Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite Trusted types tests for CSP violations #50124

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Rewrite Trusted types tests for CSP violations #50124

wants to merge 10 commits into from

Conversation

fred-wang
Copy link
Contributor

Currently the listener to "securitypolicyviolation" is added before actually running the statement that triggers violations, so it could be possible that some violations are not caught. This bad pattern is duplicated in several trusted-types*reporting* tests.

This patch adds a new helper file to properly wrap the listener registration and statement execution in a promise, and reuses it in existing tests.

w3c/trusted-types#576

@fred-wang
Rewrite Trusted types tests for CSP violations
fea1317 
Currently the listener to "securitypolicyviolation" is added before
actually running the statement that triggers violations, so it could
be possible that some violations are not caught. This bad pattern is
duplicated in several `trusted-types*reporting*` tests.

This patch adds a new helper file to properly wrap the
listener registration and statement execution in a promise, and
reuses it in existing tests.

w3c/trusted-types#576
@wpt-pr-bot wpt-pr-bot requested a review from mikewest January 16, 2025 16:41
@fred-wang fred-wang marked this pull request as draft January 16, 2025 16:41
@fred-wang
Copy link
Contributor Author

cc @lukewarlow

This gives much better results for me in Firefox. Still need to convert the other reporting files and though.

@fred-wang fred-wang requested a review from lukewarlow January 16, 2025 17:43
@fred-wang fred-wang marked this pull request as ready for review January 16, 2025 17:43
@fred-wang
Copy link
Contributor Author

fred-wang commented Jan 16, 2025
edited
Loading

It seems there are more tests for violation but they use a slightly different approach, so probably will handle them in separate PRs.

(also, some of these tests will probably need review and updates too, but for now let's keep the current expectations)

@fred-wang fred-wang marked this pull request as draft January 17, 2025 06:20
@fred-wang fred-wang marked this pull request as ready for review January 17, 2025 07:34
@fred-wang
Copy link
Contributor Author

@lukewarlow I fixed more tests this morning. The remaining ones using securitypolicyviolation are:

find -type f | xargs grep securitypolicyviolation | grep addEventListener | grep -v csp-violations.js
./empty-default-policy.html:    document.addEventListener("securitypolicyviolation", e => {
./default-policy-report-only.html:    document.addEventListener("securitypolicyviolation", e => {
./support/navigation-support.js:    document.addEventListener("securitypolicyviolation", bounceEventToOpener);
./resources/block-text-node-insertion.js:      document.addEventListener("securitypolicyviolation", e => {
./empty-default-policy-report-only.html:    document.addEventListener("securitypolicyviolation", e => {
./default-policy.html:    document.addEventListener("securitypolicyviolation", e => {
  • empty-default-policy.html, default-policy-report-only.html, empty-default-policy-report-only.html, default-policy.html: looks ok, assuming the promise_test is executed immediately so that it calls addEventListener before anything that can trigger an a security violation.
  • support/navigation-support.js: look ok too, addEventListener is called before the final navigationElement.click() that triggers the navigation.
  • block-text-node-insertion.js: usages of checkSecurityPolicyViolationEvent in block-text-node-insertion-into-script-element.html and block-text-node-insertion-into-svg-script-element.html look wrong, the tests execute statements causing violation reports, but checkSecurityPolicyViolationEvent (and so addEventListener) is only done at the end of the tests, so that can lead to flaky failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikewest mikewest Awaiting requested review from mikewest

@lukewarlow lukewarlow Awaiting requested review from lukewarlow

At least 1 approving review is required to merge this pull request.

Assignees

@mikewest mikewest

Labels
trusted-types wg-s_webappsec
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fred-wang @lukewarlow @mikewest @wpt-pr-bot