Update FetchTaskTarget to propagate CSP violations. (#36409)

It also updates the FetchResponseListener to process CSP violations to ensure that iframe elements (amongst others) properly generate the CSP events. These iframe elements are used in the Trusted Types tests themselves and weren't propagating the violations before. However, the tests themselves are still not passing since they also use Websockets, which currently aren't using the fetch machinery itself. That is fixed as part of [1]. [1]: https://github.com/servo/servo/issues/35028 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Josh Matthews <josh@joshmatthews.net> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
2025-08-06 06:00:15 +01:00 · 2025-04-13 22:54:59 +02:00 · 2025-04-13 22:54:59 +02:00 · 85e4a2b5c7
commit 85e4a2b5c7
parent 5d84acc06e
146 changed files with 511 additions and 612 deletions
--- a/components/fonts/font_context.rs
+++ b/components/fonts/font_context.rs
@ -900,9 +900,9 @@ impl RemoteWebFontDownloader {
        response_message: FetchResponseMsg,
    ) -> DownloaderResponseResult {
        match response_message {
-            FetchResponseMsg::ProcessRequestBody(..) | FetchResponseMsg::ProcessRequestEOF(..) => {
-                DownloaderResponseResult::InProcess
-            },
+            FetchResponseMsg::ProcessRequestBody(..) |
+            FetchResponseMsg::ProcessRequestEOF(..) |
+            FetchResponseMsg::ProcessCspViolations(..) => DownloaderResponseResult::InProcess,
            FetchResponseMsg::ProcessResponse(_, meta_result) => {
                trace!(
                    "@font-face {} metadata ok={:?}",
--- a/components/net/fetch/methods.rs
+++ b/components/net/fetch/methods.rs
@ -173,9 +173,9 @@ pub async fn fetch_with_cors_cache(
 pub fn should_request_be_blocked_by_csp(
    request: &Request,
    policy_container: &PolicyContainer,
-) -> csp::CheckResult {
+) -> (csp::CheckResult, Vec<csp::Violation>) {
    let origin = match &request.origin {
-        Origin::Client => return csp::CheckResult::Allowed,
+        Origin::Client => return (csp::CheckResult::Allowed, Vec::new()),
        Origin::Origin(origin) => origin,
    };

@ -190,12 +190,11 @@ pub fn should_request_be_blocked_by_csp(
        parser_metadata: csp::ParserMetadata::None,
    };

-    // TODO: Instead of ignoring violations, report them.
    policy_container
        .csp_list
        .as_ref()
-        .map(|c| c.should_request_be_blocked(&csp_request).0)
-        .unwrap_or(csp::CheckResult::Allowed)
+        .map(|c| c.should_request_be_blocked(&csp_request))
+        .unwrap_or((csp::CheckResult::Allowed, Vec::new()))
 }

 /// [Main fetch](https://fetch.spec.whatwg.org/#concept-main-fetch)
@ -278,7 +277,13 @@ pub async fn main_fetch(
    // Step 7. If should request be blocked due to a bad port, should fetching request be blocked
    // as mixed content, or should request be blocked by Content Security Policy returns blocked,
    // then set response to a network error.
-    if should_request_be_blocked_by_csp(request, &policy_container) == csp::CheckResult::Blocked {
+    let (check_result, violations) = should_request_be_blocked_by_csp(request, &policy_container);
+
+    if !violations.is_empty() {
+        target.process_csp_violations(request, violations);
+    }
+
+    if check_result == csp::CheckResult::Blocked {
        warn!("Request blocked by CSP");
        response = Some(Response::network_error(NetworkError::Internal(
            "Blocked by Content-Security-Policy".into(),
--- a/components/net/image_cache.rs
+++ b/components/net/image_cache.rs
@ -546,7 +546,8 @@ impl ImageCache for ImageCacheImpl {
    fn notify_pending_response(&self, id: PendingImageId, action: FetchResponseMsg) {
        match (action, id) {
            (FetchResponseMsg::ProcessRequestBody(..), _) |
-            (FetchResponseMsg::ProcessRequestEOF(..), _) => (),
+            (FetchResponseMsg::ProcessRequestEOF(..), _) |
+            (FetchResponseMsg::ProcessCspViolations(..), _) => (),
            (FetchResponseMsg::ProcessResponse(_, response), _) => {
                debug!("Received {:?} for {:?}", response.as_ref().map(|_| ()), id);
                let mut store = self.store.lock().unwrap();
--- a/components/net/tests/fetch.rs
+++ b/components/net/tests/fetch.rs
@ -12,6 +12,7 @@ use std::sync::{Arc, Mutex, Weak};
 use std::time::{Duration, SystemTime};

