Open zcorpan opened 3 years ago
Firefox doesn't implement CSP embedded enforcement and I believe the spec is a "monkey-patch" that is injected into the HTML spec from: https://www.w3.org/TR/csp-embedded-enforcement/#html-integration (step 3)
@antosart @mikewest FYI.
Replying to https://github.com/web-platform-tests/wpt/pull/28281#issuecomment-814995871:
Following the current spec: checking COEP in between CSP and X-Frame-Options seems complex, because we currently check both CSP:frame-ancestors and X-Frame-Options together in Chrome. They are about the exact same thing. Moving the COEP check one step earlier in the spec would be much simpler.
Part of the issue is that the CSP specs want to handle all CSP things together. So grouping CSP: frame-ancestors and XFO is a bit unnatural.
We could probably make it work by just putting CSP-in-general and XFO together, and relying on the fact that (IIUC) the individual CSP checks do not have a defined order. So if we change the spec to COEP -> CSP -> XFO or CSP -> XFO -> COEP then implementations can always put the frame-ancestors CSP check after/before other CSP checks and thus put it together with XFO.
However, I don't know what other web implementations would prefer.
I suspect they'd be OK with changes here since COEP is relatively new (and only implemented in Gecko and Chromium). Maybe @annevk can help confirm.
I wrote: https://github.com/ArthurSonzogni/html/commit/3f94b829cc9aca2ee806e4d9f0b6d98d7a120d07
If @annevk is interested, I will propose this PR, and update zcorpan@ WPT test expectation.
No strong opinion, but I believe Firefox does implement CSP reporting so you can probably find out our current order. I do agree it's good to define and test order. 😊
I wrote a test to test ordering of COEP reporting vs CSP and X-Frame-Options, and was a bit puzzled by the observed outcome in Chromium. @ArthurSonzogni commented:
Originally posted by @ArthurSonzogni in https://github.com/web-platform-tests/wpt/pull/28281#issuecomment-814948946
What do Gecko and WebKit do?
I don't see "CSP embedded enforcement" as a term in the CSP or HTML specs.
For upgrade insecure requests, I see https://fetch.spec.whatwg.org/#concept-main-fetch step 5, but don't know if it matches Chromium.
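The ordering question above (COEP before or after the CSP frame-ancestors and X-Frame-Options checks, and why Chromium groups the latter two) is easier to reason about with a model. The following is an added example written for this page; it is not code from the issue, the WPT PR, Chromium or the specs. It models the three checks a browser applies to a navigation response for a child frame and runs them in a configurable order, so the first failing check (which is the one that turns the navigation into a network error and the only one that gets to report) changes with the order. It also encodes the HTML-spec rule that X-Frame-Options is ignored when the response carries an enforced frame-ancestors directive, which is the dependency that makes the two checks natural to run together. Simplifications are assumptions: one CSP header, frame-ancestors sources limited to 'none', 'self', '*', "scheme:" and exact origins, no report-only policies, and the check names `coep`, `csp`, `xfo` are this example's own labels.

```javascript
// Added example: a model of the child-frame navigation response checks,
// not code from the issue, Chromium or the HTML/CSP specs.

function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// A COEP value "compatible with cross-origin isolation" (HTML spec wording).
function isolating(value) {
  return value === 'require-corp' || value === 'credentialless';
}

// COEP check for nested navigations: if the embedder is isolating, the child
// response must itself carry an isolating COEP value. CORP plays no role here.
function checkCoep(parentCoep, headers) {
  if (!isolating(parentCoep)) return true;
  const child = (headers['cross-origin-embedder-policy'] || 'unsafe-none').trim().toLowerCase();
  return isolating(child);
}

// Returns the frame-ancestors source list, or null when the directive is absent.
// Assumption: a single Content-Security-Policy header.
function frameAncestorsSources(headers) {
  const csp = headers['content-security-policy'];
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Assumption: sources are 'none', 'self', '*', "scheme:" or an exact origin.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return ancestorOrigin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestorOrigin.startsWith(s);
  return new URL(s).origin === ancestorOrigin;
}

// CSP frame-ancestors: every ancestor document origin must match a source.
// An empty source list behaves like 'none'.
function checkFrameAncestors(headers, ancestorOrigins, selfOrigin) {
  const sources = frameAncestorsSources(headers);
  if (sources === null) return true;
  return ancestorOrigins.every(a => sources.some(s => sourceMatches(s, a, selfOrigin)));
}

// X-Frame-Options, following the HTML spec's algorithm: skipped entirely when
// an enforced frame-ancestors directive is present; several distinct values
// block if any of them is deny/allowall/sameorigin and are ignored otherwise;
// DENY blocks; SAMEORIGIN requires every ancestor to be same-origin; anything
// else (e.g. ALLOW-FROM) is ignored.
function checkXfo(headers, ancestorOrigins, selfOrigin) {
  if (frameAncestorsSources(headers) !== null) return true;
  const raw = headers['x-frame-options'];
  if (!raw) return true;
  const values = new Set(raw.split(',').map(v => v.trim().toLowerCase()).filter(Boolean));
  if (values.size > 1) {
    return ![...values].some(v => ['deny', 'allowall', 'sameorigin'].includes(v));
  }
  const [value] = values;
  if (value === 'deny') return false;
  if (value === 'sameorigin') return ancestorOrigins.every(a => a === selfOrigin);
  return true;
}

const CHECKS = {
  coep: ctx => checkCoep(ctx.parentCoep, ctx.headers),
  csp: ctx => checkFrameAncestors(ctx.headers, ctx.ancestorOrigins, ctx.selfOrigin),
  xfo: ctx => checkXfo(ctx.headers, ctx.ancestorOrigins, ctx.selfOrigin),
};

// Run the checks in `order`. The first failure turns the navigation into a
// network error, so later checks never run and never produce a report.
function evaluateFrameResponse({ parentCoep = 'unsafe-none', headers, responseUrl, ancestorOrigins, order }) {
  const ctx = {
    parentCoep,
    headers: normalizeHeaders(headers),
    ancestorOrigins,
    selfOrigin: new URL(responseUrl).origin,
  };
  const checksRun = [];
  for (const name of order) {
    checksRun.push(name);
    if (!CHECKS[name](ctx)) return { blocked: true, blockedBy: name, checksRun };
  }
  return { blocked: false, blockedBy: null, checksRun };
}

// Constructed scenario: an isolating embedder frames a child that both lacks
// COEP and forbids framing via CSP. Which check "wins" depends on the order.
const scenario = {
  parentCoep: 'require-corp',
  headers: { 'Content-Security-Policy': "frame-ancestors 'none'" },
  responseUrl: 'https://child.example/frame.html',
  ancestorOrigins: ['https://parent.example'],
};
const coepFirst = evaluateFrameResponse({ ...scenario, order: ['coep', 'csp', 'xfo'] });
const coepLast = evaluateFrameResponse({ ...scenario, order: ['csp', 'xfo', 'coep'] });
console.log(coepFirst.blockedBy, coepLast.blockedBy); // coep csp
```

Because `checkXfo` returns early whenever a frame-ancestors directive exists, an implementation that evaluates frame-ancestors and X-Frame-Options back to back is correct under both `['coep', 'csp', 'xfo']` and `['csp', 'xfo', 'coep']`; the only observable difference between the two orders is which of COEP or CSP gets to block (and report) when both would fail.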