Skip to content

script: Fix current URL for CSP requests#43438

Merged
TimvdLippe merged 1 commit intoservo:mainfrom
TimvdLippe:fix-csp-redirects
Mar 22, 2026
Merged

script: Fix current URL for CSP requests#43438
TimvdLippe merged 1 commit intoservo:mainfrom
TimvdLippe:fix-csp-redirects

Conversation

@TimvdLippe
Copy link
Copy Markdown
Contributor

@TimvdLippe TimvdLippe commented Mar 18, 2026

The CSP crate was incorrectly using the request URL for both checking if policies were matching, as well as reporting that URL. However, the CSP specification uses the current URL to check for policies and the url for reporting a violation.

Therefore, set the new current_url field for these requests, leaving the ws scheme URLs as a special case. We also should take redirects into account for navigations (which is only relevant for forms), but LoadData currently has no notion of keeping track of that.

@TimvdLippe TimvdLippe added the T-linux-wpt Do a try run of the WPT label Mar 18, 2026
@github-actions github-actions Bot removed the T-linux-wpt Do a try run of the WPT label Mar 18, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 18, 2026

🔨 Triggering try run (#23268788577) for Linux (WPT)

@TimvdLippe TimvdLippe mentioned this pull request Mar 18, 2026
Merged
TimvdLippe added a commit to TimvdLippe/rust-content-security-policy that referenced this pull request Mar 18, 2026
@TimvdLippe
Add current_url to request
d469f3b 
The specification uses two different URLs: the url and the current URL.
The distinction is relevant when redirecting [1]. When we report a
violation, we should use the original URL that started the request.
However, all checks on URLs then need to use the current URLs. This
ensures that after a redirect, the new URL is then checked against
the CSP policy.

This is extensively tested by WPT, see the results in the corresponding
Servo PR [2].

[1]: https://w3c.github.io/webappsec-csp/#create-violation-for-request
[2]: servo/servo#43438
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 18, 2026

Test results for linux-wpt from try job (#23268788577):

Flaky unexpected result (28)
  • PASS [expected FAIL] /_mozilla/css/linear_gradients_reverse_a.html
  • OK /_mozilla/css/offset_properties_inline.html (#40543)
    • FAIL [expected PASS] subtest: offsetTop

      assert_equals: offsetTop of #inline-1 should be 0. expected 0 but got -1

    • FAIL [expected PASS] subtest: offsetLeft

      assert_equals: offsetLeft of #inline-2 should be 40. expected 40 but got 25

  • ERROR [expected OK] /_mozilla/mozilla/img_find_non_sibling_map.html
  • OK /_webgl/conformance/textures/misc/texture-upload-size.html (#21770)
    • PASS [expected FAIL] subtest: WebGL test #45
    • PASS [expected FAIL] subtest: WebGL test #47
    • PASS [expected FAIL] subtest: WebGL test #49
    • PASS [expected FAIL] subtest: WebGL test #51
    • FAIL [expected PASS] subtest: WebGL test #53

      assert_true: Texture was smaller than the expected size 2x2 expected true got false

    • FAIL [expected PASS] subtest: WebGL test #55

      assert_true: getError expected: INVALID_VALUE. Was NO_ERROR : when calling texSubImage2D with the same texture upload with offset 1, 1 expected true got false

    • FAIL [expected PASS] subtest: WebGL test #57

      assert_true: Texture was smaller than the expected size 2x2 expected true got false

    • FAIL [expected PASS] subtest: WebGL test #59

      assert_true: getError expected: INVALID_VALUE. Was NO_ERROR : when calling texSubImage2D with the same texture upload with offset 1, 1 expected true got false