 use base::id::TEST_PIPELINE_ID;
+use content_security_policy as csp;
 use crossbeam_channel::{Sender, unbounded};
 use devtools_traits::{HttpRequest as DevtoolsHttpRequest, HttpResponse as DevtoolsHttpResponse};
 use headers::{
@ -163,6 +164,7 @@ fn test_fetch_blob() {
            assert_eq!(self.buffer, self.expected);
            let _ = self.sender.send(response.clone());
        }
+        fn process_csp_violations(&mut self, _: &Request, _: Vec<csp::Violation>) {}
    }

    let context = new_fetch_context(None, None, None);
--- a/components/net/tests/http_loader.rs
+++ b/components/net/tests/http_loader.rs
@ -11,6 +11,7 @@ use std::sync::{Arc, Mutex, RwLock};
 use std::time::Duration;

 use base::id::{TEST_PIPELINE_ID, TEST_WEBVIEW_ID};
+use content_security_policy as csp;
 use cookie::Cookie as CookiePair;
 use crossbeam_channel::{Receiver, unbounded};
 use devtools_traits::{
@ -1537,6 +1538,7 @@ fn test_fetch_compressed_response_update_count() {
        fn process_response_eof(&mut self, _: &Request, _: &Response) {
            let _ = self.sender.take().unwrap().send(self.update_count);
        }
+        fn process_csp_violations(&mut self, _: &Request, _: Vec<csp::Violation>) {}
    }

    let (sender, receiver) = tokio::sync::oneshot::channel();
--- a/components/net/tests/main.rs
+++ b/components/net/tests/main.rs
@ -26,6 +26,7 @@ use std::net::TcpListener as StdTcpListener;
 use std::path::{Path, PathBuf};
 use std::sync::{Arc, LazyLock, Mutex, RwLock, Weak};

+use content_security_policy as csp;
 use crossbeam_channel::{Receiver, Sender, unbounded};
 use devtools_traits::DevtoolsControlMsg;
 use embedder_traits::{AuthenticationResponse, EmbedderMsg, EmbedderProxy, EventLoopWaker};
@ -196,6 +197,7 @@ impl FetchTaskTarget for FetchResponseCollector {
    fn process_response_eof(&mut self, _: &Request, response: &Response) {
        let _ = self.sender.take().unwrap().send(response.clone());
    }
+    fn process_csp_violations(&mut self, _: &Request, _: Vec<csp::Violation>) {}
 }

 fn fetch(request: Request, dc: Option<Sender<DevtoolsControlMsg>>) -> Response {
--- a/components/net/websocket_loader.rs
+++ b/components/net/websocket_loader.rs
@ -11,19 +11,22 @@
 //! over events from the network and events from the DOM, using async/await to avoid
 //! the need for a dedicated thread per websocket.

+use std::mem;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, Ordering};

 use async_tungstenite::WebSocketStream;
 use async_tungstenite::tokio::{ConnectStream, client_async_tls_with_connector_and_config};
 use base64::Engine;
+use content_security_policy as csp;
 use futures::future::TryFutureExt;
 use futures::stream::StreamExt;
 use http::header::{self, HeaderName, HeaderValue};
 use ipc_channel::ipc::{IpcReceiver, IpcSender};
 use ipc_channel::router::ROUTER;
 use log::{debug, trace, warn};
-use net_traits::request::{RequestBuilder, RequestMode};
+use net_traits::policy_container::{PolicyContainer, RequestPolicyContainer};
+use net_traits::request::{Origin, RequestBuilder, RequestMode};
 use net_traits::{CookieSource, MessageData, WebSocketDomAction, WebSocketNetworkEvent};
 use servo_url::ServoUrl;
 use tokio::net::TcpStream;
@ -39,7 +42,9 @@ use url::Url;
 use crate::async_runtime::HANDLE;
 use crate::connector::{CACertificates, TlsConfig, create_tls_config};
 use crate::cookie::ServoCookie;
-use crate::fetch::methods::should_request_be_blocked_due_to_a_bad_port;
+use crate::fetch::methods::{
+    should_request_be_blocked_by_csp, should_request_be_blocked_due_to_a_bad_port,
+};
 use crate::hosts::replace_host;
 use crate::http_loader::HttpState;
 /// Create a tungstenite Request object for the initial HTTP request.
@ -353,7 +358,7 @@ fn connect(
    ignore_certificate_errors: bool,
 ) -> Result<(), String> {
    let protocols = match req_builder.mode {
-        RequestMode::WebSocket { protocols } => protocols,
+        RequestMode::WebSocket { ref mut protocols } => mem::take(protocols),
        _ => {
            return Err(
                "Received a RequestBuilder with a non-websocket mode in websocket_loader"
@ -368,16 +373,36 @@ fn connect(
        .read()
        .unwrap()
        .apply_hsts_rules(&mut req_builder.url);
+    let request = req_builder.build();

-    let req_url = req_builder.url.clone();
+    let req_url = request.url();
+    let req_origin = match request.origin {
+        Origin::Client => unreachable!(),
+        Origin::Origin(ref origin) => origin,
+    };

    if should_request_be_blocked_due_to_a_bad_port(&req_url) {
        return Err("Port blocked".to_string());
    }

