Check CSP for inline event handlers (#36510)

This also ensures that document now reports all violations and we set the correct directive. With these changes, all `script-src-attr-elem` WPT tests pass. Part of #36437 Requires servo/rust-content-security-policy#3 to land first Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-07-24 15:50:21 +01:00 · 2025-04-17 23:11:25 +02:00 · 2025-04-17 23:11:25 +02:00 · 2a81987590
commit 2a81987590
parent 70b3e24816
64 changed files with 58 additions and 569 deletions
--- a/components/script/dom/eventtarget.rs
+++ b/components/script/dom/eventtarget.rs
@ -11,6 +11,7 @@ use std::mem;
 use std::ops::{Deref, DerefMut};
 use std::rc::Rc;

+use content_security_policy as csp;
 use deny_public_fields::DenyPublicFields;
 use dom_struct::dom_struct;
 use fnv::FnvHasher;
@ -551,9 +552,25 @@ impl EventTarget {
        url: ServoUrl,
        line: usize,
        ty: &str,
-        source: DOMString,
+        source: &str,
    ) {
-        let handler = InternalRawUncompiledHandler { source, line, url };
+        if let Some(element) = self.downcast::<Element>() {
+            let doc = element.owner_document();
+            if doc.should_elements_inline_type_behavior_be_blocked(
+                element.upcast(),
+                csp::InlineCheckType::ScriptAttribute,
+                source,
+            ) == csp::CheckResult::Blocked
+            {
+                return;
+            }
+        };
+
+        let handler = InternalRawUncompiledHandler {
+            source: DOMString::from(source),
+            line,
+            url,
+        };
        self.set_inline_event_listener(
            Atom::from(ty),
            Some(InlineEventListener::Uncompiled(handler)),