Bug 1632860 [wpt PR 23230] - Fix report-to CSP directive to only allow one endpoint, a=testonly

Automatic update from web-platform-tests Fix report-to CSP directive to only allow one endpoint According to https://w3c.github.io/webappsec-csp/#directive-report-to, the Content-Security-Policy directive "report-to" should only accept one token (endpint). However, our previous implementation allowed several endpoints to be specified. Bug: 916265 Change-Id: Ie11ee736f577d015921a5291824dcedcbc790177 Fixed: 916265 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2162826 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/master@{#762813} -- wpt-commits: fa3d5b0da213daee43f5de9621a26984ef70d149 wpt-pr: 23230
2024-10-22 09:45:41 +00:00 · 2020-04-28 11:45:56 +00:00 · 2020-04-28 11:45:56 +00:00 · 1c1cff4e05
commit 1c1cff4e05
parent 05ef386ffd
4 changed files with 34 additions and 2 deletions
--- a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html
@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that report-to ignores tokens after the first one</title>
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+  <script>
+    var t1 = async_test("Test that image does not load");
+    async_test(function(t2) {
+    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.violatedDirective, "img-src");
+        t2.done();
+      }));
+    }, "Event is fired");
+  </script>
+  <img src='/content-security-policy/support/fail.png'
+       onload='t1.unreached_func("The image should not have loaded");'
+       onerror='t1.done();'>
+  <!-- The second token of the report-to directive should be ignored, since the directive only supports one token. So we should not have any reports sent to this endpoint. -->
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html>
--- a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-only-sends-reports-to-first-endpoint.https.sub.html.sub.headers
@ -0,0 +1,7 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: reporting-api-report-to-only-sends-reports-to-first-endpoint={{$id:uuid()}}; Path=/content-security-policy/reporting-api
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group csp-group-2
+Report-To: { "group": "csp-group", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{uuid()}}" }] }, { "group": "csp-group-2", "max_age": 10886400, "endpoints": [{ "url": "https://{{host}}:{{ports[https][0]}}/content-security-policy/support/report.py?op=put&reportID={{$id}}" }] }
--- a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-1.https.sub.html
@ -20,6 +20,6 @@
       onload='t1.unreached_func("The image should not have loaded");'
       onerror='t1.done();'>
  <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
-  <script async defer src='../support/checkReport.sub.js?reportExists=false></script>
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>
--- a/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
+++ b/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-report-to-overrides-report-uri-2.https.sub.html
@ -20,6 +20,6 @@
       onload='t1.unreached_func("The image should not have loaded");'
       onerror='t1.done();'>
  <!-- report-to overrides the report-uri so the report goes to a different endpoint and we should not have any reports sent to this endpoint -->
-  <script async defer src='../support/checkReport.sub.js?reportExists=false></script>
+  <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
 </body>
 </html>