Implement is-element-nonceable (#36961)

Unfortunately while it now passes almost all cases in `tests/wpt/tests/content-security-policy/script-src/nonce-enforce-blocked.html`, the test in question doesn't pass yet as it requires all cases to be correct. Here, we still miss the "check for duplicate attributes during parsing". Since we don't have this information available yet from the parser, skip this for now. Part of #36437 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-06-06 16:45:39 +00:00 · 2025-05-11 17:38:13 +02:00 · 2025-05-11 17:38:13 +02:00 · 4821bc0ab0
commit 4821bc0ab0
parent dc0e7587bf
3 changed files with 30 additions and 6 deletions
--- a/components/script/dom/element.rs
+++ b/components/script/dom/element.rs
@ -125,6 +125,7 @@ use crate::dom::htmllinkelement::HTMLLinkElement;
 use crate::dom::htmlobjectelement::HTMLObjectElement;
 use crate::dom::htmloptgroupelement::HTMLOptGroupElement;
 use crate::dom::htmloutputelement::HTMLOutputElement;
+use crate::dom::htmlscriptelement::HTMLScriptElement;
 use crate::dom::htmlselectelement::HTMLSelectElement;
 use crate::dom::htmlslotelement::{HTMLSlotElement, Slottable};
 use crate::dom::htmlstyleelement::HTMLStyleElement;
@ -2174,6 +2175,34 @@ impl Element {
        };
    }

+    /// <https://www.w3.org/TR/CSP/#is-element-nonceable>
+    pub(crate) fn nonce_attribute_if_nonceable(&self) -> Option<String> {
+        // Step 1: If element does not have an attribute named "nonce", return "Not Nonceable".
+        let nonce_attribute = self.get_attribute(&ns!(), &local_name!("nonce"))?;
+        // Step 2: If element is a script element, then for each attribute of element’s attribute list:
+        if self.downcast::<HTMLScriptElement>().is_some() {
+            for attr in self.attrs().iter() {
+                // Step 2.1: If attribute’s name contains an ASCII case-insensitive match
+                // for "<script" or "<style", return "Not Nonceable".
+                let attr_name = attr.name().to_ascii_lowercase();
+                if attr_name.contains("<script") || attr_name.contains("<style") {
+                    return None;
+                }
+                // Step 2.2: If attribute’s value contains an ASCII case-insensitive match
+                // for "<script" or "<style", return "Not Nonceable".
+                let attr_value = attr.value().to_ascii_lowercase();
+                if attr_value.contains("<script") || attr_value.contains("<style") {
+                    return None;
+                }
+            }
+        }
+        // Step 3: If element had a duplicate-attribute parse error during tokenization, return "Not Nonceable".
+        // TODO(https://github.com/servo/servo/issues/4577 and https://github.com/whatwg/html/issues/3257):
+        // Figure out how to retrieve this information from the parser
+        // Step 4: Return "Nonceable".
+        Some(nonce_attribute.value().to_string().trim().to_owned())
+    }
+
    // https://dom.spec.whatwg.org/#insert-adjacent
    pub(crate) fn insert_adjacent(
        &self,