+    let policy_container = match &request.policy_container {
+        RequestPolicyContainer::Client => PolicyContainer::default(),
+        RequestPolicyContainer::PolicyContainer(container) => container.to_owned(),
+    };
+
+    let (check_result, violations) = should_request_be_blocked_by_csp(&request, &policy_container);
+
+    if !violations.is_empty() {
+        let _ = resource_event_sender.send(WebSocketNetworkEvent::ReportCSPViolations(violations));
+    }
+
+    if check_result == csp::CheckResult::Blocked {
+        return Err("Blocked by Content-Security-Policy".to_string());
+    }
+
    let client = match create_request(
        &req_url,
-        &req_builder.origin.ascii_serialization(),
+        &req_origin.ascii_serialization(),
        &protocols,
        &http_state,
    ) {
@ -397,7 +422,7 @@ fn connect(
        Some(handle) => handle.spawn(
            start_websocket(
                http_state,
-                req_builder.url.clone(),
+                req_url.clone(),
                resource_event_sender,
                protocols,
                client,
--- a/components/script/dom/dedicatedworkerglobalscope.rs
+++ b/components/script/dom/dedicatedworkerglobalscope.rs
@ -18,6 +18,7 @@ use js::jsval::UndefinedValue;
 use js::rust::{CustomAutoRooter, CustomAutoRooterGuard, HandleValue};
 use net_traits::IpcSend;
 use net_traits::image_cache::ImageCache;
+use net_traits::policy_container::PolicyContainer;
 use net_traits::request::{
    CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata, Referrer, RequestBuilder,
    RequestMode,
@ -347,6 +348,7 @@ impl DedicatedWorkerGlobalScope {
        control_receiver: Receiver<DedicatedWorkerControlMsg>,
        context_sender: Sender<ThreadSafeJSContext>,
        insecure_requests_policy: InsecureRequestsPolicy,
+        policy_container: PolicyContainer,
    ) -> JoinHandle<()> {
        let serialized_worker_url = worker_url.to_string();
        let webview_id = WebViewId::installed();
@ -388,6 +390,7 @@ impl DedicatedWorkerGlobalScope {
                    .referrer_policy(referrer_policy)
                    .insecure_requests_policy(insecure_requests_policy)
                    .has_trustworthy_ancestor_origin(current_global_ancestor_trustworthy)
+                    .policy_container(policy_container)
                    .origin(origin);

                let runtime = unsafe {
--- a/components/script/dom/eventsource.rs
+++ b/components/script/dom/eventsource.rs
@ -8,6 +8,7 @@ use std::str::{Chars, FromStr};
 use std::sync::{Arc, Mutex};
 use std::time::Duration;

+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use headers::ContentType;
 use http::header::{self, HeaderName, HeaderValue};
@ -431,6 +432,11 @@ impl FetchResponseListener for EventSourceContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for EventSourceContext {
@ -562,6 +568,7 @@ impl EventSourceMethods<crate::DomTypeHolder> for EventSource {
            global.get_referrer(),
            global.insecure_requests_policy(),
            global.has_trustworthy_ancestor_or_current_origin(),
+            global.policy_container(),
        )
        .origin(global.origin().immutable().clone())
        .pipeline_id(Some(global.pipeline_id()));
--- a/components/script/dom/globalscope.rs
+++ b/components/script/dom/globalscope.rs
@ -21,7 +21,9 @@ use constellation_traits::{
    BlobData, BlobImpl, BroadcastMsg, FileBlob, MessagePortImpl, MessagePortMsg, PortMessageTask,
    ScriptToConstellationChan, ScriptToConstellationMessage,
 };
-use content_security_policy::{CheckResult, CspList, PolicyDisposition};
+use content_security_policy::{
+    CheckResult, CspList, PolicyDisposition, Violation, ViolationResource,
+};
 use crossbeam_channel::Sender;
 use devtools_traits::{PageError, ScriptToDevtoolsControlMsg};
 use dom_struct::dom_struct;
@ -3310,6 +3312,24 @@ impl GlobalScope {
        }
        unreachable!();
    }
+
+    pub(crate) fn report_csp_violations(&self, violations: Vec<Violation>) {
+        for violation in violations {
+            let sample = match violation.resource {
+                ViolationResource::Inline { .. } | ViolationResource::Url(_) => None,
+                ViolationResource::TrustedTypePolicy { sample } => Some(sample),
+            };
+            let report = CSPViolationReportBuilder::default()
+                .resource("eval".to_owned())
+                .sample(sample)
+                .effective_directive(violation.directive.name)
+                .build(self);
+            let task = CSPViolationReportTask::new(self, report);
+            self.task_manager()
+                .dom_manipulation_task_source()
+                .queue(task);
+        }
+    }
 }