    • PASS [expected FAIL] subtest: WebGL test #61
    • PASS [expected FAIL] subtest: WebGL test #63
    • And 14 more unexpected results...
  • OK /css/css-animations/event-order.tentative.html (#39000)
    • PASS [expected FAIL] subtest: Same events on pseudo-elements follow the prescribed order
  • FAIL [expected PASS] /css/css-backgrounds/background-size-042.html
  • OK [expected ERROR] /fetch/fetch-later/quota/same-origin-iframe/multiple-iframes.https.window.html (#35176)
  • ERROR [expected OK] /fetch/metadata/window-open.https.sub.html (#40339)
  • ERROR [expected OK] /focus/focus-event-after-switching-iframes.sub.html (#40368)
  • CRASH [expected OK] /html/browsers/browsing-the-web/navigating-across-documents/005.html (#27062)
  • OK /html/browsers/browsing-the-web/navigating-across-documents/navigation-unload-cross-origin.sub.window.html (#29056)
    • PASS [expected FAIL] subtest: Cross-origin navigation started from unload handler must be ignored
  • OK /html/browsers/browsing-the-web/navigating-across-documents/navigation-unload-same-origin-fragment.html (#20768)
    • PASS [expected FAIL] subtest: Tests that a fragment navigation in the unload handler will not block the initial navigation
  • CRASH [expected OK] /html/browsers/browsing-the-web/remote-context-helper-tests/navigateToNew.window.html
  • OK /html/browsers/history/the-history-interface/traverse_the_history_2.html (#21383)
    • FAIL [expected PASS] subtest: Multiple history traversals, last would be aborted

      assert_array_equals: Pages opened during history navigation expected property 1 to be 3 but got 1 (expected array [6, 3] got [6, 1])

  • CRASH [expected OK] /html/browsers/history/the-location-interface/assign-with-nested-iframe.html
  • TIMEOUT [expected OK] /html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_other_frame_popup.sub.html (#39702)
    • TIMEOUT [expected FAIL] subtest: Sandboxed iframe can not navigate other frame's popup

      Test timed out

  • CRASH [expected OK] /imagebitmap-renderingcontext/transferFromImageBitmap-null.html
  • PASS [expected FAIL] /png/apng/fcTL-dispose-in-region-none.html
  • TIMEOUT [expected OK] /preload/modulepreload-sri.html (#43354)
    • TIMEOUT [expected PASS] subtest: Script should not be loaded if modulepreload's integrity is invalid

      Test timed out

  • OK /resource-timing/buffer-full-add-then-clear.html (#40819)
    • FAIL [expected PASS] subtest: Test that if the buffer is cleared after entries were added to the secondary buffer, those entries make it into the primary one

      assert_equals: Number of entries does not match the expected value. expected 3 but got 0

  • CRASH [expected OK] /resource-timing/render-blocking-status-link.html (#41664)
  • OK /resource-timing/test_resource_timing.html (#25720)
    • PASS [expected FAIL] subtest: PerformanceEntry has correct name, initiatorType, startTime, and duration (iframe)
  • TIMEOUT [expected OK] /trusted-types/trusted-types-navigation.html?01-05 (#38975)
    • TIMEOUT [expected PASS] subtest: Navigate a window via anchor with javascript:-urls in report-only mode.

      Test timed out

    • NOTRUN [expected PASS] subtest: Navigate a window via anchor with javascript:-urls w/ default policy in report-only mode.
    • NOTRUN [expected PASS] subtest: Navigate a frame via anchor with javascript:-urls in enforcing mode.
  • OK [expected TIMEOUT] /trusted-types/trusted-types-navigation.html?06-10 (#37920)
    • PASS [expected TIMEOUT] subtest: Navigate a frame via anchor with javascript:-urls w/ default policy in report-only mode.
    • FAIL [expected NOTRUN] subtest: Navigate a window via anchor with javascript:-urls w/ a default policy throwing an exception in enforcing mode.

      promise_test: Unhandled rejection with value: "Unexpected message received: \"No securitypolicyviolation reported!\""

    • FAIL [expected NOTRUN] subtest: Navigate a window via anchor with javascript:-urls w/ a default policy throwing an exception in report-only mode.

      promise_test: Unhandled rejection with value: "Unexpected message received: \"No securitypolicyviolation reported!\""

  • TIMEOUT /trusted-types/trusted-types-navigation.html?31-35 (#38034)
    • TIMEOUT [expected PASS] subtest: Navigate a frame via form-submission with javascript:-urls in report-only mode.

