Bug 223079

Summary: [ macOS Wk2 ] http/tests/security/contentSecurityPolicy/report-only-connect-src-xmlhttprequest-redirect-to-blocked.php is constantly text failing
Product: WebKit Reporter: Robert Jenner <jenner>
Component: New BugsAssignee: Chris Gambrell <cgambrell>
Status: RESOLVED FIXED    
Severity: Normal CC: cgambrell, ews-watchlist, jbedard, mkwst, tsavell, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=222668
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Robert Jenner
Reported 2021-03-11 10:57:32 PST
http/tests/security/contentSecurityPolicy/report-only-connect-src-xmlhttprequest-redirect-to-blocked.php is a constant text failure in macOS release and debug wk2. HISTORY URL: https://results.webkit.org/?suite=layout-tests&test=http%2Ftests%2Fsecurity%2FcontentSecurityPolicy%2Freport-only-connect-src-xmlhttprequest-redirect-to-blocked.php TEXT DIFF: --- /Volumes/Data/worker/bigsur-release-tests-wk2/build/layout-test-results/http/tests/security/contentSecurityPolicy/report-only-connect-src-xmlhttprequest-redirect-to-blocked-expected.txt +++ /Volumes/Data/worker/bigsur-release-tests-wk2/build/layout-test-results/http/tests/security/contentSecurityPolicy/report-only-connect-src-xmlhttprequest-redirect-to-blocked-actual.txt @@ -1,4 +1,5 @@ CONSOLE MESSAGE: The Content Security Policy 'connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. +CONSOLE MESSAGE: [Report Only] Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php because it does not appear in the connect-src directive of the Content Security Policy. CONSOLE MESSAGE: [Report Only] Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy. PASS XMLHttpRequest.send() did follow the redirect. PASS successfullyParsed is true
Attachments
Patch (3.72 KB, patch)
2021-03-11 11:37 PST, Chris Gambrell 		no flags
DetailsFormatted DiffDiff
Patch (22.37 KB, patch)
2021-03-17 14:36 PDT, Chris Gambrell 		no flags
DetailsFormatted DiffDiff
Patch (29.12 KB, patch)
2021-03-17 19:34 PDT, Chris Gambrell 		no flags
DetailsFormatted DiffDiff
Patch (26.74 KB, patch)
2021-03-18 09:08 PDT, Chris Gambrell 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-03-11 10:57:55 PST
<rdar://problem/75323779>
Chris Gambrell
Comment 2 2021-03-11 11:37:59 PST
Created attachment 422953 [details] Patch
Chris Gambrell
Comment 3 2021-03-11 11:40:14 PST
Comment on attachment 422953 [details] Patch This was part of a batch of the http/tests/security php files that had issues with the Python conversion and should not have been included in part 1 of 2 for the security directory. Reverted test back to reference the PHP version. This will be converted in part 2.
Jonathan Bedard
Comment 4 2021-03-13 13:45:00 PST
Comment on attachment 422953 [details] Patch No reason to keep the bots red this weekend, cq+ing as well
EWS
Comment 5 2021-03-13 13:55:56 PST
Committed r274392: <https://commits.webkit.org/r274392> All reviewed patches have been landed. Closing bug and clearing flags on attachment 422953 [details].
Truitt Savell
Comment 6 2021-03-15 15:37:54 PDT
It looks like the changes in https://trac.webkit.org/changeset/274392/webkit broke http/tests/security/contentSecurityPolicy/report-only-from-header.py History: https://results.webkit.org/?suite=layout-tests&test=http%2Ftests%2Fsecurity%2FcontentSecurityPolicy%2Freport-only-from-header.py this is a fairly clear regression in history
Jonathan Bedard
Comment 7 2021-03-15 16:12:56 PDT
This seems to point to the problem: 'Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/echo-report.php because it does not appear in the connect-src directive of the Content Security Policy'
Chris Gambrell
Comment 8 2021-03-17 14:36:32 PDT
Reopening to attach new patch.
Chris Gambrell
Comment 9 2021-03-17 14:36:34 PDT
Created attachment 423530 [details] Patch
Chris Gambrell
Comment 10 2021-03-17 14:46:04 PDT
Comment on attachment 423530 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=423530&action=review > LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt:1 > +CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy. Starting process of conversion of pearl files in this patch. > LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt:1 > +CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy. Starting process of conversion of pearl files in this patch. > LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html:24 > + xhr.open("GET", "resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py", true); Starting process of conversion of pearl files in this patch. > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt:2 > +Blocked access to external URL https://webkit.org/report Python automatically switched to https above http so changed the url & expectations > LayoutTests/http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.py:6 > + 'Content-Security-Policy: font-src https://webkit.org; report-uri https://webkit.org/report;\r\n' Python automatically switched to https above http so changed the url & expectations > LayoutTests/http/tests/security/contentSecurityPolicy/resources/go-to-echo-report.py:10 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.py:8 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.py:8 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.py:8 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.py:7 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.py:8 > + 'Content-Type: text/html\r\n\r\n' When running cURL requests, PHP was returning text/html Content-Type, not application/javascript > LayoutTests/http/tests/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py:1 > +#!/usr/bin/env python3 Starting process of conversion of pearl files in this patch.
Jonathan Bedard
Comment 11 2021-03-17 14:55:30 PDT
Comment on attachment 423530 [details] Patch Looks good, let's wait until EWS is happy
Chris Gambrell
Comment 12 2021-03-17 19:34:54 PDT
Created attachment 423548 [details] Patch
Chris Gambrell
Comment 13 2021-03-18 09:08:25 PDT
Created attachment 423604 [details] Patch
Chris Gambrell
Comment 14 2021-03-18 09:13:07 PDT
Comment on attachment 423604 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=423604&action=review > LayoutTests/ChangeLog:1 > +2021-03-18 Chris Gambrell <cgambrell@apple.com> http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher-expected.txt got updated to match the original PHP version. Changed the version of http/tests/security/contentSecurityPolicy/user-style-sheet-font-crasher.py to match the PHP version.
EWS
Comment 15 2021-03-18 13:42:15 PDT
Committed r274671: <https://commits.webkit.org/r274671> All reviewed patches have been landed. Closing bug and clearing flags on attachment 423604 [details].
Note You need to log in before you can comment on or make changes to this bug.