
[Gecko Bug 1940382] Part 4: Remove connect-src:'none' restriction from the preload-csp.sub.html.#50605

Merged
moz-wptsync-bot merged 1 commit intomasterfrom
gecko/1940382
Feb 11, 2025

Conversation

@moz-wptsync-bot

In the WPT PR 41665 [1],
connect-src:'none' was added to the CSP of preload-csp.sub.html [2];
the reason is that json modules use 'connect-src' as the CSP
directive, see the destination "json" in [3].

However, this test calls "hasArrivedAtServer" to verify the result [4],
which uses the 'fetch()' API. [5]

And according to the CSP spec, the directive for fetch() is "connect-src" (see
the empty string in [3]).

Hence the change introduced in [2] causes the call to fetch() to
violate the CSP restriction, and causes the test to fail on all browser
vendors. [6]

Checking the history further on wpt.fyi in [6], we can find that all
browsers started to fail on Oct. 31, 2023, which is also the date the
PR 41665 [1] was merged into master [7].

Now back to the test itself: since preloading json modules is not
allowed per the previous patch D234849 [8] and whatwg PR 10212 [9], we can
simply remove the connect-src: 'none' CSP directive.

Differential Revision: https://phabricator.services.mozilla.com/D235314

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940382
gecko-commit: 55b5b1beb2a8901e30af5d9f6f2fb4b6122be5b8
gecko-reviewers: dom-core, farre

…b.html.

In the WPT PR 41665 [1],
connect-src:'none' was added to the CSP of preload-csp.sub.html [2];
the reason is that json modules use 'connect-src' as the CSP
directive, see the destination "json" in [3].

However, this test calls "hasArrivedAtServer" to verify the result [4],
which uses the 'fetch()' API. [5]

And according to the CSP spec, the directive for fetch() is "connect-src" (see
the empty string in [3]).

Hence the change introduced in [2] causes the call to fetch() to
violate the CSP restriction, and causes the test to fail on all browser
vendors. [6]

Checking the history further on wpt.fyi in [6], we can find that all
browsers started to fail on Oct. 31, 2023, which is also the date the
PR 41665 [1] was merged into master [7].

Now back to the test itself: since preloading json modules is not
allowed per the previous patch D234849 [8] and whatwg PR 10212 [9], we can
simply remove the connect-src: 'none' CSP directive.

[1]: #41665
[2]: 40db1c8#diff-18344ffd5be3dce2faabd52b30c10d3c7beeef3a024eac638c8e0e71b07bb7c6R2
[3]: https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
[4]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/preload-csp.sub.html#L33
[5]: https://github.com/web-platform-tests/wpt/blob/803b53367671fef86957c611a38e1d145044a97c/preload/resources/preload_helper.js#L10
[6]: https://wpt.fyi/results/preload/preload-csp.sub.html?label=experimental&label=master&aligned
[7]: 40db1c8
[8]: https://phabricator.services.mozilla.com/D234849
[9]: whatwg/html#10212

Differential Revision: https://phabricator.services.mozilla.com/D235314

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940382
gecko-commit: 55b5b1beb2a8901e30af5d9f6f2fb4b6122be5b8
gecko-reviewers: dom-core, farre
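The directive-selection argument in the commit message (a fetch() request has the empty destination and is therefore governed by connect-src, the same directive that governs the "json" module destination, so connect-src 'none' blocks the fetch() behind hasArrivedAtServer) is worked through below as an added JavaScript example. It is illustrative code written for this page, not the WPT test, the browser's CSP implementation, or any code from the PR; the destination table is an abridged transcription of the spec's "effective directive for a request" mapping, and the origins, URL and the policy that stands in for the test after the directive is removed are constructed.

```javascript
// Added example: a toy model of how CSP chooses the directive that governs a
// request. Not the WPT test's code and not a browser implementation. The
// destination table below is an abridged transcription of the spec's
// "effective directive for a request" mapping (assumption: only the
// destinations relevant to this discussion are listed).
const DESTINATION_TO_DIRECTIVE = {
  "": "connect-src",          // fetch(), XMLHttpRequest, EventSource, ...
  "json": "connect-src",      // JSON modules, the case the PR description cites
  "script": "script-src-elem",
  "style": "style-src-elem",
  "image": "img-src",
  "font": "font-src",
  "worker": "worker-src",
};

// Parse a serialized policy such as "default-src 'self'; connect-src 'none'"
// into a Map of directive name -> array of source expressions. A repeated
// directive name is ignored, as the spec requires.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Name of the directive that governs a request with `destination`: the
// destination-specific fetch directive if present, otherwise default-src,
// otherwise null (no directive applies, so the request is allowed).
function governingDirective(policy, destination) {
  const specific = DESTINATION_TO_DIRECTIVE[destination];
  if (specific === undefined) return null;
  if (policy.has(specific)) return specific;
  if (policy.has("default-src")) return "default-src";
  return null;
}

// Minimal source-expression matcher: 'none' matches nothing, 'self' matches
// the document's own origin, '*' matches anything, and a literal origin must
// match exactly. (Schemes, wildcard hosts and paths are deliberately omitted.)
function sourceAllows(source, requestOrigin, selfOrigin) {
  switch (source) {
    case "'none'": return false;
    case "'self'": return requestOrigin === selfOrigin;
    case "*": return true;
    default: return source === requestOrigin;
  }
}

// True if `serializedPolicy` permits a request of `destination` to `url`
// from a document whose origin is `selfOrigin`.
function isAllowed(serializedPolicy, destination, url, selfOrigin) {
  const policy = parsePolicy(serializedPolicy);
  const name = governingDirective(policy, destination);
  if (name === null) return true;
  const sources = policy.get(name);
  const requestOrigin = new URL(url).origin;
  // An empty source list matches nothing; 'none' alongside other sources
  // simply fails to match while the others may still allow the request.
  return sources.some((s) => sourceAllows(s, requestOrigin, selfOrigin));
}

// Constructed scenario standing in for the test: the document and the
// endpoint that hasArrivedAtServer() would fetch() share one origin.
const SELF_ORIGIN = "https://www1.example.test";              // constructed
const CHECK_URL = SELF_ORIGIN + "/constructed/arrival-check"; // constructed
const BROKEN_POLICY = "connect-src 'none'";                   // the directive the PR removes

// The fetch() behind hasArrivedAtServer() has destination "", so it is
// governed by connect-src and 'none' blocks it: the test cannot pass.
function testFetchUnderBrokenPolicy() {
  return isAllowed(BROKEN_POLICY, "", CHECK_URL, SELF_ORIGIN);
}

// A JSON module request (destination "json") is governed by the same
// directive, which is why the directive was added in the first place.
function jsonModuleUnderBrokenPolicy() {
  return isAllowed(BROKEN_POLICY, "json", CHECK_URL, SELF_ORIGIN);
}

// With the connect-src restriction removed (constructed remainder: a policy
// that does not mention connect-src or default-src), the same fetch() passes.
function testFetchWithDirectiveRemoved() {
  return isAllowed("script-src 'self'", "", CHECK_URL, SELF_ORIGIN);
}

console.log("fetch under connect-src 'none':", testFetchUnderBrokenPolicy());
console.log("json module under connect-src 'none':", jsonModuleUnderBrokenPolicy());
console.log("fetch with the directive removed:", testFetchWithDirectiveRemoved());
```

The point the model makes visible is that connect-src cannot be used to forbid JSON module preloads without also forbidding every fetch() the test harness itself issues; a policy that needs to block the module load but keep the verification fetch would have to distinguish the two by source expression rather than by directive, which is exactly why removing the directive is the right fix once JSON module preloading is disallowed elsewhere.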

@wpt-pr-bot wpt-pr-bot left a comment


The review process for this patch is being conducted in the Firefox project.

@moz-wptsync-bot moz-wptsync-bot merged commit 680e66b into master Feb 11, 2025
19 checks passed
@moz-wptsync-bot moz-wptsync-bot deleted the gecko/1940382 branch February 11, 2025 10:03
