Update FetchTaskTarget to propagate CSP violations. (#36409)

It also updates the FetchResponseListener to process CSP violations to ensure that iframe elements (amongst others) properly generate the CSP events. These iframe elements are used in the Trusted Types tests themselves and weren't propagating the violations before. However, the tests themselves are still not passing since they also use Websockets, which currently aren't using the fetch machinery itself. That is fixed as part of [1]. [1]: https://github.com/servo/servo/issues/35028 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Josh Matthews <josh@joshmatthews.net> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
2025-07-22 23:03:42 +01:00 · 2025-04-13 22:54:59 +02:00 · 2025-04-13 22:54:59 +02:00 · 85e4a2b5c7
commit 85e4a2b5c7
parent 5d84acc06e
146 changed files with 511 additions and 612 deletions
--- a/components/script/fetch.rs
+++ b/components/script/fetch.rs
@ -6,8 +6,9 @@ use std::rc::Rc;
 use std::sync::{Arc, Mutex};

 use base::id::WebViewId;
+use content_security_policy as csp;
 use ipc_channel::ipc;
-use net_traits::policy_container::RequestPolicyContainer;
+use net_traits::policy_container::{PolicyContainer, RequestPolicyContainer};
 use net_traits::request::{
    CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, Referrer,
    Request as NetTraitsRequest, RequestBuilder, RequestId, RequestMode, ServiceWorkersMode,
@ -309,6 +310,11 @@ impl FetchResponseListener for FetchContext {
            network_listener::submit_timing(self, CanGc::note())
        }
    }
+
+    fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+        let global = &self.resource_timing_global();
+        global.report_csp_violations(violations);
+    }
 }

 impl ResourceTimingListener for FetchContext {
@ -352,8 +358,9 @@ pub(crate) fn load_whole_resource(
    let mut metadata = None;
    loop {
        match action_receiver.recv().unwrap() {
-            FetchResponseMsg::ProcessRequestBody(..) | FetchResponseMsg::ProcessRequestEOF(..) => {
-            },
+            FetchResponseMsg::ProcessRequestBody(..) |
+            FetchResponseMsg::ProcessRequestEOF(..) |
+            FetchResponseMsg::ProcessCspViolations(..) => {},
            FetchResponseMsg::ProcessResponse(_, Ok(m)) => {
                metadata = Some(match m {
                    FetchMetadata::Unfiltered(m) => m,
@ -385,6 +392,7 @@ pub(crate) fn create_a_potential_cors_request(
    referrer: Referrer,
    insecure_requests_policy: InsecureRequestsPolicy,
    has_trustworthy_ancestor_origin: bool,
+    policy_container: PolicyContainer,
 ) -> RequestBuilder {
    RequestBuilder::new(webview_id, url, referrer)
        // https://html.spec.whatwg.org/multipage/#create-a-potential-cors-request
@ -405,4 +413,5 @@ pub(crate) fn create_a_potential_cors_request(
        .use_url_credentials(true)
        .insecure_requests_policy(insecure_requests_policy)
        .has_trustworthy_ancestor_origin(has_trustworthy_ancestor_origin)
+        .policy_container(policy_container)
 }