From 4e1ea819923ca6eac924d858b228e84631204000 Mon Sep 17 00:00:00 2001
From: Tim van der Lippe
Date: Mon, 14 Apr 2025 18:44:50 +0200
Subject: [PATCH] Implement CSP check for Trusted Types (#36363)
The algorithm [1] is implemented in the content-security-policy package. Requires https://github.com/rust-ammonia/rust-content-security-policy/pull/56 This is part of #36258 [1]: https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-trusted-type-policy-creation-be-blocked-by-content-security-policy
Signed-off-by: Tim van der Lippe
Co-authored-by: Josh Matthews
---
 .../script/dom/trustedtypepolicyfactory.rs | 15 ++++++--
 .../TrustedTypePolicy-CSP-no-name.html.ini | 3 --
 ...reatePolicy-cspTests-noNamesGiven.html.ini | 3 --
 ...atePolicy-cspTests-none-none-name.html.ini | 3 --
 ...y-createPolicy-cspTests-none-none.html.ini | 6 ----
 ...cy-creation-be-blocked-by-csp-001.html.ini | 36 -------------------
 ...rusted-types-duplicate-names-list.html.ini | 3 --
 ...ypes-reporting-clipping-of-sample.html.ini | 1 +
 ...ting-clipping-of-sample.tentative.html.ini | 1 +
 ...usted-types-sandbox-allow-scripts.html.ini | 3 --
 10 files changed, 14 insertions(+), 60 deletions(-)
 delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
 delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
 delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
 delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
 delete mode 100644 tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
diff --git a/components/script/dom/trustedtypepolicyfactory.rs b/components/script/dom/trustedtypepolicyfactory.rs
index 275d60ec707..64ae1f8ab11 100644
--- a/components/script/dom/trustedtypepolicyfactory.rs
+++ b/components/script/dom/trustedtypepolicyfactory.rs
@@ -3,6 +3,7 @@
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 use std::cell::RefCell;
+use content_security_policy::CheckResult;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Namespace, QualName, local_name, namespace_url, ns};
 use js::rust::HandleValue;
@@ -52,13 +53,21 @@ impl TrustedTypePolicyFactory {
 global: &GlobalScope,
 can_gc: CanGc,
 ) -> Fallible> {
- // TODO(36258): implement proper CSP check
 // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
 // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
- let allowed_by_csp = true;
+ let (allowed_by_csp, violations) = if let Some(csp_list) = global.get_csp_list() {
+ csp_list.is_trusted_type_policy_creation_allowed(
+ policy_name.clone(),
+ self.policy_names.borrow().clone(),
+ )
+ } else {
+ (CheckResult::Allowed, Vec::new())
+ };
+
+ global.report_csp_violations(violations);
 // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
- if !allowed_by_csp {
+ if allowed_by_csp == CheckResult::Blocked {
 return Err(Error::Type("Not allowed by CSP".to_string()));
 }
diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
deleted file mode 100644
index 591df6dd0b5..00000000000
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[TrustedTypePolicy-CSP-no-name.html]
- [No name list given - policy creation fails.]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
deleted file mode 100644
index 77cedecc725..00000000000
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
+++ /dev/null
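Review bot: The `global.report_csp_violations(violations);` call added in the second hunk of components/script/dom/trustedtypepolicyfactory.rs appears to open a crash that page script can trigger: this same commit sets `expected: CRASH` on trusted-types-reporting-clipping-of-sample.html.ini and its .tentative variant, whose visible subtests exercise createPolicy() with a long ASCII name and a non-BMP name. Where the panic originates is not visible in this diff (possibly the clipping of the violation sample), so treat the cause as an inference, but a page-controlled policy name that can take down script execution should be tracked in the code and not only in test metadata. I would add `// TODO(#ISSUE): reporting a Trusted Types violation crashes on the clipping-of-sample WPT tests` above the call, with #ISSUE replaced by a real tracking issue. The `else` arm also deserves a short comment stating the fallback, for example `// No CSP list on this global: nothing restricts policy creation`. The enclosing function starts and ends outside the hunk.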
@@ -1,3 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html]
- [No name list given - policy creation throws]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
deleted file mode 100644
index 25337f9ae52..00000000000
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html]
- [Cannot create policy with name 'default' - policy creation throws]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
deleted file mode 100644
index 1a72660bc77..00000000000
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html]
- [Cannot create policy with name 'SomeName' - policy creation throws]
- expected: FAIL
-
- [Cannot create policy with name 'default' - policy creation throws]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
index a4f07095018..097af84d4ee 100644
--- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
+++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
@@ -1,66 +1,30 @@
 [should-trusted-type-policy-creation-be-blocked-by-csp-001.html]
- [single enforce policy with directive "trusted-type tt-policy-name"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type tt-policy-name"]
 expected: FAIL
- [single enforce policy with directive "trusted-type *"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type *"]
 expected: FAIL
- [single enforce policy with directive "trusted-type 'none'"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type 'none'"]
 expected: FAIL
- [single enforce policy with directive "trusted-type 'allow-duplicates'"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type 'allow-duplicates'"]
 expected: FAIL
- [single enforce policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
 expected: FAIL
- [single enforce policy with directive "trusted-type 'none' 'allow-duplicates'"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type 'none' 'allow-duplicates'"]
 expected: FAIL
- [single enforce policy with directive "trusted-type 'none' tt-policy-name"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type 'none' tt-policy-name"]
 expected: FAIL
- [single enforce policy with directive "trusted-type 'none' *"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type 'none' *"]
 expected: FAIL
- [single enforce policy with directive "trusted-type tt-policy-name *"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type tt-policy-name *"]
 expected: FAIL
- [single enforce policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
- expected: FAIL
-
 [single report-only policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
 expected: FAIL
-
- [Single enforce policy with directive "trusted-type none"]
- expected: FAIL
-
- [Single enforce policy with directive "trusted-type allow-duplicates"]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini b/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
deleted file mode 100644
index d9a935f2582..00000000000
--- a/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[trusted-types-duplicate-names-list.html]
- [TrustedTypePolicyFactory and policy list in CSP.]
- expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
index be0bc8fc820..f15d2be7761 100644
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
@@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.html]
+ expected: CRASH
 [Clipping of violation sample for createPolicy(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)]
 expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
index 4afc492c92e..628ee2e4013 100644
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
@@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.tentative.html]
+ expected: CRASH
 [Clipping of violation sample for createPolicy(𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆)]
 expected: FAIL
diff --git a/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini b/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
index 4d9fcb44f1d..7053da4f6d0 100644
--- a/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
@@ -1,6 +1,3 @@
 [trusted-types-sandbox-allow-scripts.html]
- [window.trustedTypes.createPolicy() in a sandboxed page with allow-scripts.]
- expected: FAIL
-
 [Default Trusted Types policy in a sandboxed page with allow-scripts.]
 expected: FAIL