
Bug 1940382 - Part 4: Remove connect-src:'none' restriction from the preload-csp.sub.html.
Closed, Public

Authored by allstarschh on Jan 23 2025, 2:31 PM.

Details

Summary

In WPT PR 41665 [1], connect-src: 'none' was added to the CSP of
preload-csp.sub.html [2]; the reason is that JSON modules use 'connect-src'
as the CSP directive, see the destination "json" in [3].

However, this test calls "hasArrivedAtServer" to verify the result [4],
which uses the 'fetch()' API [5].

And according to the CSP spec, the directive for fetch() is "connect-src" (see
the empty string in [3]).

Hence the change introduced in [2] causes the call to fetch() to
violate the CSP restriction, and causes the test to fail on all browser
vendors. [6]

Checking the history on wpt.fyi in [6] further, we can find that all
browsers started to fail on Oct 31, 2023, which is also the date
PR 41665 [1] was merged into master [7].

Now back to the test itself: since preloading JSON modules is not
allowed per the previous patch D234849 [8] and whatwg PR 10212 [9], we can
simply remove the connect-src: 'none' CSP directive.

[1]: https://github.com/web-platform-tests/wpt/pull/41665
[2]: https://github.com/web-platform-tests/wpt/commit/40db1c8a3564f78156416334898f2a6914dd6de9#diff-18344ffd5be3dce2faabd52b30c10d3c7beeef3a024eac638c8e0e71b07bb7c6R2
[3]: https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
[4]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/preload-csp.sub.html#L33
[5]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/resources/preload_helper.js#L10
[6]: https://wpt.fyi/results/preload/preload-csp.sub.html?label=experimental&label=master&aligned
[7]: https://github.com/web-platform-tests/wpt/commit/40db1c8a3564f78156416334898f2a6914dd6de9
[8]: https://phabricator.services.mozilla.com/D234849
[9]: https://github.com/whatwg/html/pull/10212
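The commit message hinges on one fact from the CSP spec: both a JSON module request (destination "json") and a plain fetch() (destination "", the empty string) are governed by connect-src, so a policy written to block the former also blocks the latter. The following is an added example, not code from this revision or from the WPT test, that models the spec's "effective directive for a request" lookup and the directive fallback chain for a small subset of destinations and source expressions. The policy strings, the page origin, and the fetch target URL are constructed stand-ins; the hypothetical helper names (parsePolicy, isRequestAllowed) are not part of the CSP spec or the test harness.

```javascript
// Added example: a reduced model of CSP3 request checking, used to show why
// a policy containing "connect-src 'none'" blocks the fetch() that the
// test's hasArrivedAtServer() helper relies on. All inputs are constructed.

// Subset of the CSP3 "effective directive for a request" table, keyed by
// request destination. Both "" (fetch()/XHR) and "json" map to connect-src,
// which is the observation the commit message is built on.
const EFFECTIVE_DIRECTIVE = {
  "": "connect-src",
  json: "connect-src",
  image: "img-src",
  font: "font-src",
  style: "style-src-elem",
  script: "script-src-elem",
  worker: "worker-src",
  frame: "frame-src",
};

// Subset of the CSP3 fetch-directive fallback lists: the first directive in
// the list that the policy actually contains governs the request.
const FALLBACK = {
  "connect-src": ["connect-src", "default-src"],
  "img-src": ["img-src", "default-src"],
  "font-src": ["font-src", "default-src"],
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};

// Parse a serialized policy such as "default-src 'self'; connect-src 'none'"
// into a Map of directive name -> array of source expressions. As in the
// spec, a repeated directive name keeps only its first occurrence.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, parts.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Does one source list allow requestUrl from a document at pageOrigin?
// Modelled expressions: '*', 'self', 'none' (never matches) and an exact
// origin match for host sources (a constructed simplification of the
// spec's host-source matching).
function sourceListAllows(sources, requestUrl, pageOrigin) {
  const origin = new URL(requestUrl).origin;
  for (const src of sources) {
    if (src === "*") return true;
    if (src === "'self'" && origin === pageOrigin) return true;
    if (!src.startsWith("'") && src === origin) return true;
  }
  return false; // empty list, 'none', or no matching expression
}

// Walk the fallback chain for the request's effective directive; the first
// directive present in the policy decides. No governing directive: allowed.
function isRequestAllowed(policy, destination, requestUrl, pageOrigin) {
  const effective = EFFECTIVE_DIRECTIVE[destination];
  if (!effective) return true; // destination not modelled here
  for (const name of FALLBACK[effective]) {
    if (policy.has(name)) {
      return sourceListAllows(policy.get(name), requestUrl, pageOrigin);
    }
  }
  return true;
}

// Constructed inputs: a same-origin page and the URL the verification
// helper would fetch to ask the server whether the preload arrived.
const PAGE_ORIGIN = "https://example.test";
const VERIFY_URL = "https://example.test/preload/resources/verify?key=abc";

const policyBefore = parsePolicy("default-src 'self'; connect-src 'none'");
const policyAfter = parsePolicy("default-src 'self'");

// The helper's fetch() (destination "") is blocked under the old policy
// exactly like a JSON module request would be, and allowed once the
// connect-src 'none' directive is dropped (default-src 'self' still applies).
function summary() {
  return {
    fetchBlockedBefore: !isRequestAllowed(policyBefore, "", VERIFY_URL, PAGE_ORIGIN),
    jsonBlockedBefore: !isRequestAllowed(policyBefore, "json", VERIFY_URL, PAGE_ORIGIN),
    fetchAllowedAfter: isRequestAllowed(policyAfter, "", VERIFY_URL, PAGE_ORIGIN),
  };
}

console.log(summary());
```

The point for anyone writing a CSP test: any helper that phones the server through fetch() shares connect-src with the resource type under test, so restricting connect-src to exercise one code path silently breaks the verification step, which is exactly the cross-vendor failure the wpt.fyi history shows.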


Event Timeline

phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".
phab-bot changed the edit policy from "Custom Policy" to "Restricted Project (Project)".
phab-bot removed a project: secure-revision.
farre added a project: testing-approved.

I completely agree with that explanation!

This revision is now accepted and ready to land. Feb 6 2025, 12:31 PM
allstarschh edited the summary of this revision.