 /// Returns the Rust global scope from a JS global object.
--- a/components/script/dom/htmlimageelement.rs
+++ b/components/script/dom/htmlimageelement.rs
@ -10,6 +10,7 @@ use std::sync::Arc;
 use std::{char, mem};

 use app_units::{AU_PER_PX, Au};
+use content_security_policy as csp;
 use cssparser::{Parser, ParserInput};
 use dom_struct::dom_struct;
 use euclid::Point2D;
@ -294,6 +295,11 @@ impl FetchResponseListener for ImageContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for ImageContext {
@ -416,15 +422,17 @@ impl HTMLImageElement {

        // https://html.spec.whatwg.org/multipage/#update-the-image-data steps 17-20
        // This function is also used to prefetch an image in `script::dom::servoparser::prefetch`.
+        let global = document.global();
        let mut request = create_a_potential_cors_request(
            Some(window.webview_id()),
            img_url.clone(),
            Destination::Image,
            cors_setting_for_element(self.upcast()),
            None,
-            document.global().get_referrer(),
+            global.get_referrer(),
            document.insecure_requests_policy(),
            document.has_trustworthy_ancestor_or_current_origin(),
+            global.policy_container(),
        )
        .origin(document.origin().immutable().clone())
        .pipeline_id(Some(document.global().pipeline_id()))
--- a/components/script/dom/htmllinkelement.rs
+++ b/components/script/dom/htmllinkelement.rs
@ -7,6 +7,7 @@ use std::cell::Cell;
 use std::default::Default;

 use base::id::WebViewId;
+use content_security_policy as csp;
 use cssparser::{Parser as CssParser, ParserInput};
 use dom_struct::dom_struct;
 use embedder_traits::EmbedderMsg;
@ -706,9 +707,9 @@ impl LinkProcessingOptions {
            Referrer::NoReferrer,
            self.insecure_requests_policy,
            self.has_trustworthy_ancestor_origin,
+            self.policy_container,
        )
        .integrity_metadata(self.integrity)
-        .policy_container(self.policy_container)
        .cryptographic_nonce_metadata(self.cryptographic_nonce_metadata)
        .referrer_policy(self.referrer_policy);

@ -788,6 +789,11 @@ impl FetchResponseListener for PrefetchContext {
    fn submit_resource_timing(&mut self) {
        submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for PrefetchContext {
--- a/components/script/dom/htmlmediaelement.rs
+++ b/components/script/dom/htmlmediaelement.rs
@ -10,6 +10,7 @@ use std::time::{Duration, Instant};
 use std::{f64, mem};

 use compositing_traits::{CrossProcessCompositorApi, ImageUpdate, SerializableImageData};
+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use embedder_traits::resources::{self, Resource as EmbedderResource};
 use embedder_traits::{MediaPositionState, MediaSessionEvent, MediaSessionPlaybackState};
@ -892,15 +893,17 @@ impl HTMLMediaElement {
        };

        let cors_setting = cors_setting_for_element(self.upcast());
+        let global = self.global();
        let request = create_a_potential_cors_request(
            Some(document.webview_id()),
            url.clone(),
            destination,
            cors_setting,
            None,
-            self.global().get_referrer(),
+            global.get_referrer(),
            document.insecure_requests_policy(),
            document.has_trustworthy_ancestor_or_current_origin(),
+            global.policy_container(),
        )
        .headers(headers)
        .origin(document.origin().immutable().clone())
@ -2903,6 +2906,11 @@ impl FetchResponseListener for HTMLMediaElementFetchListener {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for HTMLMediaElementFetchListener {
--- a/components/script/dom/htmlscriptelement.rs
+++ b/components/script/dom/htmlscriptelement.rs
@ -21,6 +21,7 @@ use ipc_channel::ipc;
 use js::jsval::UndefinedValue;
 use js::rust::{CompileOptionsWrapper, HandleObject, Stencil, transform_str_to_source_text};
 use net_traits::http_status::HttpStatus;
+use net_traits::policy_container::PolicyContainer;
 use net_traits::request::{
    CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata,
    RequestBuilder, RequestId,
@ -536,6 +537,11 @@ impl FetchResponseListener for ClassicContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for ClassicContext {
@ -569,6 +575,7 @@ pub(crate) fn script_fetch_request(
    options: ScriptFetchOptions,
    insecure_requests_policy: InsecureRequestsPolicy,
    has_trustworthy_ancestor_origin: bool,
+    policy_container: PolicyContainer,
 ) -> RequestBuilder {
    // We intentionally ignore options' credentials_mode member for classic scripts.
    // The mode is initialized by create_a_potential_cors_request.
@ -581,6 +588,7 @@ pub(crate) fn script_fetch_request(
        options.referrer,
        insecure_requests_policy,
        has_trustworthy_ancestor_origin,
+        policy_container,
    )
    .origin(origin)
    .pipeline_id(Some(pipeline_id))
@ -601,15 +609,17 @@ fn fetch_a_classic_script(
 ) {
    // Step 1, 2.
    let doc = script.owner_document();
+    let global = script.global();
    let request = script_fetch_request(
        doc.webview_id(),
        url.clone(),
        cors_setting,
        doc.origin().immutable().clone(),
-        script.global().pipeline_id(),
+        global.pipeline_id(),
        options.clone(),
        doc.insecure_requests_policy(),
        doc.has_trustworthy_ancestor_origin(),
+        global.policy_container(),
    );
    let request = doc.prepare_request(request);

