Bug 1910377 [wpt PR 47328] - [CSP] Use null origin in frame-ancestors violation reports, a=testonly

Automatic update from web-platform-tests
[CSP] Use null origin in frame-ancestors violation reports

Frame-ancestors violation reports are sent in Chrome through the
renderer of the embedding frame. However, the outgoing requests for
these reports should not have the Origin header set to the header of
the embedder.

Bug: 354894364
Change-Id: I8fd165aa12a5774afea359f79df7ee1e355e4412
Cq-Do-Not-Cancel-Tryjobs: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5743298
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1334189}

--

wpt-commits: 14c2373a0cd191da76b28b9b24c7ddf379ac090e
wpt-pr: 47328
This commit is contained in:
Antonio Sartori 2024-07-30 15:55:05 +00:00 коммит произвёл moz-wptsync-bot
Родитель 4bf46b7beb
Коммит 3d5b046a47
2 изменённых файлов: 35 добавлений и 1 удалений

Просмотреть файл

@ -0,0 +1,33 @@
<!DOCTYPE html>
<html>
<head>
<title>Cookies are not sent on cross origin violation reports for
frame-ancestors violations, even if the report-uri is same-origin
with the embedder.</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<script>
fetch(
"/cookies/resources/set-cookie.py?name=cspViolationReportCookie1&path=" +
encodeURIComponent("/"),
{mode: 'no-cors', credentials: 'include'})
.then(() => {
const iframe = document.createElement('iframe');
const searchParams = new URLSearchParams();
let reportId = "{{$id:uuid()}}";
searchParams.set("reportID", reportId);
searchParams.set("reportUriBase", "http://{{host}}:{{ports[http][0]}}");
iframe.src = "http://{{domains[www1]}}:{{ports[http][0]}}/" +
"content-security-policy/reporting/support/not-embeddable-frame.py?" +
searchParams.toString();
document.body.appendChild(iframe);
});
</script>
<script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=frame-ancestors%20%27none%27&noCookies=true&reportID={{$id}}'></script>
</body>
</html>

Просмотреть файл

@ -5,6 +5,7 @@ def main(request, response):
csp_header = b'Content-Security-Policy-Report-Only' \ csp_header = b'Content-Security-Policy-Report-Only' \
if request.GET.first(b'reportOnly', None) == b'true' else b'Content-Security-Policy' if request.GET.first(b'reportOnly', None) == b'true' else b'Content-Security-Policy'
headers.append((csp_header, b"frame-ancestors 'none'; report-uri /reporting/resources/report.py?op=put&reportID=" + request.GET[b'reportID'])) report_uri_base = request.GET.first(b'reportUriBase', b'')
headers.append((csp_header, b"frame-ancestors 'none'; report-uri " + report_uri_base + b"/reporting/resources/report.py?op=put&reportID=" + request.GET[b'reportID']))
return headers, b'{}' return headers, b'{}'