      Test timed out

    • NOTRUN [expected TIMEOUT] subtest: Navigate a frame via form-submission with javascript:-urls w/ default policy in report-only mode.
  • OK /visual-viewport/resize-event-order.html (#41981)
    • PASS [expected FAIL] subtest: Popup: DOMWindow resize fired before VisualViewport.
  • OK [expected ERROR] /webxr/render_state_update.https.html (#27535)
  • TIMEOUT [expected OK] /workers/Worker-timeout-cancel-order.html
Stable unexpected results that are known to be intermittent (16)
  • TIMEOUT /FileAPI/url/url-in-tags-revoke.window.html (#19978)
    • TIMEOUT [expected PASS] subtest: Fetching a blob URL immediately before revoking it works in <script> tags.

      Test timed out

  • FAIL [expected PASS] /_mozilla/mozilla/sslfail.html (#10760)
  • TIMEOUT [expected OK] /_mozilla/mozilla/window_resize_event.html (#36741)
    • TIMEOUT [expected PASS] subtest: Popup onresize event fires after resizeTo

      Test timed out

  • OK [expected TIMEOUT] /content-security-policy/inheritance/document-write-iframe.html (#41195)
    • PASS [expected TIMEOUT] subtest: document.open() keeps inherited CSPs on transient about:blank.
  • OK /css/css-fonts/generic-family-keywords-003.html (#38994)
    • FAIL [expected PASS] subtest: @font-face matching for quoted and unquoted sans-serif (drawing text in a canvas)

      assert_equals: quoted sans-serif matches  @font-face rule expected 125 but got 40

    • FAIL [expected PASS] subtest: @font-face matching for quoted and unquoted cursive (drawing text in a canvas)

      assert_equals: quoted cursive matches  @font-face rule expected 125 but got 40

    • PASS [expected FAIL] subtest: @font-face matching for quoted and unquoted math (drawing text in a canvas)
  • TIMEOUT [expected OK] /fetch/api/redirect/redirect-keepalive.https.any.html (#32153)
    • TIMEOUT [expected PASS] subtest: [keepalive][iframe][load] mixed content redirect; setting up

      Test timed out

  • ERROR [expected OK] /fetch/fetch-later/quota/same-origin-iframe/accumulated-oversized-payload.https.window.html (#41705)
  • OK /fetch/metadata/generated/css-font-face.https.sub.tentative.html (#32732)
    • PASS [expected FAIL] subtest: sec-fetch-storage-access - Cross-site
  • OK /html/browsers/history/the-history-interface/traverse_the_history_4.html (#21383)
    • FAIL [expected PASS] subtest: Multiple history traversals, last would be aborted

      assert_array_equals: Pages opened during history navigation expected property 1 to be 5 but got 3 (expected array [6, 5] got [6, 3])

  • OK [expected TIMEOUT] /html/interaction/focus/the-autofocus-attribute/document-with-fragment-top.html (#28259)
    • FAIL [expected TIMEOUT] subtest: Autofocus elements in top-level browsing context's documents with "top" fragments should work.

      assert_not_equals: got disallowed value Element node <body></body>

  • TIMEOUT /html/interaction/focus/the-autofocus-attribute/supported-elements.html (#24145)
    • PASS [expected TIMEOUT] subtest: Non-HTMLElement should not support autofocus
    • FAIL [expected NOTRUN] subtest: Host element with delegatesFocus should support autofocus

      assert_equals: expected Element node <div autofocus=""></div> but got Element node <body><div autofocus=""></div></body>

    • TIMEOUT [expected NOTRUN] subtest: Host element with delegatesFocus including no focusable descendants should be skipped

      Test timed out

  • OK /html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1.html (#39694)
    • PASS [expected FAIL] subtest: Meta refresh is blocked by the allow-scripts sandbox flag at its creation time, not when refresh comes due
  • OK /navigation-timing/test-navigation-type-reload.html (#33334)
    • FAIL [expected PASS] subtest: Reload domComplete > Original domComplete

      assert_true: Reload domComplete > Original domComplete expected true got false

    • FAIL [expected PASS] subtest: Reload domContentLoadedEventEnd > Original domContentLoadedEventEnd

      assert_true: Reload domContentLoadedEventEnd > Original domContentLoadedEventEnd expected true got false