--- a/components/script/dom/htmlvideoelement.rs
+++ b/components/script/dom/htmlvideoelement.rs
@ -5,6 +5,7 @@
 use std::cell::Cell;
 use std::sync::Arc;

+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use euclid::default::Size2D;
 use html5ever::{LocalName, Prefix, local_name, namespace_url, ns};
@ -416,6 +417,11 @@ impl FetchResponseListener for PosterFrameFetchContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for PosterFrameFetchContext {
--- a/components/script/dom/notification.rs
+++ b/components/script/dom/notification.rs
@ -7,6 +7,7 @@ use std::rc::Rc;
 use std::sync::{Arc, Mutex};
 use std::time::{SystemTime, UNIX_EPOCH};

+use content_security_policy as csp;
 use content_security_policy::Destination;
 use dom_struct::dom_struct;
 use embedder_traits::{
@ -791,6 +792,11 @@ impl FetchResponseListener for ResourceFetchListener {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for ResourceFetchListener {
@ -821,6 +827,7 @@ impl Notification {
            global.get_referrer(),
            global.insecure_requests_policy(),
            global.has_trustworthy_ancestor_or_current_origin(),
+            global.policy_container(),
        )
        .origin(global.origin().immutable().clone())
        .pipeline_id(Some(global.pipeline_id()))
--- a/components/script/dom/servoparser/mod.rs
+++ b/components/script/dom/servoparser/mod.rs
@ -1068,6 +1068,16 @@ impl FetchResponseListener for ParserContext {
            CanGc::note(),
        );
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let parser = match self.parser.as_ref() {
+            Some(parser) => parser.root(),
+            None => return,
+        };
+        let document = &parser.document;
+        let global = &document.global();
+        global.report_csp_violations(violations);
+    }
 }

 impl PreInvoke for ParserContext {}
--- a/components/script/dom/servoparser/prefetch.rs
+++ b/components/script/dom/servoparser/prefetch.rs
@ -15,6 +15,7 @@ use html5ever::tokenizer::{
 use html5ever::{Attribute, LocalName, local_name};
 use js::jsapi::JSTracer;
 use markup5ever::TokenizerResult;
+use net_traits::policy_container::PolicyContainer;
 use net_traits::request::{
    CorsSettings, CredentialsMode, InsecureRequestsPolicy, ParserMetadata, Referrer,
 };
@ -60,13 +61,14 @@ unsafe impl CustomTraceable for PrefetchSink {

 impl Tokenizer {
    pub(crate) fn new(document: &Document) -> Self {
+        let global = document.global();
        let sink = PrefetchSink {
            origin: document.origin().immutable().clone(),
-            pipeline_id: document.global().pipeline_id(),
+            pipeline_id: global.pipeline_id(),
            webview_id: document.webview_id(),
            base_url: RefCell::new(None),
            document_url: document.url(),
-            referrer: document.global().get_referrer(),
+            referrer: global.get_referrer(),
            referrer_policy: document.get_referrer_policy(),
            resource_threads: document.loader().resource_threads().clone(),
            // Initially we set prefetching to false, and only set it
@ -75,6 +77,7 @@ impl Tokenizer {
            prefetching: Cell::new(false),
            insecure_requests_policy: document.insecure_requests_policy(),
            has_trustworthy_ancestor_origin: document.has_trustworthy_ancestor_or_current_origin(),
+            policy_container: global.policy_container(),
        };
        let options = Default::default();
        let inner = TraceableTokenizer(HtmlTokenizer::new(sink, options));
@ -108,6 +111,8 @@ struct PrefetchSink {
    #[no_trace]
    insecure_requests_policy: InsecureRequestsPolicy,
    has_trustworthy_ancestor_origin: bool,
+    #[no_trace]
+    policy_container: PolicyContainer,
 }

 /// The prefetch tokenizer produces trivial results
@ -150,6 +155,7 @@ impl TokenSink for PrefetchSink {
                        },
                        self.insecure_requests_policy,
                        self.has_trustworthy_ancestor_origin,
+                        self.policy_container.clone(),
                    );
                    let _ = self
                        .resource_threads
@ -169,6 +175,7 @@ impl TokenSink for PrefetchSink {
                        self.referrer.clone(),
                        self.insecure_requests_policy,
                        self.has_trustworthy_ancestor_origin,
+                        self.policy_container.clone(),
                    )
                    .origin(self.origin.clone())
                    .pipeline_id(Some(self.pipeline_id))
@ -204,6 +211,7 @@ impl TokenSink for PrefetchSink {
                                self.referrer.clone(),
                                self.insecure_requests_policy,
                                self.has_trustworthy_ancestor_origin,
+                                self.policy_container.clone(),
                            )
                            .origin(self.origin.clone())
                            .pipeline_id(Some(self.pipeline_id))
--- a/components/script/dom/websocket.rs
+++ b/components/script/dom/websocket.rs
@ -7,6 +7,7 @@ use std::cell::Cell;
 use std::ptr;

