Check CSP for javascript: URLs (#36709)

Also update a WPT test to fail-fast if the iframe incorrectly evaluates the `eval`. Before, it would run into a timeout if the implementation is correct. Now we reject the promise when an exception is thrown. Requires servo/rust-content-security-policy#6 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-08-12 17:05:33 +01:00 · 2025-05-02 22:13:31 +02:00 · 2025-05-02 22:13:31 +02:00 · dd63325f50
commit dd63325f50
parent b8971e528f
16 changed files with 70 additions and 57 deletions
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_javascript_uri.html.ini
@ -1,4 +0,0 @@
-[script-src-strict_dynamic_javascript_uri.html]
-  expected: TIMEOUT
-  [Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
--- a/tests/wpt/meta/content-security-policy/script-src/script-src-trusted_types_eval_with_require_trusted_types_eval.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/script-src-trusted_types_eval_with_require_trusted_types_eval.html.ini
@ -1,13 +0,0 @@
-[script-src-trusted_types_eval_with_require_trusted_types_eval.html]
-  expected: ERROR
-  [Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via indirect `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via `new Function` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL
-
-  [Script injected via `setTimeout` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.]
-    expected: FAIL