Check CSP for javascript: URLs (#36709)

Also update a WPT test to fail-fast if the iframe incorrectly evaluates the `eval`. Before, it would run into a timeout if the implementation is correct. Now we reject the promise when an exception is thrown. Requires servo/rust-content-security-policy#6 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-06-06 16:45:39 +00:00 · 2025-05-02 22:13:31 +02:00 · 2025-05-02 22:13:31 +02:00 · dd63325f50
commit dd63325f50
parent b8971e528f
16 changed files with 70 additions and 57 deletions
--- a/components/script/script_thread.rs
+++ b/components/script/script_thread.rs
@ -598,7 +598,7 @@ impl ScriptThread {
        with_script_thread(|script_thread| {
            let is_javascript = load_data.url.scheme() == "javascript";
            // If resource is a request whose url's scheme is "javascript"
-            // https://html.spec.whatwg.org/multipage/#javascript-protocol
+            // https://html.spec.whatwg.org/multipage/#navigate-to-a-javascript:-url
            if is_javascript {
                let window = match script_thread.documents.borrow().find_window(pipeline_id) {
                    None => return,
@ -612,8 +612,12 @@ impl ScriptThread {
                    .clone();
                let task = task!(navigate_javascript: move || {
                    // Important re security. See https://github.com/servo/servo/issues/23373
-                    // TODO: check according to https://w3c.github.io/webappsec-csp/#should-block-navigation-request
                    if let Some(window) = trusted_global.root().downcast::<Window>() {
+                        // Step 5: If the result of should navigation request of type be blocked by
+                        // Content Security Policy? given request and cspNavigationType is "Blocked", then return. [CSP]
+                        if trusted_global.root().should_navigation_request_be_blocked(&load_data) {
+                            return;
+                        }
                        if ScriptThread::check_load_origin(&load_data.load_origin, &window.get_url().origin()) {
                            ScriptThread::eval_js_url(&trusted_global.root(), &mut load_data, CanGc::note());
                            sender
@ -622,6 +626,7 @@ impl ScriptThread {
                        }
                    }
                });
+                // Step 19 of <https://html.spec.whatwg.org/multipage/#navigate>
                global
                    .task_manager()
                    .dom_manipulation_task_source()