    • FAIL [expected PASS] subtest: Reload domContentLoadedEventStart > Original domContentLoadedEventStart

      assert_true: Reload domContentLoadedEventStart > Original domContentLoadedEventStart expected true got false

    • FAIL [expected PASS] subtest: Reload domInteractive > Original domInteractive

      assert_true: Reload domInteractive > Original domInteractive expected true got false

    • FAIL [expected PASS] subtest: Reload fetchStart > Original fetchStart

      assert_true: Reload fetchStart > Original fetchStart expected true got false

    • FAIL [expected PASS] subtest: Reload loadEventEnd > Original loadEventEnd

      assert_true: Reload loadEventEnd > Original loadEventEnd expected true got false

    • FAIL [expected PASS] subtest: Reload loadEventStart > Original loadEventStart

      assert_true: Reload loadEventStart > Original loadEventStart expected true got false

  • TIMEOUT [expected OK] /preload/modulepreload-sri-importmap.html (#43354)
    • TIMEOUT [expected PASS] subtest: Script should not be loaded if modulepreload's integrity is invalid

      Test timed out

  • OK /resource-timing/test_resource_timing.https.html (#25216)
    • FAIL [expected PASS] subtest: PerformanceEntry has correct name, initiatorType, startTime, and duration (xmlhttprequest)

      assert_equals: expected 47.42 but got 47.41

  • OK /webaudio/the-audio-api/the-audiobuffersourcenode-interface/sub-sample-buffer-stitching.html (#22849)
    • FAIL [expected PASS] subtest: buffer-stitching-1

      assert_approx_equals: Stitched sine‑wave buffers at sample rate 44100 sample[16680] |-3183556427776 - 0.47198569774627686| = 3183556427776.472 > 0.000090957 expected 0.47198569774627686 +/- 0.000090957 but got -3183556427776

Stable unexpected results (5)
  • OK /content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.
  • OK /content-security-policy/gen/top.meta/script-src-self/script-tag.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.meta/script-src-self/script-tag.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.
  • OK /fetch/fetch-later/policies/csp-redirect-to-blocked.https.window.html
    • PASS [expected FAIL] subtest: FetchLater redirect blocked by CSP should reject

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 18, 2026

⚠️ Try run (#23268788577) failed!

@TimvdLippe TimvdLippe mentioned this pull request Mar 19, 2026
Merged
@TimvdLippe TimvdLippe added the T-linux-wpt Do a try run of the WPT label Mar 20, 2026
@github-actions github-actions Bot removed the T-linux-wpt Do a try run of the WPT label Mar 20, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 20, 2026

🔨 Triggering try run (#23341034837) for Linux (WPT)

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 20, 2026

Test results for linux-wpt from try job (#23341034837):

Flaky unexpected result (35)
  • TIMEOUT /FileAPI/url/url-in-tags-revoke.window.html (#19978)
    • TIMEOUT [expected PASS] subtest: Fetching a blob URL immediately before revoking it works in <script> tags.

      Test timed out

  • OK /FileAPI/url/url-with-fetch.any.html (#21517)
    • PASS [expected FAIL] subtest: Revoke blob URL after calling fetch, fetch should succeed
  • OK /FileAPI/url/url-with-fetch.any.worker.html (#21517)
    • FAIL [expected PASS] subtest: Revoke blob URL after calling fetch, fetch should succeed

      promise_test: Unhandled rejection with value: object "TypeError: Network error: Blob URL store error: InvalidFileID"

