Disallow invalid trusted type policy names (#38886)

Actual fix is in the CSP crate. Part of #36258 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-09-23 05:10:09 +01:00 · 2025-08-28 19:49:33 +02:00 · 2025-08-28 19:49:33 +02:00 · 6205c07114
commit 6205c07114
parent 908c392219
4 changed files with 18 additions and 29 deletions
--- a/components/script/dom/csp.rs
+++ b/components/script/dom/csp.rs
@ -51,8 +51,8 @@ pub(crate) trait CspReporting {
    fn is_trusted_type_policy_creation_allowed(
        &self,
        global: &GlobalScope,
-        policy_name: String,
-        created_policy_names: Vec<String>,
+        policy_name: &str,
+        created_policy_names: &[&str],
    ) -> bool;
    fn does_sink_type_require_trusted_types(
        &self,
@ -173,8 +173,8 @@ impl CspReporting for Option<CspList> {
    fn is_trusted_type_policy_creation_allowed(
        &self,
        global: &GlobalScope,
-        policy_name: String,
-        created_policy_names: Vec<String>,
+        policy_name: &str,
+        created_policy_names: &[&str],
    ) -> bool {
        let Some(csp_list) = self else {
            return true;
--- a/components/script/dom/trustedtypepolicyfactory.rs
+++ b/components/script/dom/trustedtypepolicyfactory.rs
@ -71,19 +71,20 @@ impl TrustedTypePolicyFactory {
        global: &GlobalScope,
        can_gc: CanGc,
    ) -> Fallible<DomRoot<TrustedTypePolicy>> {
-        // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
-        // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
-        let allowed_by_csp = global
-            .get_csp_list()
-            .is_trusted_type_policy_creation_allowed(
-                global,
-                policy_name.clone(),
-                self.policy_names.borrow().clone(),
-            );
+        // Avoid double borrow on policy_names
+        {
+            // Step 1: Let allowedByCSP be the result of executing Should Trusted Type policy creation be blocked by
+            // Content Security Policy? algorithm with global, policyName and factory’s created policy names value.
+            let policy_names = self.policy_names.borrow();
+            let policy_names: Vec<&str> = policy_names.iter().map(String::as_ref).collect();
+            let allowed_by_csp = global
+                .get_csp_list()
+                .is_trusted_type_policy_creation_allowed(global, &policy_name, &policy_names);

-        // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
-        if !allowed_by_csp {
-            return Err(Error::Type("Not allowed by CSP".to_string()));
+            // Step 2: If allowedByCSP is "Blocked", throw a TypeError and abort further steps.
+            if !allowed_by_csp {
+                return Err(Error::Type("Not allowed by CSP".to_string()));
+            }
        }

        // Step 3: If policyName is default and the factory’s default policy value is not null, throw a TypeError