Check CSP for inline event handlers (#36510)

This also ensures that document now reports all violations and we set the correct directive. With these changes, all `script-src-attr-elem` WPT tests pass. Part of #36437 Requires servo/rust-content-security-policy#3 to land first Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-06-06 16:45:39 +00:00 · 2025-04-17 23:11:25 +02:00 · 2025-04-17 23:11:25 +02:00 · 2a81987590
commit 2a81987590
parent 70b3e24816
64 changed files with 58 additions and 569 deletions
--- a/components/script/dom/document.rs
+++ b/components/script/dom/document.rs
@ -4017,13 +4017,18 @@ impl Document {
                .get_attribute(&ns!(), &local_name!("nonce"))
                .map(|attr| Cow::Owned(attr.value().to_string())),
        };
-        // TODO: Instead of ignoring violations, report them.
-        self.get_csp_list()
-            .map(|c| {
-                c.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
-                    .0
-            })
-            .unwrap_or(csp::CheckResult::Allowed)
+        let (result, violations) = match self.get_csp_list() {
+            None => {
+                return csp::CheckResult::Allowed;
+            },
+            Some(csp_list) => {
+                csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
+            },
+        };
+
+        self.global().report_csp_violations(violations);
+
+        result
    }

    /// Prevent any JS or layout from running until the corresponding call to