Add CSP check for inline style attribute (#36923)

To be able to abort the update, extract the functionality into a
separate method. Otherwise, we don't run the `node.rev_version` at the
end, which according to the comment is probably important.

Not all `style-src` tests pass and I don't fully understand why yet, but
I presume it has to do with some special quirks of stylesheets that
other CSP checks don't have. All `style-src-attr-elem` tests pass
though.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-09 19:36:55 +02:00 committed by GitHub
parent 565e16178f
commit d0de4e64d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 124 additions and 79 deletions

View file

@ -571866,6 +571866,13 @@
{}
]
],
"style-src-inline-style-with-csstext.html": [
"5e812b4aee9d0d081673a0f333f8b29187619c3d",
[
null,
{}
]
],
"style-src-multiple-policies-multiple-hashing-algorithms.html": [
"027c61d8c632f2387408b8fb6869dee69bb8913d",
[

View file

@ -1,7 +0,0 @@
[style-src-attr-blocked-src-allowed.html]
expected: TIMEOUT
[Should fire a security policy violation event]
expected: NOTRUN
[The attribute style should not be applied]
expected: FAIL

View file

@ -1,7 +0,0 @@
[style-src-elem-allowed-attr-blocked.html]
expected: TIMEOUT
[Should fire a security policy violation for the attribute]
expected: NOTRUN
[The attribute style should not be applied and the inline style should be applied]
expected: FAIL

View file

@ -1,13 +1,36 @@
[inline-style-allowed-while-cloning-objects.sub.html]
expected: TIMEOUT
[Test that violation report event was fired]
expected: NOTRUN
[inline-style-allowed-while-cloning-objects 12]
expected: FAIL
[inline-style-allowed-while-cloning-objects 14]
expected: FAIL
[non-HTML namespace]
expected: FAIL
[inline-style-allowed-while-cloning-objects 1]
expected: FAIL
[inline-style-allowed-while-cloning-objects 3]
expected: FAIL
[inline-style-allowed-while-cloning-objects 5]
expected: FAIL
[inline-style-allowed-while-cloning-objects 7]
expected: FAIL
[inline-style-allowed-while-cloning-objects 8]
expected: FAIL
[inline-style-allowed-while-cloning-objects 9]
expected: FAIL
[inline-style-allowed-while-cloning-objects 10]
expected: FAIL
[inline-style-allowed-while-cloning-objects 11]
expected: FAIL
[inline-style-allowed-while-cloning-objects 17]
expected: FAIL
[inline-style-allowed-while-cloning-objects 18]
expected: FAIL
[inline-style-allowed-while-cloning-objects 19]
expected: FAIL

View file

@ -1,3 +0,0 @@
[inline-style-attribute-blocked.sub.html]
[Expecting logs: ["violated-directive=style-src-attr","PASS"\]]
expected: FAIL

View file

@ -1,7 +0,0 @@
[style-src-inline-style-attribute-blocked.html]
expected: TIMEOUT
[Inline style attribute should not be applied without 'unsafe-inline']
expected: FAIL
[Should fire a securitypolicyviolation event]
expected: NOTRUN

View file

@ -1,4 +0,0 @@
[style_attribute_denied_missing_unsafe_hashes.html]
expected: TIMEOUT
[Test that the inline style attribute is blocked]
expected: NOTRUN

View file

@ -1,4 +0,0 @@
[style_attribute_denied_wrong_hash.html]
expected: TIMEOUT
[Test that the inline style attribute is blocked]
expected: NOTRUN

View file

@ -0,0 +1,29 @@
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="style-src 'self';">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
var t = async_test("Manipulating cssText should be allowed with 'self'");
document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
</script>
</head>
<body>
<div id='log'></div>
<div id="content">Lorem ipsum</div>
<script>
t.step(function() {
var contentEl = document.getElementById("content");
contentEl.style.cssText = 'margin-left: 2px;';
var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
assert_equals(marginLeftVal, "2px");
t.done();
});
</script>
</body>
</html>