin in frame-ancestors violation reports Frame-ancestors violation reports are sent in Chrome through the renderer of the embedding frame. However, the outgoing requests for these reports should not have the Origin header set to the header of the embedder. Bug: 354894364 Change-Id: I8fd165aa12a5774afea359f79df7ee1e355e4412 Cq-Do-Not-Cancel-Tryjobs: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5743298 Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1334189} -- wpt-commits: 14c2373a0cd191da76b28b9b24c7ddf379ac090e wpt-pr: 47328
2024-07-30 15:55:05 +00:00 · 2024-07-30 15:55:05 +00:00 · 3d5b046a47
--- a/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors-no-parent-cookies.sub.html
+++ b/testing/web-platform/tests/content-security-policy/reporting/report-frame-ancestors-no-parent-cookies.sub.html
@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Cookies are not sent on cross origin violation reports for
+      frame-ancestors violations, even if the report-uri is same-origin
+      with the embedder.</title>
+    <meta name="timeout" content="long">
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+    fetch(
+      "/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" +
+        encodeURIComponent("/"),
+      {mode: 'no-cors', credentials: 'include'})
+    .then(() => {
+
+      const iframe = document.createElement('iframe');
+      const searchParams = new URLSearchParams();
+      let reportId = "{{$id:uuid()}}";
+      searchParams.set("reportID", reportId);
+      searchParams.set("reportUriBase", "http://{{host}}:{{ports[http][0]}}");
+      iframe.src = "http://{{domains[www1]}}:{{ports[http][0]}}/" +
+        "content-security-policy/reporting/support/not-embeddable-frame.py?" +
+        searchParams.toString();
+      document.body.appendChild(iframe);
+    });
+</script>
+<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20%27none%27&noCookies=true&reportID={{$id}}'></script>
+
+</body>
+</html>
--- a/testing/web-platform/tests/content-security-policy/reporting/support/not-embeddable-frame.py
+++ b/testing/web-platform/tests/content-security-policy/reporting/support/not-embeddable-frame.py
@ -5,6 +5,7 @@ def main(request, response):

    csp_header = b'Content-Security-Policy-Report-Only' \
        if request.GET.first(b'reportOnly', None) == b'true' else b'Content-Security-Policy'
-    headers.append((csp_header, b"frame-ancestors 'none'; report-uri /reporting/resources/report.py?op=put&reportID=" + request.GET[b'reportID']))
+    report_uri_base = request.GET.first(b'reportUriBase', b'')
+    headers.append((csp_header, b"frame-ancestors 'none'; report-uri " + report_uri_base + b"/reporting/resources/report.py?op=put&reportID=" + request.GET[b'reportID']))

    return headers, b'{}'