Implement CSP check for Trusted Types (#36363)

The algorithm [1] is implemented in the content-security-policy package. Requires https://github.com/rust-ammonia/rust-content-security-policy/pull/56 This is part of #36258 [1]: https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-trusted-type-policy-creation-be-blocked-by-content-security-policy Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
2025-06-06 16:45:39 +00:00 · 2025-04-14 18:44:50 +02:00 · 2025-04-14 18:44:50 +02:00 · 4e1ea81992
commit 4e1ea81992
parent d46a17a487
10 changed files with 14 additions and 60 deletions
--- a/components/script/dom/trustedtypepolicyfactory.rs
+++ b/components/script/dom/trustedtypepolicyfactory.rs
@ -3,6 +3,7 @@
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 use std::cell::RefCell;
 use content_security_policy::CheckResult;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Namespace, QualName, local_name, namespace_url, ns};
 use js::rust::HandleValue;
@ -52,13 +53,21 @@ impl TrustedTypePolicyFactory {
        global: &GlobalScope,
        can_gc: CanGc,
    ) -> Fallible<DomRoot<TrustedTypePolicy>> {
        // TODO(36258): implement proper CSP check
        // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
        // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
-        let allowed_by_csp = true;
+        let (allowed_by_csp, violations) = if let Some(csp_list) = global.get_csp_list() {
            csp_list.is_trusted_type_policy_creation_allowed(
                policy_name.clone(),
                self.policy_names.borrow().clone(),
            )
        } else {
            (CheckResult::Allowed, Vec::new())
        };
        global.report_csp_violations(violations);
        // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
-        if !allowed_by_csp {
+        if allowed_by_csp == CheckResult::Blocked {
            return Err(Error::Type("Not allowed by CSP".to_string()));
        }
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
@ -1,3 +0,0 @@
 [TrustedTypePolicy-CSP-no-name.html]
  [No name list given - policy creation fails.]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
@ -1,3 +0,0 @@
 [TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html]
  [No name list given - policy creation throws]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
@ -1,3 +0,0 @@
 [TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html]
  [Cannot create policy with name 'default' - policy creation throws]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
@ -1,6 +0,0 @@
 [TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html]
  [Cannot create policy with name 'SomeName' - policy creation throws]
    expected: FAIL
  [Cannot create policy with name 'default' - policy creation throws]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
+++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
@ -1,66 +1,30 @@
 [should-trusted-type-policy-creation-be-blocked-by-csp-001.html]
  [single enforce policy with directive "trusted-type tt-policy-name"]
    expected: FAIL
  [single report-only policy with directive "trusted-type tt-policy-name"]
    expected: FAIL
  [single enforce policy with directive "trusted-type *"]
    expected: FAIL
  [single report-only policy with directive "trusted-type *"]
    expected: FAIL
  [single enforce policy with directive "trusted-type 'none'"]
    expected: FAIL
  [single report-only policy with directive "trusted-type 'none'"]
    expected: FAIL
  [single enforce policy with directive "trusted-type 'allow-duplicates'"]
    expected: FAIL
  [single report-only policy with directive "trusted-type 'allow-duplicates'"]
    expected: FAIL
  [single enforce policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
    expected: FAIL
  [single report-only policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
    expected: FAIL
  [single enforce policy with directive "trusted-type 'none' 'allow-duplicates'"]
    expected: FAIL
  [single report-only policy with directive "trusted-type 'none' 'allow-duplicates'"]
    expected: FAIL
  [single enforce policy with directive "trusted-type 'none' tt-policy-name"]
    expected: FAIL
  [single report-only policy with directive "trusted-type 'none' tt-policy-name"]
    expected: FAIL
  [single enforce policy with directive "trusted-type 'none' *"]
    expected: FAIL
  [single report-only policy with directive "trusted-type 'none' *"]
    expected: FAIL
  [single enforce policy with directive "trusted-type tt-policy-name *"]
    expected: FAIL
  [single report-only policy with directive "trusted-type tt-policy-name *"]
    expected: FAIL
  [single enforce policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
    expected: FAIL
  [single report-only policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
    expected: FAIL
  [Single enforce policy with directive "trusted-type none"]
    expected: FAIL
  [Single enforce policy with directive "trusted-type allow-duplicates"]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
@ -1,3 +0,0 @@
 [trusted-types-duplicate-names-list.html]
  [TrustedTypePolicyFactory and policy list in CSP.]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.html]
  expected: CRASH
  [Clipping of violation sample for createPolicy(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.tentative.html]
  expected: CRASH
  [Clipping of violation sample for createPolicy(𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆)]
    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
@ -1,6 +1,3 @@
 [trusted-types-sandbox-allow-scripts.html]
  [window.trustedTypes.createPolicy() in a sandboxed page with allow-scripts.]
    expected: FAIL
  [Default Trusted Types policy in a sandboxed page with allow-scripts.]
    expected: FAIL