diff --git a/components/script/dom/csp.rs b/components/script/dom/csp.rs index f9e552cf1b5..b7eb2a4d5bb 100644 --- a/components/script/dom/csp.rs +++ b/components/script/dom/csp.rs @@ -13,7 +13,7 @@ use content_security_policy::{ CheckResult, CspList, Destination, Element as CspElement, Initiator, NavigationCheckType, Origin, ParserMetadata, PolicyDisposition, PolicySource, Request, ViolationResource, }; -use http::HeaderMap; +use http::header::{HeaderMap, HeaderValue, ValueIter}; use hyper_serde::Serde; use js::rust::describe_scripted_caller; @@ -233,6 +233,9 @@ impl GlobalCspReporting for GlobalScope { element: Option<&Element>, source_position: Option, ) { + if violations.is_empty() { + return; + } let source_position = source_position.unwrap_or_else(compute_scripted_caller_source_position); for violation in violations { 
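Review bot: The new early return on `violations.is_empty()` carries no comment saying why it is worth a special case; the only work it visibly skips is the `source_position.unwrap_or_else(compute_scripted_caller_source_position)` fallback on the following line, so a one-liner such as `// Nothing to report: skip the scripted-caller lookup below.` would record the intent for the next reader. The enclosing method's signature and the remainder of its body lie outside the hunk, so I cannot tell whether the loop that follows had other side effects for an empty list.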
@@ -297,35 +300,43 @@ impl GlobalCspReporting for GlobalScope { } } -/// -pub(crate) fn parse_csp_list_from_metadata(headers: &Option>) -> Option { - // TODO: Implement step 1 (local scheme special case) - let headers = headers.as_ref()?; - let mut csp = headers.get_all("content-security-policy").iter(); - // This silently ignores the CSP if it contains invalid Unicode. - // We should probably report an error somewhere. - let c = csp.next().and_then(|c| c.to_str().ok())?; - let mut csp_list = CspList::parse(c, PolicySource::Header, PolicyDisposition::Enforce); - for c in csp { - let c = c.to_str().ok()?; - csp_list.append(CspList::parse( - c, - PolicySource::Header, - PolicyDisposition::Enforce, - )); +fn parse_and_potentially_append_to_csp_list( + old_csp_list: Option, + csp_header_iter: ValueIter, + disposition: PolicyDisposition, +) -> Option { + let mut csp_list = old_csp_list; + for header in csp_header_iter { + // This silently ignores the CSP if it contains invalid Unicode. + // We should probably report an error somewhere. + let new_csp_list = header + .to_str() + .ok() + .map(|value| CspList::parse(value, PolicySource::Header, disposition)); + if let Some(new_csp_list_value) = new_csp_list { + match csp_list { + None => csp_list = Some(new_csp_list_value), + Some(ref mut csp_list) => csp_list.append(new_csp_list_value), + }; + } } - let csp_report = headers - .get_all("content-security-policy-report-only") - .iter(); - // This silently ignores the CSP if it contains invalid Unicode. - // We should probably report an error somewhere. 
- for c in csp_report { - let c = c.to_str().ok()?; - csp_list.append(CspList::parse( - c, - PolicySource::Header, - PolicyDisposition::Report, - )); - } - Some(csp_list) + csp_list +} + +/// +pub(crate) fn parse_csp_list_from_metadata(headers: &Option>) -> Option { + let headers = headers.as_ref()?; + let csp_enforce_list = parse_and_potentially_append_to_csp_list( + None, + headers.get_all("content-security-policy").iter(), + PolicyDisposition::Enforce, + ); + + parse_and_potentially_append_to_csp_list( + csp_enforce_list, + headers + .get_all("content-security-policy-report-only") + .iter(), + PolicyDisposition::Report, + ) } diff --git a/tests/wpt/meta/MANIFEST.json b/tests/wpt/meta/MANIFEST.json index 9f360b37172..f439e74f0ff 100644 --- a/tests/wpt/meta/MANIFEST.json +++ b/tests/wpt/meta/MANIFEST.json @@ -577733,7 +577733,7 @@ ] ], "reporting-api-report-only-sends-reports-on-violation.https.sub.html": [ - "302025669d4417db670b6ebba18a6a49aed4e2eb", + "89e7357fbb9022cc9d068054151a9bf87d846276", [ null, {} diff --git a/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini b/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini index cb18d19fb52..a230032e64c 100644 --- a/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini +++ b/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini @@ -1,16 +1,7 @@ [dedicatedworker-report-only.html] expected: TIMEOUT - [Cross-origin 'fetch()'.] - expected: TIMEOUT - - [Cross-origin XHR.] - expected: NOTRUN - - [Same-origin => cross-origin 'fetch()'.] - expected: NOTRUN - [WebSocket.] - expected: NOTRUN + expected: TIMEOUT [connect-src-self-report-only] expected: NOTRUN 
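Review bot: The removed `// TODO: Implement step 1 (local scheme special case)` has no counterpart in the new `parse_csp_list_from_metadata`, and nothing in the hunk implements that step, so unless it is handled elsewhere the reminder should be carried into the new function's doc comment (the `///` line above it appears empty here). The inherited comment in `parse_and_potentially_append_to_csp_list` is also inaccurate now: `HeaderValue::to_str` fails for any byte outside visible ASCII, not only invalid Unicode, and the loop now skips just that header value and keeps the others, whereas the old `?` returned `None` for the whole response — I would document the helper as `/// Parses every value of one CSP header and appends it to `old_csp_list`; values that are not visible ASCII are skipped.` The shadowing in `Some(ref mut csp_list) => csp_list.append(new_csp_list_value)` is hard to read; renaming the inner binding, `Some(ref mut existing) => existing.append(new_csp_list_value),`, and replacing the `.ok().map(...)` plus `if let` with `let Ok(value) = header.to_str() else { continue };` would keep the behaviour and make the skip explicit. Both functions are fully contained in the hunk.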
diff --git a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini b/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini deleted file mode 100644 index 215ef61c88a..00000000000 --- a/tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini +++ /dev/null @@ -1,7 +0,0 @@ -[reporting-api-report-only-sends-reports-on-violation.https.sub.html] - expected: TIMEOUT - [Event is fired] - expected: TIMEOUT - - [Violation report status OK.] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini b/tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini deleted file mode 100644 index b691cd78d4f..00000000000 --- a/tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[multiple-report-policies.html] - [2-Violation report status OK] - expected: FAIL - - [1-Violation report status OK] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini index 5b221057d2f..e71e730e6b8 100644 --- a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini +++ b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini @@ -1,6 +1,3 @@ [report-multiple-violations-01.html] - [Violation report status OK.] - expected: FAIL - [Test number of sent reports.] expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini index 9934866aef7..e80a84c2a91 100644 
--- a/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini +++ b/tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini @@ -1,6 +1,3 @@ [report-multiple-violations-02.html] - [Violation report status OK.] - expected: FAIL - [Test number of sent reports.] expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini b/tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini deleted file mode 100644 index 0c3690b9bec..00000000000 --- a/tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[report-only-unsafe-eval.html] - [SPV event is still raised] - expected: FAIL - - [Violation report status OK.] - expected: FAIL diff --git a/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini b/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini deleted file mode 100644 index e0ac35d5d2d..00000000000 --- a/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini +++ /dev/null @@ -1,3 +0,0 @@ -[eval-allowed-in-report-only-mode-and-sends-report.html] - [Violation report status OK.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/default-policy-report-only.html.ini b/tests/wpt/meta/trusted-types/default-policy-report-only.html.ini deleted file mode 100644 index 9e3da0bd494..00000000000 --- a/tests/wpt/meta/trusted-types/default-policy-report-only.html.ini +++ /dev/null 
@@ -1,31 +0,0 @@ -[default-policy-report-only.html] - expected: TIMEOUT - [Count SecurityPolicyViolation events.] - expected: TIMEOUT - - [script.src default] - expected: FAIL - - [script.src throw] - expected: FAIL - - [script.src typeerror] - expected: FAIL - - [div.innerHTML default] - expected: FAIL - - [div.innerHTML throw] - expected: FAIL - - [div.innerHTML typeerror] - expected: FAIL - - [script.text default] - expected: FAIL - - [script.text throw] - expected: FAIL - - [script.text typeerror] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/empty-default-policy-report-only.html.ini b/tests/wpt/meta/trusted-types/empty-default-policy-report-only.html.ini deleted file mode 100644 index 4400ae8a1b3..00000000000 --- a/tests/wpt/meta/trusted-types/empty-default-policy-report-only.html.ini +++ /dev/null @@ -1,4 +0,0 @@ -[empty-default-policy-report-only.html] - expected: TIMEOUT - [Count SecurityPolicyViolation events.] - expected: TIMEOUT diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini index 65aaf704101..11b8c617d21 100644 --- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini +++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini @@ -18,8 +18,5 @@ [invalid directive "trusted-type _TTP" (no ascii whitespace)] expected: NOTRUN - [non-ASCII trusted-types directives are discarded ("polĂ­tica")] - expected: TIMEOUT - [directive "trusted-type _TTP1_%09_TTP2_%0A%20_TTP3_%0C_TTP4_%0D_TTP5_%20_TTP6_" (required-ascii-whitespace)] - expected: NOTRUN + expected: TIMEOUT 
diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-DedicatedWorker-create-policy.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-DedicatedWorker-create-policy.html.ini deleted file mode 100644 index ae3da9755b3..00000000000 --- a/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-DedicatedWorker-create-policy.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[trusted-types-reporting-check-report-DedicatedWorker-create-policy.html] - [Test report-uri works with trusted-types violation.] - expected: FAIL - - [Test number of sent reports.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-Window-create-policy.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-Window-create-policy.html.ini deleted file mode 100644 index 1e52ae28724..00000000000 --- a/tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-Window-create-policy.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[trusted-types-reporting-check-report-Window-create-policy.html] - [Test report-uri works with trusted-types violation.] - expected: FAIL - - [Test number of sent reports.] - expected: FAIL diff --git a/tests/wpt/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html b/tests/wpt/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html index 302025669d4..89e7357fbb9 100644 --- a/tests/wpt/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html +++ b/tests/wpt/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html @@ -7,16 +7,16 @@ -