Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-07-19 13:23:46 +01:00
Code Issues Projects Releases Packages Wiki Activity

Inherit CSP for blob workers (#38033)

Browse source 
Workers created from Blobs inherit their CSP. Now we inherit the CSP and
set the correct base API url. The base API url should be used when
determining the
report-uri endpoint. Otherwise, the blob URL would be used as a base,
which is invalid and the report wouldn't be sent.

Also create a helper method to concatenate two optionals of CSPList,
which was used in several places.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-07-17 10:14:20 +02:00 committed by GitHub
parent 439cb00e31
commit 18d1a62add
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 116 additions and 236 deletions
Download patch file Download diff file Expand all files Collapse all files

10
components/script/security_manager.rs
View file

@ -19,7 +19,7 @@ use crate::conversions::Convert;
use crate::dom::bindings::inheritance::Castable;
use crate::dom::bindings::refcounted::Trusted;
use crate::dom::bindings::root::DomRoot;
use crate::dom::csp::{GlobalCspReporting, Violation};
use crate::dom::csp::Violation;
use crate::dom::csppolicyviolationreport::{
CSPReportUriViolationReport, SecurityPolicyViolationReport,
};
@ -99,6 +99,9 @@ impl CSPViolationReportTask {
for token in &report_uri_directive.value {
// Step 3.4.2.1. Let endpoint be the result of executing the URL parser with token as the input,
// and violations url as the base URL.
//
// TODO: Figure out if this should be the URL of the containing document or not in case
// the url points to a blob
let Ok(endpoint) = ServoUrl::parse_with_base(Some(&global.get_url()), token) else {
// Step 3.4.2.2. If endpoint is not a valid URL, skip the remaining substeps.
continue;
@ -224,10 +227,7 @@ impl FetchResponseListener for CSPReportUriFetchListener {
submit_timing(self, CanGc::note())
}
fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<Violation>) {
let global = &self.resource_timing_global();
global.report_csp_violations(violations, None, None);
}
fn process_csp_violations(&mut self, _request_id: RequestId, _violations: Vec<Violation>) {}
}
impl ResourceTimingListener for CSPReportUriFetchListener {