RESOLVED FIXED 244637
CSP 3: Update Content Security Policy when header sent as part of a 304 response
https://bugs.webkit.org/show_bug.cgi?id=244637
Hercules Hjalmarsson
Reported 2022-08-31 15:11:32 PDT
imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html is a constant text failure on macOS wk1 ToT and since 253966@main when it was un-skipped. It appears that this test is failing expectedly on wk2 but passing on wk1. I'm unsure which is correct after un-skip.

HISTORY: https://results.webkit.org/?suite=layout-tests&test=imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html

DIFF: @@ -2,6 +2,6 @@ PASS Test that the first frame uses nonce abc PASS Test that the first frame does not use nonce def -FAIL Test that the second frame uses nonce def assert_unreached: Unexpected message received Reached unreachable code -FAIL Test that the second frame does not use nonce abc assert_unreached: Unexpected message received Reached unreachable code +PASS Test that the second frame uses nonce def +PASS Test that the second frame does not use nonce abc
Radar WebKit Bug Importer
Comment 1 2022-08-31 15:11:53 PDT
Hercules Hjalmarsson
Comment 2 2022-08-31 15:13:01 PDT
My previous comment is mentioning failing expectedly from the DIFF output and not in the history.
Hercules Hjalmarsson
Comment 3 2022-08-31 15:14:05 PDT
This issue can be bisected to 253966@main using command:

    run-webkit-tests --iterations=2 -1 imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html
EWS
Comment 4 2022-08-31 15:27:30 PDT
Test gardening commit 254011@main (f787f2f60509): <https://commits.webkit.org/254011@main> Reviewed commits have been landed. Closing PR #3881 and removing active labels.
Ryan Reno
Comment 5 2023-01-13 08:39:33 PST
We aren't updating the CSP when we get a new header as part of a 304 response, which is why this test is failing. See discussion: https://github.com/w3c/webappsec-csp/issues/161
Ryan Reno
Comment 6 2023-01-13 08:56:57 PST
We also fail https://wpt.fyi/results/cors/304.htm?label=experimental&label=master&aligned

So we likely fail any WPT that tests our behavior w.r.t. updating the cache entry upon a 304 response.
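The behaviour discussed in comments 5 and 6, as an added example that is not WebKit code and not part of the bug thread: a simplified model of a cache overlaying the header fields of a 304 onto a stored response, and the effect on which script nonce the policy accepts. The function names, the skipped-field list and the sample headers are assumptions constructed for illustration; only the nonce values abc and def come from the test output above.

```javascript
// Simplified model (assumption, not WebKit's implementation) of freshening a
// cached response with the header fields carried by a 304 Not Modified.
// Stored header names are assumed to be lower-cased already.

// Fields this model never copies from the 304 onto the stored response.
const NOT_UPDATED = new Set(["content-length", "connection", "keep-alive", "transfer-encoding"]);

// Return a new header map: stored headers overlaid with those from the 304.
function freshenStoredHeaders(stored, notModified) {
  const merged = { ...stored };
  for (const [name, value] of Object.entries(notModified)) {
    const key = name.toLowerCase();
    if (!NOT_UPDATED.has(key)) merged[key] = value;
  }
  return merged;
}

// Collect the nonces accepted for scripts by a single CSP header value
// (script-src, falling back to default-src; first occurrence of a directive wins).
function scriptNonces(headers) {
  const policy = headers["content-security-policy"] || "";
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

function nonceAllowed(headers, nonce) {
  return scriptNonces(headers).includes(nonce);
}

// Constructed sample: first load (200) and its later revalidation (304).
const stored200 = { "content-type": "text/html", "content-length": "512",
                    "content-security-policy": "script-src 'nonce-abc'" };
const revalidation304 = { "Content-Security-Policy": "script-src 'nonce-def'", "Content-Length": "0" };

const stale = stored200;                                          // 304 headers ignored
const fresh = freshenStoredHeaders(stored200, revalidation304);   // 304 headers applied
console.log({ stale: scriptNonces(stale), fresh: scriptNonces(fresh) });
```

With the 304 headers ignored, the second load still enforces the policy from the first response, so a script carrying nonce def is blocked and one carrying the retired nonce abc still runs.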
Ryan Reno
Comment 7 2023-01-13 10:57:48 PST
EWS
Comment 8 2023-01-15 10:08:41 PST
Committed 258931@main (9bcb547791aa): <https://commits.webkit.org/258931@main> Reviewed commits have been landed. Closing PR #8629 and removing active labels.