From d8c2a7eaf1091db1eb3a0f96401977cda7f27d83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20W=C3=BClker?=
Date: Wed, 30 Apr 2025 22:53:24 +0200
Subject: [PATCH] Set cryptographic nonce metadata for module script fetch operations (#36776)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes a bunch of CSP errors on reddit.com
---------
Signed-off-by: Simon Wülker
---
 components/script/script_module.rs | 5 ++--
 .../dynamic-import/code-cache-nonce.html.ini | 9 ------
 .../propagate-nonce-external-classic.html.ini | 3 --
 .../propagate-nonce-external-module.html.ini | 2 --
 .../propagate-nonce-inline-classic.html.ini | 3 --
 .../propagate-nonce-inline-module.html.ini | 3 --
 .../string-compilation-nonce-classic.html.ini | 15 ----------
 .../string-compilation-nonce-module.html.ini | 17 +----------
 .../dynamic-import/v8-code-cache.html.ini | 30 -------------------
 9 files changed, 4 insertions(+), 83 deletions(-)
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini
 delete mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
diff --git a/components/script/script_module.rs b/components/script/script_module.rs
index c7697adeea6..0aa35a2eda8 100644
--- a/components/script/script_module.rs
+++ b/components/script/script_module.rs
@@ -1369,7 +1369,7 @@ pub(crate) unsafe extern "C" fn host_import_module_dynamically(
 true
 }
-#[derive(Clone, JSTraceable, MallocSizeOf)]
+#[derive(Clone, Debug, JSTraceable, MallocSizeOf)]
 ///
 pub(crate) struct ScriptFetchOptions {
 #[no_trace]
@@ -1763,7 +1763,8 @@ fn fetch_single_module_script(
 .mode(mode)
 .insecure_requests_policy(global.insecure_requests_policy())
 .has_trustworthy_ancestor_origin(global.has_trustworthy_ancestor_origin())
- .policy_container(global.policy_container().to_owned());
+ .policy_container(global.policy_container().to_owned())
+ .cryptographic_nonce_metadata(options.cryptographic_nonce.clone());
 let context = Arc::new(Mutex::new(ModuleContext {
 owner,
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
deleted file mode 100644
index ccad3276c85..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
+++ /dev/null
@@ -1,9 +0,0 @@
-[code-cache-nonce.html]
- [First dynamic import should use nonce=abc]
- expected: FAIL
-
- [Second dynamic import should use nonce=def]
- expected: FAIL
-
- [Third dynamic import should use nonce=ghi]
- expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
deleted file mode 100644
index 0080e7908e9..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[propagate-nonce-external-classic.html]
- [Dynamically imported module should eval when imported from script w/ a valid nonce.]
- expected: FAIL
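Review bot: The added `Debug` derive on `ScriptFetchOptions` is not used by anything visible in this patch, and it looks unrelated to the nonce fix. The second hunk reads `options.cryptographic_nonce`, which appears to be a field of this struct (the field list is outside the hunk), so a derived `{:?}` would presumably print the CSP nonce verbatim wherever these options are formatted into a log. If the derive was only needed while debugging, drop it; if it is wanted, consider a manual `impl fmt::Debug` that redacts the nonce, or at least a comment such as `// Debug output includes the CSP nonce; avoid logging these options.`. The struct body continues past the end of the hunk.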
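Review bot: The new `.cryptographic_nonce_metadata(...)` call in `fetch_single_module_script` has no comment tying it to the spec step it implements, although it is the line that lets a module fetch satisfy a nonce-based `script-src` policy. A short comment above it would help, e.g. `// Propagate the initiating script's nonce so CSP nonce-source checks apply to this module fetch.`. As far as I recall, the HTML "set up the module script request" step also copies integrity metadata, parser metadata and referrer policy from the fetch options; the builder chain starts above this hunk, so confirm those are set there rather than assuming this call completes the step. The function body begins and ends outside the hunk.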
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini
deleted file mode 100644
index 849c9b3e60d..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-module.html.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[propagate-nonce-external-module.html]
- expected: TIMEOUT
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
deleted file mode 100644
index 74b32cc06dd..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[propagate-nonce-inline-classic.html]
- [Dynamically imported module should eval when imported from script w/ a valid nonce.]
- expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini
deleted file mode 100644
index eb08f590857..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-module.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[propagate-nonce-inline-module.html]
- [Dynamically imported module should eval when imported from script w/ a valid nonce.]
- expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
index 9b3e3358ad3..8a3281def9e 100644
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
@@ -1,18 +1,3 @@
 [string-compilation-nonce-classic.html]
- [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
- expected: PASS
-
- [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
- expected: PASS
-
 [setTimeout must inherit the nonce from the triggering script, thus execute]
 expected: FAIL
-
- [direct eval must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
-
- [indirect eval must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
-
- [the Function constructor must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
\ No newline at end of file
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
index 1d3b047b68b..98d0b640164 100644
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
@@ -1,18 +1,3 @@
 [string-compilation-nonce-module.html]
- [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
- expected: PASS
-
- [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
- expected: PASS
-
- [direct eval must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
-
- [indirect eval must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
-
- [the Function constructor must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
-
 [setTimeout must inherit the nonce from the triggering script, thus execute]
- expected: FAIL
\ No newline at end of file
+ expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
deleted file mode 100644
index 64413107401..00000000000
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
+++ /dev/null
@@ -1,30 +0,0 @@
-[v8-code-cache.html]
- [text/javascript: Run #1]
- expected: FAIL
-
- [text/javascript: Run #2]
- expected: FAIL
-
- [text/javascript: Run #3]
- expected: FAIL
-
- [text/javascript: Run #4]
- expected: FAIL
-
- [text/javascript: Run #5]
- expected: FAIL
-
- [module: Run #1]
- expected: FAIL
-
- [module: Run #2]
- expected: FAIL
-
- [module: Run #3]
- expected: FAIL
-
- [module: Run #4]
- expected: FAIL
-
- [module: Run #5]
- expected: FAIL