Inherit CSP for blob workers (#38033)

Workers created from Blobs inherit their CSP. Now we inherit the CSP and set the correct base API url. The base API url should be used when determining the report-uri endpoint. Otherwise, the blob URL would be used as a base, which is invalid and the report wouldn't be sent. Also create a helper method to concatenate two optionals of CSPList, which was used in several places. Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-08-06 22:15:33 +01:00 · 2025-07-17 10:14:20 +02:00 · 2025-07-17 10:14:20 +02:00 · 18d1a62add
commit 18d1a62add
parent 439cb00e31
27 changed files with 116 additions and 236 deletions
--- a/components/script/dom/dedicatedworkerglobalscope.rs
+++ b/components/script/dom/dedicatedworkerglobalscope.rs
@ -11,18 +11,19 @@ use constellation_traits::{WorkerGlobalScopeInit, WorkerScriptLoadOrigin};
 use crossbeam_channel::{Receiver, Sender, unbounded};
 use devtools_traits::{DevtoolScriptControlMsg, ScriptToDevtoolsControlMsg, SourceInfo};
 use dom_struct::dom_struct;
+use headers::{HeaderMapExt, ReferrerPolicy as ReferrerPolicyHeader};
 use ipc_channel::ipc::IpcReceiver;
 use ipc_channel::router::ROUTER;
 use js::jsapi::{Heap, JS_AddInterruptCallback, JSContext, JSObject};
 use js::jsval::UndefinedValue;
 use js::rust::{CustomAutoRooter, CustomAutoRooterGuard, HandleValue};
-use net_traits::IpcSend;
 use net_traits::image_cache::ImageCache;
 use net_traits::policy_container::PolicyContainer;
 use net_traits::request::{
    CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata, Referrer, RequestBuilder,
    RequestMode,
 };
+use net_traits::{IpcSend, Metadata};
 use servo_rand::random;
 use servo_url::{ImmutableOrigin, ServoUrl};
 use style::thread_state::{self, ThreadState};
@ -393,7 +394,7 @@ impl DedicatedWorkerGlobalScope {
                    .referrer_policy(referrer_policy)
                    .insecure_requests_policy(insecure_requests_policy)
                    .has_trustworthy_ancestor_origin(current_global_ancestor_trustworthy)
-                    .policy_container(policy_container)
+                    .policy_container(policy_container.clone())
                    .origin(origin);

                let runtime = unsafe {
@ -481,7 +482,11 @@ impl DedicatedWorkerGlobalScope {
                    Ok((metadata, bytes)) => (metadata, bytes),
                };
                scope.set_url(metadata.final_url.clone());
-                scope.set_csp_list(parse_csp_list_from_metadata(&metadata.headers));
+                Self::initialize_policy_container_for_worker_global_scope(
+                    scope,
+                    &metadata,
+                    &policy_container,
+                );
                scope.set_endpoints_list(ReportingEndpoint::parse_reporting_endpoints_header(
                    &metadata.final_url.clone(),
                    &metadata.headers,
@ -549,6 +554,39 @@ impl DedicatedWorkerGlobalScope {
            .expect("Thread spawning failed")
    }

+    /// <https://html.spec.whatwg.org/multipage/#initialize-worker-policy-container> and
+    /// <https://html.spec.whatwg.org/multipage/#creating-a-policy-container-from-a-fetch-response>
+    fn initialize_policy_container_for_worker_global_scope(
+        scope: &WorkerGlobalScope,
+        metadata: &Metadata,
+        parent_policy_container: &PolicyContainer,
+    ) {
+        // Step 1. If workerGlobalScope's url is local but its scheme is not "blob":
+        //
+        // Note that we also allow for blob here, as the parent_policy_container is in both cases
+        // the container that we need to clone.
+        if metadata.final_url.is_local_scheme() {
+            // Step 1.2. Set workerGlobalScope's policy container to a clone of workerGlobalScope's
+            // owner set[0]'s relevant settings object's policy container.
+            //
+            // Step 1. If response's URL's scheme is "blob", then return a clone of response's URL's
+            // blob URL entry's environment's policy container.
+            scope.set_csp_list(parent_policy_container.csp_list.clone());
+            scope.set_referrer_policy(parent_policy_container.get_referrer_policy());
+            return;
+        }
+        // Step 3. Set result's CSP list to the result of parsing a response's Content Security Policies given response.
+        scope.set_csp_list(parse_csp_list_from_metadata(&metadata.headers));
+        // Step 5. Set result's referrer policy to the result of parsing the `Referrer-Policy`
+        // header given response. [REFERRERPOLICY]
+        let referrer_policy = metadata
+            .headers
+            .as_ref()
+            .and_then(|headers| headers.typed_get::<ReferrerPolicyHeader>())
+            .into();
+        scope.set_referrer_policy(referrer_policy);
+    }
+
    /// The non-None value of the `worker` field can contain a rooted [`TrustedWorkerAddress`]
    /// version of the main thread's worker object. This is set while handling messages and then
    /// unset otherwise, ensuring that the main thread object can be garbage collected. See