https://wpt.fyi/results/content-security-policy/frame-src/frame-src-blocked-path-matching.sub.html?label=experimental&label=master&aligned asserts the following:
```javascript
// The page's CSP blocks this frame; the handler checks what the violation reports.
frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/";
window.addEventListener('securitypolicyviolation', t.step_func_done(e => {
  assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}");
  assert_equals(e.effectiveDirective, "frame-src");
}), { once: true });
```
Servo implements the spec and does not pass this testcase. The reason is that `blockedURI` in Servo results in `https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/` instead of only the domain. I couldn't find any place in the spec that explains why we should do that, other than https://w3c.github.io/webappsec-csp/#source-list-paths-and-redirects. Here both cross-origin and paths are mentioned, but in the context of redirects. The testcase does not use redirects.
That said, all browsers are passing this test. Therefore, should we update the spec to handle this case, or update the test according to the spec?
To me, this assertion feels wrong: why would we change the URL reported, if the original URL is the one we always return? That's what other directives do, so why would `frame-src` do something different?