  • OK /_mozilla/mozilla/getBoundingClientRect.html (#39668)
    • FAIL [expected PASS] subtest: getBoundingClientRect 1

      assert_equals: expected 62 but got 60.35

  • CRASH [expected PASS] /_mozilla/shadow-dom/move-element-with-ua-shadow-tree-crash.html (#39473)
  • CRASH [expected OK] /content-security-policy/meta/sandbox-iframe.html (#43478)
  • OK /css/css-animations/event-order.tentative.html (#39000)
    • PASS [expected FAIL] subtest: Same events on pseudo-elements follow the prescribed order
  • OK /css/css-cascade/layer-cssom-order-reverse.html (#36094)
    • PASS [expected FAIL] subtest: Delete layer invalidates @font-face
  • TIMEOUT [expected OK] /fetch/api/redirect/redirect-keepalive.https.any.html (#32153)
    • TIMEOUT [expected PASS] subtest: [keepalive][iframe][load] mixed content redirect; setting up

      Test timed out

  • OK [expected ERROR] /fetch/fetch-later/quota/same-origin-iframe/sandboxed-iframe.https.window.html (#41704)
  • OK /fetch/metadata/window-open.https.sub.html (#40339)
    • FAIL [expected PASS] subtest: Cross-site window, forced, reloaded

      The operation is insecure.

  • CRASH [expected OK] /html/browsers/browsing-the-web/navigating-across-documents/005.html (#27062)
  • OK /html/browsers/browsing-the-web/navigating-across-documents/replace-before-load/a-click.html (#28697)
    • FAIL [expected PASS] subtest: aElement.click() before the load event must NOT replace

      assert_equals: expected "http://web-platform.test:8000/common/blank.html?thereplacement" but got "http://web-platform.test:8000/html/browsers/browsing-the-web/navigating-across-documents/replace-before-load/resources/code-injector.html?pipe=sub(none)&code=%0A%20%20%20%20const%20a%20%3D%20document.createElement(%22a%22)%3B%0A%20%20%20%20a.href%20%3D%20%22%2Fcommon%2Fblank.html%3Fthereplacement%22%3B%0A%20%20%20%20document.currentScript.before(a)%3B%0A%20%20%20%20a.click()%3B%0A%20%20"

  • CRASH [expected OK] /html/browsers/history/the-location-interface/location-symbol-toprimitive.html
  • TIMEOUT [expected OK] /html/interaction/focus/the-autofocus-attribute/autofocus-dialog.html (#29087)
    • TIMEOUT [expected FAIL] subtest: <dialog>-contained autofocus element gets focused when the dialog is shown

      Test timed out

  • OK /html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2.html (#39703)
    • FAIL [expected PASS] subtest: Meta refresh of the original iframe is not blocked if moved into a sandboxed iframe

      uncaught exception: Error: assert_unreached: The iframe into which the meta was moved must not refresh Reached unreachable code

  • TIMEOUT [expected OK] /html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_other_frame_popup.sub.html (#39702)
    • TIMEOUT [expected FAIL] subtest: Sandboxed iframe can not navigate other frame's popup

      Test timed out

  • CRASH [expected ERROR] /html/semantics/forms/the-select-element/customizable-select/select-appearance-button-after-span.html
  • TIMEOUT [expected OK] /html/user-activation/navigation-state-reset-sameorigin.html
    • TIMEOUT [expected PASS] subtest: Post-navigation state reset.

      Test timed out

  • CRASH [expected OK] /html/webappapis/scripting/processing-model-2/window-onerror-with-cross-frame-event-listeners-5.html
  • OK /mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html (#41135)
    • FAIL [expected PASS] subtest: Video autoupgraded

      assert_equals: Length. expected 1 but got Infinity

    • FAIL [expected PASS] subtest: Video of other host autoupgraded

      assert_equals: Length. Other host expected 1 but got Infinity

  • OK /preload/link-header-preload-delay-onload.html (#39622)
    • FAIL [expected PASS] subtest: Makes sure that Link headers preload resources and block window.onload after resource discovery

      assert_true: expected true got false

  • TIMEOUT [expected OK] /preload/modulepreload-sri-importmap.html (#43354)
    • TIMEOUT [expected PASS] subtest: Script should not be loaded if modulepreload's integrity is invalid

      Test timed out

  • TIMEOUT [expected OK] /resource-timing/entries-for-network-errors.sub.https.html
    • TIMEOUT [expected FAIL] subtest: A ResourceTiming entry should be created for network error of type Mixed content

