From 6205c07114b842fe110b217d941782544c6aaee8 Mon Sep 17 00:00:00 2001
From: Tim van der Lippe
Date: Thu, 28 Aug 2025 19:49:33 +0200
Subject: [PATCH] Disallow invalid trusted type policy names (#38886)

Actual fix is in the CSP crate. Part of #36258

Signed-off-by: Tim van der Lippe
---
 Cargo.lock | 2 +-
 components/script/dom/csp.rs | 8 +++---
 .../script/dom/trustedtypepolicyfactory.rs | 25 ++++++++++---------
 ...cy-creation-be-blocked-by-csp-002.html.ini | 12 ---------
 4 files changed, 18 insertions(+), 29 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 84ca83732fd..cb135384084 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1630,7 +1630,7 @@ dependencies = [
 [[package]]
 name = "content-security-policy"
 version = "0.5.4"
-source = "git+https://github.com/servo/rust-content-security-policy?branch=servo-csp#cf67beb96db9244ab6956a4da61dbe83384d5cd7"
+source = "git+https://github.com/servo/rust-content-security-policy?branch=servo-csp#fc927dfefb1fdc052fa4fa18c2ca3c3f6b87047b"
 dependencies = [
  "base64 0.22.1",
  "bitflags 2.9.3",
diff --git a/components/script/dom/csp.rs b/components/script/dom/csp.rs
index 1fe2f83680c..8398950e0e9 100644
--- a/components/script/dom/csp.rs
+++ b/components/script/dom/csp.rs
@@ -51,8 +51,8 @@ pub(crate) trait CspReporting {
     fn is_trusted_type_policy_creation_allowed(
         &self,
         global: &GlobalScope,
-        policy_name: String,
-        created_policy_names: Vec,
+        policy_name: &str,
+        created_policy_names: &[&str],
     ) -> bool;
     fn does_sink_type_require_trusted_types(
         &self,
@@ -173,8 +173,8 @@ impl CspReporting for Option {
     fn is_trusted_type_policy_creation_allowed(
         &self,
         global: &GlobalScope,
-        policy_name: String,
-        created_policy_names: Vec,
+        policy_name: &str,
+        created_policy_names: &[&str],
     ) -> bool {
         let Some(csp_list) = self else {
             return true;
diff --git a/components/script/dom/trustedtypepolicyfactory.rs b/components/script/dom/trustedtypepolicyfactory.rs
index 46c90f799a9..db7d77b3560 100644
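Review bot: The trait method `is_trusted_type_policy_creation_allowed` in the first csp.rs hunk still carries no doc comment, and the new `&str` / `&[&str]` signature does not say what `created_policy_names` holds or which way the boolean reads; the same applies to the impl in the second hunk at line 173. That impl shows the absent-CSP case returns `true`, so the method answers "allowed", the inverse of the spec algorithm's "Blocked" result named in the Step 1 comment of the trustedtypepolicyfactory.rs hunk, which is worth stating so callers do not invert it. I would add above the trait declaration: `/// "Should Trusted Type policy creation be blocked by Content Security Policy?" for policy_name, given the names this factory has already created; returns true when creation is allowed, which includes the case where no CSP list exists.` The impl body continues past the second hunk, so how the directive itself is evaluated is not visible here.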
--- a/components/script/dom/trustedtypepolicyfactory.rs
+++ b/components/script/dom/trustedtypepolicyfactory.rs
@@ -71,19 +71,20 @@ impl TrustedTypePolicyFactory {
         global: &GlobalScope,
         can_gc: CanGc,
     ) -> Fallible> {
-        // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
-        // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
-        let allowed_by_csp = global
-            .get_csp_list()
-            .is_trusted_type_policy_creation_allowed(
-                global,
-                policy_name.clone(),
-                self.policy_names.borrow().clone(),
-            );
+        // Avoid double borrow on policy_names
+        {
+            // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
+            // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
+            let policy_names = self.policy_names.borrow();
+            let policy_names: Vec<&str> = policy_names.iter().map(String::as_ref).collect();
+            let allowed_by_csp = global
+                .get_csp_list()
+                .is_trusted_type_policy_creation_allowed(global, &policy_name, &policy_names);
 
-        // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
-        if !allowed_by_csp {
-            return Err(Error::Type("Not allowed by CSP".to_string()));
+            // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
+            if !allowed_by_csp {
+                return Err(Error::Type("Not allowed by CSP".to_string()));
+            }
         }
 
         // Step 3: If policyName is default and the factory’s default policy value is not null, throw a TypeError
diff --git a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini
index 11b8c617d21..89684fc3264 100644
--- a/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini
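Review bot: The rebinding `let policy_names: Vec<&str> = policy_names.iter()...` shadows the `Ref` guard with a view that borrows from it, and the guard only survives because a shadowed binding is not dropped until the block ends; that is easy to break in a later edit that merges the two statements or moves the `Vec` out of the block. Naming the guard separately makes the dependency explicit: `let created = self.policy_names.borrow();` followed by `let policy_names: Vec<&str> = created.iter().map(String::as_ref).collect();`. The block comment should also say what the scope is for rather than `// Avoid double borrow on policy_names`, e.g. `// Scope the RefCell borrow so it is released before later steps touch policy_names again`; I am inferring the later mutable borrow, since the enclosing method starts and ends outside the hunk.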
+++ b/tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini
@@ -1,17 +1,5 @@
 [should-trusted-type-policy-creation-be-blocked-by-csp-002.html]
   expected: TIMEOUT
 
-  [invalid tt-policy-name name "policy*name"]
-    expected: FAIL
-
-  [invalid tt-policy-name name "policy$name"]
-    expected: FAIL
-
-  [invalid tt-policy-name name "policy?name"]
-    expected: FAIL
-
-  [invalid tt-policy-name name "policy!name"]
-    expected: FAIL
-
   [directive "trusted-type _TTP1_%09_TTP2_%0C_TTP3_%0D_TTP4_%20_TTP5_" (required-ascii-whitespace)]
     expected: TIMEOUT