 use constellation_traits::BlobImpl;
+use content_security_policy::Violation;
 use dom_struct::dom_struct;
 use ipc_channel::ipc::{self, IpcReceiver, IpcSender};
 use ipc_channel::router::ROUTER;
@ -266,6 +267,7 @@ impl WebSocketMethods<crate::DomTypeHolder> for WebSocket {
            .service_workers_mode(ServiceWorkersMode::None)
            .credentials_mode(CredentialsMode::Include)
            .cache_mode(CacheMode::NoCache)
+            .policy_container(global.policy_container())
            .redirect_mode(RedirectMode::Error);

        let channels = FetchChannels::WebSocket {
@ -280,6 +282,13 @@ impl WebSocketMethods<crate::DomTypeHolder> for WebSocket {
        ROUTER.add_typed_route(
            dom_event_receiver.to_ipc_receiver(),
            Box::new(move |message| match message.unwrap() {
+                WebSocketNetworkEvent::ReportCSPViolations(violations) => {
+                    let task = ReportCSPViolationTask {
+                        websocket: address.clone(),
+                        violations,
+                    };
+                    task_source.queue(task);
+                },
                WebSocketNetworkEvent::ConnectionEstablished { protocol_in_use } => {
                    let open_thread = ConnectionEstablishedTask {
                        address: address.clone(),
@ -454,6 +463,18 @@ impl WebSocketMethods<crate::DomTypeHolder> for WebSocket {
    }
 }

+struct ReportCSPViolationTask {
+    websocket: Trusted<WebSocket>,
+    violations: Vec<Violation>,
+}
+
+impl TaskOnce for ReportCSPViolationTask {
+    fn run_once(self) {
+        let global = self.websocket.root().global();
+        global.report_csp_violations(self.violations);
+    }
+}
+
 /// Task queued when *the WebSocket connection is established*.
 /// <https://html.spec.whatwg.org/multipage/#feedback-from-the-protocol:concept-websocket-established>
 struct ConnectionEstablishedTask {
--- a/components/script/dom/worker.rs
+++ b/components/script/dom/worker.rs
@ -243,6 +243,7 @@ impl WorkerMethods<crate::DomTypeHolder> for Worker {
            control_receiver,
            context_sender,
            global.insecure_requests_policy(),
+            global.policy_container(),
        );

        let context = context_receiver
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@ -11,6 +11,7 @@ use std::sync::{Arc, Mutex};
 use std::time::{Duration, Instant};

 use constellation_traits::BlobImpl;
+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use encoding_rs::{Encoding, UTF_8};
 use headers::{ContentLength, ContentType, HeaderMapExt};
@ -143,6 +144,11 @@ impl FetchResponseListener for XHRContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for XHRContext {
@ -671,8 +677,9 @@ impl XMLHttpRequestMethods<crate::DomTypeHolder> for XMLHttpRequest {
            None => None,
        };

+        let global = self.global();
        let mut request = RequestBuilder::new(
-            self.global().webview_id(),
+            global.webview_id(),
            self.request_url.borrow().clone().unwrap(),
            self.referrer.clone(),
        )
@ -686,11 +693,12 @@ impl XMLHttpRequestMethods<crate::DomTypeHolder> for XMLHttpRequest {
        .use_cors_preflight(self.upload_listener.get())
        .credentials_mode(credentials_mode)
        .use_url_credentials(use_url_credentials)
-        .origin(self.global().origin().immutable().clone())
+        .origin(global.origin().immutable().clone())
        .referrer_policy(self.referrer_policy)
-        .insecure_requests_policy(self.global().insecure_requests_policy())
-        .has_trustworthy_ancestor_origin(self.global().has_trustworthy_ancestor_or_current_origin())
-        .pipeline_id(Some(self.global().pipeline_id()));
+        .insecure_requests_policy(global.insecure_requests_policy())
+        .has_trustworthy_ancestor_origin(global.has_trustworthy_ancestor_or_current_origin())
+        .policy_container(global.policy_container())
+        .pipeline_id(Some(global.pipeline_id()));