      Test timed out

    • NOTRUN [expected FAIL] subtest: A ResourceTiming entry should be created for network error of type only-if-cached resource that was not cached
    • NOTRUN [expected FAIL] subtest: A ResourceTiming entry should be created for network error of type too many redirects
    • NOTRUN [expected FAIL] subtest: A ResourceTiming entry should be created for network error of type network error for ORB-blocked response
  • OK /touch-events/single-tap-when-touchend-listener-use-sync-xhr.html (#41175)
    • FAIL [expected PASS] subtest: Click event should be fired when touchend opens synchronous XHR

      assert_equals: expected "touchend@div, mousedown@div, mouseup@div, click@div" but got "touchend@div, mousedown@div"

  • TIMEOUT [expected OK] /trusted-types/trusted-types-navigation.html?01-05 (#38975)
    • TIMEOUT [expected PASS] subtest: Navigate a window via anchor with javascript:-urls in report-only mode.

      Test timed out

    • NOTRUN [expected PASS] subtest: Navigate a window via anchor with javascript:-urls w/ default policy in report-only mode.
    • NOTRUN [expected PASS] subtest: Navigate a frame via anchor with javascript:-urls in enforcing mode.
  • OK [expected TIMEOUT] /trusted-types/trusted-types-navigation.html?06-10 (#37920)
    • PASS [expected FAIL] subtest: Navigate a frame via anchor with javascript:-urls in report-only mode.
    • PASS [expected TIMEOUT] subtest: Navigate a frame via anchor with javascript:-urls w/ default policy in report-only mode.
    • FAIL [expected NOTRUN] subtest: Navigate a window via anchor with javascript:-urls w/ a default policy throwing an exception in enforcing mode.

      promise_test: Unhandled rejection with value: "Unexpected message received: \"No securitypolicyviolation reported!\""

    • FAIL [expected NOTRUN] subtest: Navigate a window via anchor with javascript:-urls w/ a default policy throwing an exception in report-only mode.

      promise_test: Unhandled rejection with value: "Unexpected message received: \"No securitypolicyviolation reported!\""

  • OK /webdriver/tests/classic/element_click/navigate.py
    • FAIL [expected PASS] subtest: test_numbers_link

      webdriver.error.NoSuchWindowException: no such window (404): No such window

  • OK /webdriver/tests/classic/execute_async_script/promise.py
    • FAIL [expected PASS] subtest: test_promise_resolve

      AssertionError: no such window (404): No such window

  • OK /webdriver/tests/classic/execute_async_script/user_prompts.py
    • FAIL [expected PASS] subtest: test_accept[alert-None]

      webdriver.error.NoSuchWindowException: no such window (404): No such window

  • OK /webdriver/tests/classic/find_element_from_shadow_root/find.py
    • FAIL [expected PASS] subtest: test_null_parameter_value

      webdriver.error.NoSuchWindowException: no such window (404): No such window

  • OK /webdriver/tests/classic/get_alert_text/get.py
    • ERROR [expected PASS] subtest: test_no_top_browsing_context

      setup error: webdriver.error.NoSuchWindowException: no such window (404): No such window

  • OK /webdriver/tests/classic/get_computed_role/get.py
    • ERROR [expected FAIL] subtest: test_no_browsing_context

      setup error: webdriver.error.NoSuchElementException: no such element (404)

  • OK /webdriver/tests/classic/get_title/user_prompts.py
    • FAIL [expected PASS] subtest: test_accept[alert-None]

      webdriver.error.NoSuchWindowException: no such window (404)

  • OK [expected ERROR] /webxr/render_state_update.https.html (#27535)
Stable unexpected results that are known to be intermittent (17)
  • FAIL [expected PASS] /_mozilla/mozilla/sslfail.html (#10760)
  • TIMEOUT [expected OK] /_mozilla/mozilla/window_resize_event.html (#36741)
    • TIMEOUT [expected PASS] subtest: Popup onresize event fires after resizeTo

