Check CSP for inline event handlers (#36510)

This also ensures that the document now reports all violations and that we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437 

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-04-17 23:11:25 +02:00 committed by GitHub
parent 70b3e24816
commit 2a81987590
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
64 changed files with 58 additions and 569 deletions


@ -3450,12 +3450,15 @@ impl GlobalScope {
pub(crate) fn report_csp_violations(&self, violations: Vec<Violation>) {
for violation in violations {
let sample = match violation.resource {
ViolationResource::Inline { .. } | ViolationResource::Url(_) => None,
ViolationResource::TrustedTypePolicy { sample } => Some(sample),
let (sample, resource) = match violation.resource {
ViolationResource::Inline { .. } => (None, "inline".to_owned()),
ViolationResource::Url(url) => (None, url.into()),
ViolationResource::TrustedTypePolicy { sample } => {
(Some(sample), "trusted-types-policy".to_owned())
},
};
let report = CSPViolationReportBuilder::default()
.resource("eval".to_owned())
.resource(resource)
.sample(sample)
.effective_directive(violation.directive.name)
.build(self);