Set cryptographic nonce metadata for module script fetch operations (#36776)

This fixes a bunch of CSP errors on reddit.com --------- Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
2025-08-03 04:30:10 +01:00 · 2025-04-30 22:53:24 +02:00 · 2025-04-30 22:53:24 +02:00 · d8c2a7eaf1
commit d8c2a7eaf1
parent 53107ec157
9 changed files with 4 additions and 83 deletions
--- a/components/script/script_module.rs
+++ b/components/script/script_module.rs
@ -1369,7 +1369,7 @@ pub(crate) unsafe extern "C" fn host_import_module_dynamically(
    true
 }

-#[derive(Clone, JSTraceable, MallocSizeOf)]
+#[derive(Clone, Debug, JSTraceable, MallocSizeOf)]
 /// <https://html.spec.whatwg.org/multipage/#script-fetch-options>
 pub(crate) struct ScriptFetchOptions {
    #[no_trace]
@ -1763,7 +1763,8 @@ fn fetch_single_module_script(
        .mode(mode)
        .insecure_requests_policy(global.insecure_requests_policy())
        .has_trustworthy_ancestor_origin(global.has_trustworthy_ancestor_origin())
-        .policy_container(global.policy_container().to_owned());
+        .policy_container(global.policy_container().to_owned())
+        .cryptographic_nonce_metadata(options.cryptographic_nonce.clone());

    let context = Arc::new(Mutex::new(ModuleContext {
        owner,
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
@ -1,9 +0,0 @@
-[code-cache-nonce.html]
-  [First dynamic import should use nonce=abc]
-    expected: FAIL
-
-  [Second dynamic import should use nonce=def]
-    expected: FAIL
-
-  [Third dynamic import should use nonce=ghi]
-    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
@ -1,3 +0,0 @@
-[propagate-nonce-external-classic.html]
-  [Dynamically imported module should eval when imported from script w/ a valid nonce.]
-    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini
@ -1,2 +0,0 @@
-[propagate-nonce-external-module.html]
-  expected: TIMEOUT
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
@ -1,3 +0,0 @@
-[propagate-nonce-inline-classic.html]
-  [Dynamically imported module should eval when imported from script w/ a valid nonce.]
-    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini
@ -1,3 +0,0 @@
-[propagate-nonce-inline-module.html]
-  [Dynamically imported module should eval when imported from script w/ a valid nonce.]
-    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
@ -1,18 +1,3 @@
 [string-compilation-nonce-classic.html]
-  [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
-    expected: PASS
-
-  [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
-    expected: PASS
-
  [setTimeout must inherit the nonce from the triggering script, thus execute]
    expected: FAIL
- 
-  [direct eval must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
- 
-  [indirect eval must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
- 
-  [the Function constructor must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
@ -1,18 +1,3 @@
 [string-compilation-nonce-module.html]
-  [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
-    expected: PASS
-
-  [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
-    expected: PASS
-
-  [direct eval must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
-
-  [indirect eval must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
-
-  [the Function constructor must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
-
  [setTimeout must inherit the nonce from the triggering script, thus execute]
-    expected: FAIL
+    expected: FAIL
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
@ -1,30 +0,0 @@
-[v8-code-cache.html]
-  [text/javascript: Run #1]
-    expected: FAIL
-
-  [text/javascript: Run #2]
-    expected: FAIL
-
-  [text/javascript: Run #3]
-    expected: FAIL
-
-  [text/javascript: Run #4]
-    expected: FAIL
-
-  [text/javascript: Run #5]
-    expected: FAIL
-
-  [module: Run #1]
-    expected: FAIL
-
-  [module: Run #2]
-    expected: FAIL
-
-  [module: Run #3]
-    expected: FAIL
-
-  [module: Run #4]
-    expected: FAIL
-
-  [module: Run #5]
-    expected: FAIL