        // step 4 (second half)
        if let Some(content_type) = content_type {
--- a/components/script/fetch.rs
+++ b/components/script/fetch.rs
@ -6,8 +6,9 @@ use std::rc::Rc;
 use std::sync::{Arc, Mutex};

 use base::id::WebViewId;
+use content_security_policy as csp;
 use ipc_channel::ipc;
-use net_traits::policy_container::RequestPolicyContainer;
+use net_traits::policy_container::{PolicyContainer, RequestPolicyContainer};
 use net_traits::request::{
    CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, Referrer,
    Request as NetTraitsRequest, RequestBuilder, RequestId, RequestMode, ServiceWorkersMode,
@ -309,6 +310,11 @@ impl FetchResponseListener for FetchContext {
            network_listener::submit_timing(self, CanGc::note())
        }
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for FetchContext {
@ -352,8 +358,9 @@ pub(crate) fn load_whole_resource(
    let mut metadata = None;
    loop {
        match action_receiver.recv().unwrap() {
-            FetchResponseMsg::ProcessRequestBody(..) | FetchResponseMsg::ProcessRequestEOF(..) => {
-            },
+            FetchResponseMsg::ProcessRequestBody(..) |
+            FetchResponseMsg::ProcessRequestEOF(..) |
+            FetchResponseMsg::ProcessCspViolations(..) => {},
            FetchResponseMsg::ProcessResponse(_, Ok(m)) => {
                metadata = Some(match m {
                    FetchMetadata::Unfiltered(m) => m,
@ -385,6 +392,7 @@ pub(crate) fn create_a_potential_cors_request(
    referrer: Referrer,
    insecure_requests_policy: InsecureRequestsPolicy,
    has_trustworthy_ancestor_origin: bool,
+    policy_container: PolicyContainer,
 ) -> RequestBuilder {
    RequestBuilder::new(webview_id, url, referrer)
        // https://html.spec.whatwg.org/multipage/#create-a-potential-cors-request
@ -405,4 +413,5 @@ pub(crate) fn create_a_potential_cors_request(
        .use_url_credentials(true)
        .insecure_requests_policy(insecure_requests_policy)
        .has_trustworthy_ancestor_origin(has_trustworthy_ancestor_origin)
+        .policy_container(policy_container)
 }
--- a/components/script/layout_image.rs
+++ b/components/script/layout_image.rs
@ -8,6 +8,7 @@

 use std::sync::Arc;

+use content_security_policy as csp;
 use net_traits::image_cache::{ImageCache, PendingImageId};
 use net_traits::request::{Destination, RequestBuilder as FetchRequestInit, RequestId};
 use net_traits::{
@ -77,6 +78,11 @@ impl FetchResponseListener for LayoutImageContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for LayoutImageContext {
--- a/components/script/script_module.rs
+++ b/components/script/script_module.rs
@ -11,6 +11,7 @@ use std::str::FromStr;
 use std::sync::{Arc, Mutex};
 use std::{mem, ptr};

+use content_security_policy as csp;
 use encoding_rs::UTF_8;
 use headers::{HeaderMapExt, ReferrerPolicy as ReferrerPolicyHeader};
 use html5ever::local_name;
@ -1273,6 +1274,11 @@ impl FetchResponseListener for ModuleContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for ModuleContext {
--- a/components/script/script_thread.rs
+++ b/components/script/script_thread.rs
@ -41,6 +41,7 @@ use constellation_traits::{
    JsEvalResult, LoadData, LoadOrigin, NavigationHistoryBehavior, ScriptToConstellationChan,
    ScriptToConstellationMessage, ScrollState, StructuredSerializedData, WindowSizeType,
 };
+use content_security_policy::{self as csp};
 use crossbeam_channel::unbounded;
 use devtools_traits::{
    CSSError, DevtoolScriptControlMsg, DevtoolsPageInfo, NavigationState,
@ -3420,8 +3421,11 @@ impl ScriptThread {
            FetchResponseMsg::ProcessResponseEOF(request_id, eof) => {
                self.handle_fetch_eof(pipeline_id, request_id, eof)
            },
-            FetchResponseMsg::ProcessRequestBody(..) => {},
-            FetchResponseMsg::ProcessRequestEOF(..) => {},
+            FetchResponseMsg::ProcessCspViolations(request_id, violations) => {
+                self.handle_csp_violations(pipeline_id, request_id, violations)
+            },
+            FetchResponseMsg::ProcessRequestBody(..) | FetchResponseMsg::ProcessRequestEOF(..) => {
+            },
        }
    }

@ -3477,6 +3481,12 @@ impl ScriptThread {
        }
    }

+    fn handle_csp_violations(&self, id: PipelineId, _: RequestId, violations: Vec<csp::Violation>) {
+        if let Some(global) = self.documents.borrow().find_global(id) {
+            global.report_csp_violations(violations);
+        }
+    }
+
    fn handle_navigation_redirect(&self, id: PipelineId, metadata: &Metadata) {
        // TODO(mrobinson): This tries to accomplish some steps from
        // <https://html.spec.whatwg.org/multipage/#process-a-navigate-fetch>, but it's
--- a/components/script/stylesheet_loader.rs
+++ b/components/script/stylesheet_loader.rs
@ -5,6 +5,7 @@
 use std::io::{Read, Seek, Write};
 use std::sync::atomic::AtomicBool;