      Test timed out

  • OK [expected TIMEOUT] /content-security-policy/inheritance/document-write-iframe.html (#41195)
    • PASS [expected TIMEOUT] subtest: document.open() keeps inherited CSPs on transient about:blank.
  • OK /css/css-cascade/layer-font-face-override.html (#35935)
    • PASS [expected FAIL] subtest: @font-face override update with appended sheet 1
    • PASS [expected FAIL] subtest: @font-face override update with appended sheet 2
  • OK /css/css-fonts/generic-family-keywords-003.html (#38994)
    • FAIL [expected PASS] subtest: @font-face matching for quoted and unquoted sans-serif (drawing text in a canvas)

      assert_equals: quoted sans-serif matches  @font-face rule expected 125 but got 40

    • PASS [expected FAIL] subtest: @font-face matching for quoted and unquoted generic(kai) (drawing text in a canvas)
  • OK /fetch/metadata/generated/css-font-face.https.sub.tentative.html (#32732)
    • PASS [expected FAIL] subtest: sec-fetch-dest
    • PASS [expected FAIL] subtest: sec-fetch-user
  • OK /html/browsers/browsing-the-web/navigating-across-documents/navigation-unload-cross-origin.sub.window.html (#29056)
    • PASS [expected FAIL] subtest: Cross-origin navigation started from unload handler must be ignored
  • OK /html/browsers/history/the-history-interface/traverse_the_history_2.html (#21383)
    • FAIL [expected PASS] subtest: Multiple history traversals, last would be aborted

      assert_array_equals: Pages opened during history navigation expected property 1 to be 3 but got 2 (expected array [6, 3] got [6, 2])

  • OK /html/browsers/history/the-history-interface/traverse_the_history_4.html (#21383)
    • FAIL [expected PASS] subtest: Multiple history traversals, last would be aborted

      assert_array_equals: Pages opened during history navigation expected property 1 to be 5 but got 3 (expected array [6, 5] got [6, 3])

  • OK [expected TIMEOUT] /html/interaction/focus/the-autofocus-attribute/document-with-fragment-top.html (#28259)
    • FAIL [expected TIMEOUT] subtest: Autofocus elements in top-level browsing context's documents with "top" fragments should work.

      assert_not_equals: got disallowed value Element node <body></body>

  • TIMEOUT /html/interaction/focus/the-autofocus-attribute/supported-elements.html (#24145)
    • TIMEOUT [expected FAIL] subtest: Element with tabindex should support autofocus

      Test timed out

    • NOTRUN [expected TIMEOUT] subtest: Non-HTMLElement should not support autofocus
  • OK /navigation-timing/test-navigation-type-reload.html (#33334)
    • FAIL [expected PASS] subtest: Reload domComplete > Original domComplete

      assert_true: Reload domComplete > Original domComplete expected true got false

    • FAIL [expected PASS] subtest: Reload domInteractive > Original domInteractive

      assert_true: Reload domInteractive > Original domInteractive expected true got false

    • FAIL [expected PASS] subtest: Reload fetchStart > Original fetchStart

      assert_true: Reload fetchStart > Original fetchStart expected true got false

    • FAIL [expected PASS] subtest: Reload loadEventEnd > Original loadEventEnd

      assert_true: Reload loadEventEnd > Original loadEventEnd expected true got false

    • FAIL [expected PASS] subtest: Reload loadEventStart > Original loadEventStart

      assert_true: Reload loadEventStart > Original loadEventStart expected true got false

  • OK /resource-timing/buffer-full-add-then-clear.html (#40819)
    • FAIL [expected PASS] subtest: Test that if the buffer is cleared after entries were added to the secondary buffer, those entries make it into the primary one

      assert_equals: Number of entries does not match the expected value. expected 3 but got 0

