Add simple implementation of content-security-policy on scripts / styles

This needs a lot more hooks before it'll actually be a good implementation, but for a start it can help get some feedback on if this is the right way to go about it. Part of servo/servo#4577
2025-08-05 05:30:08 +01:00 · 2019-09-28 19:42:40 +00:00 · 2019-09-28 19:42:40 +00:00 · b8f3e8bb2e
commit b8f3e8bb2e
parent 6d488f1be2
16 changed files with 175 additions and 41 deletions
--- a/components/script/dom/globalscope.rs
+++ b/components/script/dom/globalscope.rs
@ -38,6 +38,7 @@ use crate::task_source::websocket::WebsocketTaskSource;
 use crate::task_source::TaskSourceName;
 use crate::timers::{IsInterval, OneshotTimerCallback, OneshotTimerHandle};
 use crate::timers::{OneshotTimers, TimerCallback};
+use content_security_policy::CspList;
 use devtools_traits::{ScriptToDevtoolsControlMsg, WorkerId};
 use dom_struct::dom_struct;
 use ipc_channel::ipc::IpcSender;
@ -812,6 +813,15 @@ impl GlobalScope {
    pub fn get_user_agent(&self) -> Cow<'static, str> {
        self.user_agent.clone()
    }
+
+    /// https://www.w3.org/TR/CSP/#get-csp-of-object
+    pub fn get_csp_list(&self) -> Option<CspList> {
+        if let Some(window) = self.downcast::<Window>() {
+            return window.Document().get_csp_list().map(|c| c.clone());
+        }
+        // TODO: Worker and Worklet global scopes.
+        None
+    }
 }

 fn timestamp_in_ms(time: Timespec) -> u64 {