Support CSP report-only header (#36623)

This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.

I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.

Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.

Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.

Part of #36437

Requires servo/rust-content-security-policy#5

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
This commit is contained in:
Tim van der Lippe 2025-04-25 21:59:44 +02:00 committed by GitHub
parent 4ff45f86b9
commit baa18e18af
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
23 changed files with 113 additions and 208 deletions

View file

@ -2,8 +2,11 @@
[multiple matching integrity]
expected: FAIL
[partially matching integrity]
[matching integrity]
expected: FAIL
[External script in a script tag with matching SRI hash should run.]
[matching integrity (case-insensitive algorithm)]
expected: FAIL
[matching plus unsupported integrity]
expected: FAIL

View file

@ -1,6 +0,0 @@
[304-response-should-update-csp.sub.html]
[Test that the first frame does not use nonce def]
expected: FAIL
[Test that the second frame does not use nonce abc]
expected: FAIL

View file

@ -1,4 +0,0 @@
[img-src-self-unique-origin.html]
expected: TIMEOUT
[Image's url must not match with 'self'. Image must be blocked.]
expected: TIMEOUT

View file

@ -1,19 +1,19 @@
[prefetch-generate-directives.html]
expected: TIMEOUT
[Test that script-src enabled with everything else disabled allows prefetching]
expected: FAIL
expected: TIMEOUT
[Test that script-src enabled with default-src disabled allows prefetching]
expected: FAIL
expected: NOTRUN
[Test that img-src enabled with everything else disabled allows prefetching]
expected: FAIL
expected: NOTRUN
[Test that img-src enabled with default-src disabled allows prefetching]
expected: FAIL
expected: NOTRUN
[Test that connect-src enabled with everything else disabled allows prefetching]
expected: TIMEOUT
expected: NOTRUN
[Test that connect-src enabled with default-src disabled allows prefetching]
expected: NOTRUN

View file

@ -1,6 +0,0 @@
[script-src-report-only-policy-works-with-external-hash-policy.html]
[Should fire securitypolicyviolation event]
expected: FAIL
[External script in a script tag with matching SRI hash should run.]
expected: FAIL

View file

@ -2,8 +2,11 @@
[multiple matching integrity]
expected: FAIL
[partially matching integrity]
[matching integrity]
expected: FAIL
[External script in a script tag with matching SRI hash should run.]
[matching integrity (case-insensitive algorithm)]
expected: FAIL
[matching plus unsupported integrity]
expected: FAIL

View file

@ -1,3 +0,0 @@
[script-src-strict_dynamic_discard_source_expressions.html]
[Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.]
expected: FAIL

View file

@ -1,3 +0,0 @@
[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
[Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
expected: FAIL

View file

@ -1,29 +1,5 @@
[script-src-strict_dynamic_parser_inserted.html]
expected: TIMEOUT
[Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
expected: FAIL
[Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
expected: TIMEOUT
[Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
expected: TIMEOUT

View file

@ -1,8 +1,5 @@
[upgrade-insecure-requests-reporting.https.html]
expected: TIMEOUT
[Upgraded image is reported]
expected: TIMEOUT
[Upgraded iframe is reported]
expected: TIMEOUT

View file

@ -1,30 +0,0 @@
[should-trusted-type-policy-creation-be-blocked-by-csp-001.html]
[single report-only policy with directive "trusted-type tt-policy-name"]
expected: FAIL
[single report-only policy with directive "trusted-type *"]
expected: FAIL
[single report-only policy with directive "trusted-type 'none'"]
expected: FAIL
[single report-only policy with directive "trusted-type 'allow-duplicates'"]
expected: FAIL
[single report-only policy with directive "trusted-type tt-policy-name 'allow-duplicates'"]
expected: FAIL
[single report-only policy with directive "trusted-type 'none' 'allow-duplicates'"]
expected: FAIL
[single report-only policy with directive "trusted-type 'none' tt-policy-name"]
expected: FAIL
[single report-only policy with directive "trusted-type 'none' *"]
expected: FAIL
[single report-only policy with directive "trusted-type tt-policy-name *"]
expected: FAIL
[single report-only policy with directive "trusted-type tt-policy-name1 tt-policy-name2 tt-policy-name3"]
expected: FAIL

View file

@ -1,8 +1,5 @@
[should-trusted-type-policy-creation-be-blocked-by-csp-002.html]
expected: TIMEOUT
[invalid tt-policy-name name "policy name"]
expected: FAIL
[invalid tt-policy-name name "policy*name"]
expected: FAIL

View file

@ -1,15 +0,0 @@
[should-trusted-type-policy-creation-be-blocked-by-csp-003.html]
[Multiple report-only trusted-types directives.]
expected: FAIL
[One violated report-only trusted-types directive followed by multiple enforce directives.]
expected: FAIL
[One violated enforce trusted-types directive followed by multiple report-only directives.]
expected: FAIL
[Mixing enforce and report-only policies with trusted-types directives]
expected: FAIL
[Mixing enforce and report-only policies with trusted-types directives (duplicate policy)]
expected: FAIL

View file

@ -1,6 +0,0 @@
[should-trusted-type-policy-creation-be-blocked-by-csp-004-worker.html]
[Exception and violations for CSP with multiple enforce and report-only policies.]
expected: FAIL
[Location of trusted-types violations.]
expected: FAIL

View file

@ -1,3 +0,0 @@
[should-trusted-type-policy-creation-be-blocked-by-csp-005.html]
[Location of trusted-types violations.]
expected: FAIL

View file

@ -4,6 +4,3 @@
[Trusted Type violation report: evaluating a Trusted Script violates script-src.]
expected: FAIL
[Trusted Type violation report: script-src restrictions apply after the default policy runs.]
expected: FAIL

View file

@ -1,7 +1,4 @@
[trusted-types-reporting.html]
[Trusted Type violation report: creating a forbidden policy.]
expected: FAIL
[Trusted Type violation report: creating a report-only-forbidden policy.]
expected: FAIL