Bug 244637

Summary:	CSP 3: Update Content Security Policy when header sent as part of a 304 response
Product:	WebKit	Reporter:	Hercules Hjalmarsson <hhjalmarsson>
Component:	Page Loading	Assignee:	Ryan Reno <rreno>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	achristensen, beidson, bfulgham, rreno, webkit-bot-watchers-bugzilla, webkit-bug-importer, wilander, youennf
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Hercules Hjalmarsson

Reported 2022-08-31 15:11:32 PDT

imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html Is a constant text failure on macOS wk1 ToT and since 253966@main when it was un-skipped. It appears that this test is failing expectedly on wk2 but passing on wk1. I'm unsure which is correct after un-skip. HISTORY: https://results.webkit.org/?suite=layout-tests&test=imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html DIFF: @@ -2,6 +2,6 @@ PASS Test that the first frame uses nonce abc PASS Test that the first frame does not use nonce def -FAIL Test that the second frame uses nonce def assert_unreached: Unexpected message received Reached unreachable code -FAIL Test that the second frame does not use nonce abc assert_unreached: Unexpected message received Reached unreachable code +PASS Test that the second frame uses nonce def +PASS Test that the second frame does not use nonce abc

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-08-31 15:11:53 PDT

<rdar://problem/99405897>

Hercules Hjalmarsson

Comment 2 2022-08-31 15:13:01 PDT

My previous comment is mentioning failing expectedly from the DIFF output and not in the history.

Hercules Hjalmarsson

Comment 3 2022-08-31 15:14:05 PDT

This issue can be bisected to 253966@main using command: run-webkit-tests --iterations=2 -1 imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html

EWS

Comment 4 2022-08-31 15:27:30 PDT

Test gardening commit 254011@main (f787f2f60509): <https://commits.webkit.org/254011@main> Reviewed commits have been landed. Closing PR #3881 and removing active labels.

Ryan Reno

Comment 5 2023-01-13 08:39:33 PST

We aren't updating the CSP when we get a new header as part of a 304 response which is why this test is failing. See discussion https://github.com/w3c/webappsec-csp/issues/161

Ryan Reno

Comment 6 2023-01-13 08:56:57 PST

We also fail https://wpt.fyi/results/cors/304.htm?label=experimental&label=master&aligned So we likely fail any WPT that tests our behavior w.r.t. updating the cache entry upon a 304 response.

Ryan Reno

Comment 7 2023-01-13 10:57:48 PST

Pull request: https://github.com/WebKit/WebKit/pull/8629

EWS

Comment 8 2023-01-15 10:08:41 PST

Committed 258931@main (9bcb547791aa): <https://commits.webkit.org/258931@main> Reviewed commits have been landed. Closing PR #8629 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.