  • CRASH [expected OK] /resource-timing/render-blocking-status-link.html (#41664)
  • OK /resource-timing/test_resource_timing.html (#25720)
    • PASS [expected FAIL] subtest: PerformanceEntry has correct name, initiatorType, startTime, and duration (xmlhttprequest)
  • OK /resource-timing/test_resource_timing.https.html (#25216)
    • FAIL [expected PASS] subtest: PerformanceEntry has correct name, initiatorType, startTime, and duration (xmlhttprequest)

      assert_equals: expected 66.50999999999999 but got 66.51

  • OK /webaudio/the-audio-api/the-audiobuffersourcenode-interface/sub-sample-buffer-stitching.html (#22849)
    • FAIL [expected PASS] subtest: buffer-stitching-1

      assert_approx_equals: Stitched sine‑wave buffers at sample rate 44100 sample[16680] |726.8916015625 - 0.47198569774627686| = 726.4196158647537 > 0.000090957 expected 0.47198569774627686 +/- 0.000090957 but got 726.8916015625

    • FAIL [expected PASS] subtest: buffer-stitching-2

      assert_approx_equals: Stitched sine‑wave buffers at sample rate 43800 sample[15738] |49.45671081542969 - 0.1448143869638443| = 49.31189642846584 > 0.0038986 expected 0.1448143869638443 +/- 0.0038986 but got 49.45671081542969

Stable unexpected results (8)
  • OK /content-security-policy/gen/top.http-rp/script-src-self/worker-import.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.http-rp/script-src-self/worker-import.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.
  • OK /content-security-policy/gen/top.http-rp/worker-src-self/worker-import.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.http-rp/worker-src-self/worker-import.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.
  • OK /content-security-policy/gen/top.meta/script-src-self/worker-import.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.meta/script-src-self/worker-import.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.
  • OK /content-security-policy/gen/top.meta/worker-src-self/worker-import.http.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-http origin and swap-origin redirection from http context.
  • OK /content-security-policy/gen/top.meta/worker-src-self/worker-import.https.html
    • PASS [expected FAIL] subtest: Content Security Policy: Expects blocked for worker-import to same-https origin and swap-origin redirection from https context.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 20, 2026

⚠️ Try run (#23341034837) failed!

mrobinson
mrobinson approved these changes Mar 20, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mrobinson mrobinson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good as soon as the content-security-policy crate is ready.

@TimvdLippe
script: Fix current URL for CSP requests
fb3596b 
The CSP crate was incorrectly using the request URL for both
checking if policies were matching, as well as reporting that
URL. However, the CSP specification uses the current URL to
check for policies and the url for reporting a violation.

Therefore, set the new current_url field for these requests,
leaving the ws scheme URLs as a special case. We also should
take redirects into account for navigations (which is only
relevant for forms), but LoadData currently has no notion of
keeping track of that.

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
@TimvdLippe TimvdLippe marked this pull request as ready for review March 22, 2026 09:19
@TimvdLippe TimvdLippe requested a review from gterzian as a code owner March 22, 2026 09:19
@servo-highfive servo-highfive added the S-awaiting-review There is new code that needs to be reviewed. label Mar 22, 2026
@TimvdLippe TimvdLippe enabled auto-merge March 22, 2026 09:19
@TimvdLippe TimvdLippe added this pull request to the merge queue Mar 22, 2026
@servo-highfive servo-highfive added the S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. label Mar 22, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Mar 22, 2026
@servo-highfive servo-highfive added S-tests-failed The changes caused existing tests to fail. and removed S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. labels Mar 22, 2026
@TimvdLippe TimvdLippe added this pull request to the merge queue Mar 22, 2026
@servo-highfive servo-highfive added S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. and removed S-tests-failed The changes caused existing tests to fail. labels Mar 22, 2026
Merged via the queue into servo:main with commit 7b9b75c Mar 22, 2026
39 checks passed
@TimvdLippe TimvdLippe deleted the fix-csp-redirects branch March 22, 2026 11:52
@servo-highfive servo-highfive removed the S-awaiting-merge The PR is in the process of compiling and running tests on the automated CI. label Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrobinson mrobinson mrobinson approved these changes

@gterzian gterzian Awaiting requested review from gterzian gterzian is a code owner

Assignees

No one assigned

Labels

S-awaiting-review There is new code that needs to be reviewed.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TimvdLippe @mrobinson @servo-highfive