Bug 1662411 [wpt PR 25321] - Fix wildcard host matching in CSPEE subsume algorithm, a=testonly
author: Antonio Sartori <antoniosartori@chromium.org>
date: Thu, 10 Sep 2020 15:53:11 +0000
changeset: 548307 3b5ac5b97a79d8ceeafcb9de4b74c43c1b668fc6
parent: 548306 b7d28f2119a1cb8b7ac9c982d6745e73b4e53216
child: 548308 a6e4b389013941a0c67a2ed4b32796bfa59bcb23
push id: 37776
push user: btara@mozilla.com
push date: Fri, 11 Sep 2020 15:10:42 +0000
reviewers: testonly
bugs: 1662411, 25321, 1086857, 2210463, 805286
milestone: 82.0a1
Bug 1662411 [wpt PR 25321] - Fix wildcard host matching in CSPEE subsume algorithm, a=testonly

Automatic update from web-platform-tests

Fix wildcard host matching in CSPEE subsume algorithm

The previous implementation returned `true` for `*.example.com` subsumes `example.com`. However, since `*.example.com` does not match `example.com`, this should not be the case. And indeed according to 2.3.3 in https://w3c.github.io/webappsec-cspee/#subsume-source-expressions in this case the subsume algorithm should return `false`.

Bug: 1086857
Change-Id: I449f72d2db0a918478fc1ba4250335ae57a4ae2d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210463
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/master@{#805286}

--

wpt-commits: 4d8bfc649f692738a27b35468b7984b6061ab485
wpt-pr: 25321
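The rule the commit message cites, as an added illustration that is not code from the WPT test, from Chromium or from Firefox: a model of CSP host-part matching and of the host-source case of the CSPEE subsumption check, reduced to host names only (schemes, ports and paths are left out, and the function names are this example's own, not the spec's). It also shows why the intersection of the two returned policies in the new test case is empty, so that a required `'none'` subsumes it.

```javascript
// Added example (not the WPT harness or a browser implementation).
// Assumptions: only the host part of a source expression is modelled;
// an empty host list stands for 'none'; all names are illustrative.

// CSP3 host-part match: "*" matches any host, "*.a.com" matches
// "b.a.com" and "c.b.a.com" but never the bare "a.com"; anything
// else must match exactly (case-insensitively).
function hostPartMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);                 // ".a.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// Does host-source A subsume host-source B, i.e. is every host that B
// matches also matched by A?  Because "*.example.com" does not match
// "example.com", it does not subsume it either.
function hostSourceSubsumes(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === "*") return true;
  if (b === "*") return false;
  if (b.startsWith("*.")) {
    // A wildcard is only covered by an equal or broader wildcard.
    return a.startsWith("*.") && (a === b || hostPartMatches(a, b.slice(2)));
  }
  return hostPartMatches(a, b);
}

// Intersection of two host-sources.  For host parts alone the result is
// either the narrower of the two or nothing: "a.com" and "*.a.com"
// have no host in common.
function hostSourceIntersect(a, b) {
  if (hostSourceSubsumes(a, b)) return b;
  if (hostSourceSubsumes(b, a)) return a;
  return null;
}

// Intersect two returned host lists host by host (the CSPEE step that
// combines several returned policies before checking subsumption).
function intersectHostLists(list1, list2) {
  const out = [];
  for (const x of list1) {
    for (const y of list2) {
      const h = hostSourceIntersect(x, y);
      if (h !== null && !out.includes(h)) out.push(h);
    }
  }
  return out;
}

// A required host list subsumes a returned one when every returned host
// is covered by some required host.  'none' (empty list) therefore
// subsumes only an empty list.
function requiredSubsumes(required, returned) {
  return returned.every(r => required.some(q => hostSourceSubsumes(q, r)));
}

// Constructed cases mirroring the two new test entries, host parts only.
function exampleResults() {
  return {
    // required "frame-src http://*.a.com", returned "frame-src http://a.com"
    wildcardVsBare: requiredSubsumes(["*.a.com"], ["a.com"]),           // false: block
    // required "frame-src 'none'", returned a.com and *.a.com intersect to nothing
    noneVsEmptyIntersection:
      requiredSubsumes([], intersectHostLists(["a.com"], ["*.a.com"])), // true: load
  };
}
```

The asymmetry to keep in mind when reviewing such policies is that a wildcard host is strictly narrower than "this host and everything under it": an embedder that requires `*.a.com` is not granting `a.com`, and a returned policy listing `a.com` must be rejected rather than treated as a subset.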
testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
--- a/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
+++ b/testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-general.html
@@ -36,16 +36,25 @@
       { "name": "Iframe with a different CSP should be blocked.", 
         "required_csp": "script-src 'nonce-abc' 'nonce-123'", 
         "returned_csp": "style-src 'none'", 
         "expected": IframeLoad.EXPECT_BLOCK },
       { "name": "Iframe with a matching and more restrictive ports should load.", 
         "required_csp": "frame-src http://c.com:443 http://b.com", 
         "returned_csp": "frame-src http://b.com:80 http://c.com:443", 
         "expected": IframeLoad.EXPECT_LOAD },
+      { "name": "Host wildcard *.a.com does not match a.com",
+        "required_csp": "frame-src http://*.a.com",
+        "returned_csp": "frame-src http://a.com",
+        "expected": IframeLoad.EXPECT_BLOCK },
+      { "name": "Host intersection with wildcards is computed correctly.",
+        "required_csp": "frame-sr 'none'",
+        "returned_csp": "frame-src http://a.com",
+        "returned_csp_2": "frame-src http://*.a.com",
+        "expected": IframeLoad.EXPECT_LOAD },
       { "name": "Iframe should load even if the ports are different but are default for the protocols.", 
         "required_csp": "frame-src http://b.com:80", 
         "returned_csp": "child-src https://b.com:443", 
         "expected": IframeLoad.EXPECT_LOAD },
       { "name": "Iframe should block if intersection allows sources which are not in required_csp.",
         "required_csp": "style-src http://*.example.com:*",
         "returned_csp": "style-src http://*.com:*",
         "returned_csp_2": "style-src http://*.com http://*.example.com:*",
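Review bot: the required policy of the second new case reads `"required_csp": "frame-sr 'none'"`, which looks like a typo for `frame-src`; as written the required CSP carries an unknown directive name, so the case can pass without the wildcard intersection of `http://a.com` and `http://*.a.com` ever being checked against `'none'`, which is what its name says it verifies. Suggest `"required_csp": "frame-src 'none'",`. Minor style point in the same hunk: the first new case's name, `"Host wildcard *.a.com does not match a.com"`, lacks the trailing period used by the surrounding entries.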