Implement CSP check for Trusted Types (#36363)

The algorithm [1] is implemented in the content-security-policy package. Requires https://github.com/rust-ammonia/rust-content-security-policy/pull/56 This is part of #36258 [1]: https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-trusted-type-policy-creation-be-blocked-by-content-security-policy Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
2025-08-06 06:00:15 +01:00 · 2025-04-14 18:44:50 +02:00 · 2025-04-14 18:44:50 +02:00 · 4e1ea81992
commit 4e1ea81992
parent d46a17a487
10 changed files with 14 additions and 60 deletions
--- a/components/script/dom/trustedtypepolicyfactory.rs
+++ b/components/script/dom/trustedtypepolicyfactory.rs
@ -3,6 +3,7 @@
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 use std::cell::RefCell;

+use content_security_policy::CheckResult;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Namespace, QualName, local_name, namespace_url, ns};
 use js::rust::HandleValue;
@ -52,13 +53,21 @@ impl TrustedTypePolicyFactory {
        global: &GlobalScope,
        can_gc: CanGc,
    ) -> Fallible<DomRoot<TrustedTypePolicy>> {
-        // TODO(36258): implement proper CSP check
        // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
        // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
-        let allowed_by_csp = true;
+        let (allowed_by_csp, violations) = if let Some(csp_list) = global.get_csp_list() {
+            csp_list.is_trusted_type_policy_creation_allowed(
+                policy_name.clone(),
+                self.policy_names.borrow().clone(),
+            )
+        } else {
+            (CheckResult::Allowed, Vec::new())
+        };
+
+        global.report_csp_violations(violations);

        // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
-        if !allowed_by_csp {
+        if allowed_by_csp == CheckResult::Blocked {
            return Err(Error::Type("Not allowed by CSP".to_string()));
        }

--- a/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicy-CSP-no-name.html.ini
@ -1,3 +0,0 @@
-[TrustedTypePolicy-CSP-no-name.html]
-  [No name list given - policy creation fails.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html.ini
@ -1,3 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html]
-  [No name list given - policy creation throws]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html.ini
@ -1,3 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-none-none-name.html]
-  [Cannot create policy with name 'default' - policy creation throws]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
+++ b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html.ini
@ -1,6 +0,0 @@
-[TrustedTypePolicyFactory-createPolicy-cspTests-none-none.html]
-  [Cannot create policy with name 'SomeName' - policy creation throws]
-    expected: FAIL
-
-  [Cannot create policy with name 'default' - policy creation throws]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
+++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-001.html.ini
@ -1,66 +1,30 @@
 [should-trusted-type-policy-creation-be-blocked-by-csp-001.html]
-  [single enforce policy with directive "trusted-type tt-policy-name"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type tt-policy-name"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type *"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type *"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type 'none'"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type 'none'"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type 'allow-duplicates'"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type 'allow-duplicates'"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type 'none' 'allow-duplicates'"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type 'none' 'allow-duplicates'"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type 'none' tt-policy-name"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type 'none' tt-policy-name"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type 'none' *"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type 'none' *"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type tt-policy-name *"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type tt-policy-name *"]
    expected: FAIL

-  [single enforce policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
-    expected: FAIL
-
  [single report-only policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
    expected: FAIL
-
-  [Single enforce policy with directive "trusted-type none"]
-    expected: FAIL
-
-  [Single enforce policy with directive "trusted-type allow-duplicates"]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-duplicate-names-list.html.ini
@ -1,3 +0,0 @@
-[trusted-types-duplicate-names-list.html]
-  [TrustedTypePolicyFactory and policy list in CSP.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.html.ini
@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.html]
+  expected: CRASH
  [Clipping of violation sample for createPolicy(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-clipping-of-sample.tentative.html.ini
@ -1,4 +1,5 @@
 [trusted-types-reporting-clipping-of-sample.tentative.html]
+  expected: CRASH
  [Clipping of violation sample for createPolicy(𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆𝐆)]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini
@ -1,6 +1,3 @@
 [trusted-types-sandbox-allow-scripts.html]
-  [window.trustedTypes.createPolicy() in a sandboxed page with allow-scripts.]
-    expected: FAIL
-
  [Default Trusted Types policy in a sandboxed page with allow-scripts.]
    expected: FAIL