+use content_security_policy as csp;
 use cssparser::SourceLocation;
 use encoding_rs::UTF_8;
 use mime::{self, Mime};
@ -282,6 +283,11 @@ impl FetchResponseListener for StylesheetContext {
    fn submit_resource_timing(&mut self) {
        network_listener::submit_timing(self, CanGc::note())
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for StylesheetContext {
@ -353,15 +359,17 @@ impl StylesheetLoader<'_> {
        }

        // https://html.spec.whatwg.org/multipage/#default-fetch-and-process-the-linked-resource
+        let global = self.elem.global();
        let request = create_a_potential_cors_request(
            Some(document.webview_id()),
            url.clone(),
            Destination::Style,
            cors_setting,
            None,
-            self.elem.global().get_referrer(),
+            global.get_referrer(),
            document.insecure_requests_policy(),
            document.has_trustworthy_ancestor_or_current_origin(),
+            global.policy_container(),
        )
        .origin(document.origin().immutable().clone())
        .pipeline_id(Some(self.elem.global().pipeline_id()))
--- a/components/shared/net/lib.rs
+++ b/components/shared/net/lib.rs
@ -11,6 +11,7 @@ use std::thread;

 use base::cross_process_instant::CrossProcessInstant;
 use base::id::HistoryStateId;
+use content_security_policy::{self as csp};
 use cookie::Cookie;
 use crossbeam_channel::{Receiver, Sender, unbounded};
 use headers::{ContentType, HeaderMapExt, ReferrerPolicy as ReferrerPolicyHeader};
@ -198,6 +199,7 @@ pub enum FetchResponseMsg {
    ProcessResponse(RequestId, Result<FetchMetadata, NetworkError>),
    ProcessResponseChunk(RequestId, Vec<u8>),
    ProcessResponseEOF(RequestId, Result<ResourceFetchTiming, NetworkError>),
+    ProcessCspViolations(RequestId, Vec<csp::Violation>),
 }

 impl FetchResponseMsg {
@ -207,7 +209,8 @@ impl FetchResponseMsg {
            FetchResponseMsg::ProcessRequestEOF(id) |
            FetchResponseMsg::ProcessResponse(id, ..) |
            FetchResponseMsg::ProcessResponseChunk(id, ..) |
-            FetchResponseMsg::ProcessResponseEOF(id, ..) => *id,
+            FetchResponseMsg::ProcessResponseEOF(id, ..) |
+            FetchResponseMsg::ProcessCspViolations(id, ..) => *id,
        }
    }
 }
@ -235,6 +238,8 @@ pub trait FetchTaskTarget {
    ///
    /// Fired when the response is fully fetched
    fn process_response_eof(&mut self, request: &Request, response: &Response);
+
+    fn process_csp_violations(&mut self, request: &Request, violations: Vec<csp::Violation>);
 }

 #[derive(Clone, Debug, Deserialize, Serialize)]
@ -282,6 +287,7 @@ pub trait FetchResponseListener {
    fn resource_timing(&self) -> &ResourceFetchTiming;
    fn resource_timing_mut(&mut self) -> &mut ResourceFetchTiming;
    fn submit_resource_timing(&mut self);
+    fn process_csp_violations(&mut self, request_id: RequestId, violations: Vec<csp::Violation>);
 }

 impl FetchTaskTarget for IpcSender<FetchResponseMsg> {
@ -313,6 +319,12 @@ impl FetchTaskTarget for IpcSender<FetchResponseMsg> {

        let _ = self.send(FetchResponseMsg::ProcessResponseEOF(request.id, payload));
    }
+
+    fn process_csp_violations(&mut self, request: &Request, violations: Vec<csp::Violation>) {
+        let _ = self.send(FetchResponseMsg::ProcessCspViolations(
+            request.id, violations,
+        ));
+    }
 }

 /// A fetch task that discards all data it's sent,
@ -326,6 +338,7 @@ impl FetchTaskTarget for DiscardFetch {
    fn process_response(&mut self, _: &Request, _: &Response) {}
    fn process_response_chunk(&mut self, _: &Request, _: Vec<u8>) {}
    fn process_response_eof(&mut self, _: &Request, _: &Response) {}
+    fn process_csp_violations(&mut self, _: &Request, _: Vec<csp::Violation>) {}
 }

 pub trait Action<Listener> {
@ -366,6 +379,9 @@ impl<T: FetchResponseListener> Action<T> for FetchResponseMsg {
                    Err(e) => listener.process_response_eof(request_id, Err(e)),
                }
            },
+            FetchResponseMsg::ProcessCspViolations(request_id, violations) => {
+                listener.process_csp_violations(request_id, violations)
+            },
        }
    }
 }
@ -455,6 +471,7 @@ pub enum WebSocketDomAction {

 #[derive(Debug, Deserialize, Serialize)]
 pub enum WebSocketNetworkEvent {
+    ReportCSPViolations(Vec<csp::Violation>),
    ConnectionEstablished { protocol_in_use: Option<String> },
    MessageReceived(MessageData),
    Close(Option<u16>, String),