Bug 236049 - Many CSP tests timing out with "Blocked access to external URL" error
Summary: Many CSP tests timing out with "Blocked access to external URL" error
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Kate Cheney
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-02-02 17:27 PST by Kate Cheney
Modified: 2022-02-10 12:39 PST (History)
12 users (show)

See Also:

Attachments
Patch (269.52 KB, patch)
2022-02-02 17:29 PST, Kate Cheney 		no flags Details | Formatted Diff | Diff
WIP 2 (269.79 KB, patch)
2022-02-08 15:42 PST, Kate Cheney 		no flags Details | Formatted Diff | Diff
WIP 3 (278.62 KB, patch)
2022-02-09 13:15 PST, Kate Cheney 		no flags Details | Formatted Diff | Diff
Patch (278.62 KB, patch)
2022-02-10 10:07 PST, Kate Cheney 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kate Cheney 2022-02-02 17:27:53 PST 
Many CSP tests timing out with "Blocked access to external URL" error
Comment 1 Kate Cheney 2022-02-02 17:29:40 PST 
Created attachment 450721 [details]
Patch
Comment 2 EWS Watchlist 2022-02-02 17:31:10 PST 
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 3 Kate Cheney 2022-02-08 15:42:39 PST 
Created attachment 451315 [details]
WIP 2
Comment 4 youenn fablet 2022-02-09 00:48:38 PST 
Comment on attachment 451315 [details]
WIP 2

View in context: https://bugs.webkit.org/attachment.cgi?id=451315&action=review

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/resources/common.sub.js:977
> +  const crossOriginHost = "127.0.0.1";

const crossOriginHost = {{hosts[alt][]}}

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:31
> +        return "127.0.0.1"

Can we check whether subdomain is important here or whether we could use alternate here as well?
Comment 5 Kate Cheney 2022-02-09 12:18:01 PST 
Comment on attachment 451315 [details]
WIP 2

View in context: https://bugs.webkit.org/attachment.cgi?id=451315&action=review

>> LayoutTests/imported/w3c/web-platform-tests/common/security-features/resources/common.sub.js:977
>> +  const crossOriginHost = "127.0.0.1";
> 
> const crossOriginHost = {{hosts[alt][]}}

Will change.

>> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:31
>> +        return "127.0.0.1"
> 
> Can we check whether subdomain is important here or whether we could use alternate here as well?

CSP tests use this to perform a swap-origin redirect, which is referenced in the wpt repo (https://github.com/web-platform-tests/wpt/pull/1856) as being when the final origin of the load after redirection is cross origin. That leads me to believe this function is only trying to get a cross origin domain and the existence of a subdomain doesn't actually matter.

This aligns with the if-else which checks the netloc and returns a cross-origin host regardless of whether it exists (e.g. a netloc of ww1.localhost returns localhost, and a netloc of localhost returns ww1.localhost).

A solution that aligns more with our http tests would be to return "127.0.0.1" if netloc is "localhost" and vice versa.
Comment 6 Kate Cheney 2022-02-09 13:15:10 PST 
Created attachment 451433 [details]
WIP 3
Comment 7 Kate Cheney 2022-02-09 13:15:52 PST 
Comment on attachment 451433 [details]
WIP 3

View in context: https://bugs.webkit.org/attachment.cgi?id=451433&action=review

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:28
> +    if netloc == "localhost":

@Youenn is there a way to get localhost without hardcoding?
Comment 8 Radar WebKit Bug Importer 2022-02-09 17:28:19 PST 
<rdar://problem/88724733>
Comment 9 Kate Cheney 2022-02-10 10:07:52 PST 
Created attachment 451560 [details]
Patch