Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-06-06 16:45:39 +00:00
Code Issues Projects Releases Packages Wiki Activity

Implement inline CSP check for style element (#36860)

Browse source 
Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-06 20:52:27 +02:00 committed by GitHub
parent d73b7653b4
commit e9f364ef51
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 23 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

10
components/script/dom/document.rs
View file

@ -4307,16 +4307,16 @@ impl Document {
type_: csp::InlineCheckType,
source: &str,
) -> csp::CheckResult {
let element = csp::Element {
nonce: el
.get_attribute(&ns!(), &local_name!("nonce"))
.map(|attr| Cow::Owned(attr.value().to_string())),
};
let (result, violations) = match self.get_csp_list() {
None => {
return csp::CheckResult::Allowed;
},
Some(csp_list) => {
let element = csp::Element {
nonce: el
.get_attribute(&ns!(), &local_name!("nonce"))
.map(|attr| Cow::Owned(attr.value().to_string())),
};
csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
},
};

16
components/script/dom/htmlstyleelement.rs
View file

@ -4,6 +4,7 @@
use std::cell::Cell;
use content_security_policy as csp;
use dom_struct::dom_struct;
use html5ever::{LocalName, Prefix};
use js::rust::HandleObject;
@ -97,8 +98,21 @@ impl HTMLStyleElement {
return;
}
let window = node.owner_window();
let doc = self.owner_document();
// Step 5: If the Should element's inline behavior be blocked by Content Security Policy? algorithm
// returns "Blocked" when executed upon the style element, "style",
// and the style element's child text content, then return. [CSP]
if doc.should_elements_inline_type_behavior_be_blocked(
self.upcast(),
csp::InlineCheckType::Style,
&node.child_text_content(),
) == csp::CheckResult::Blocked
{
return;
}
let window = node.owner_window();
let data = node
.GetTextContent()
.expect("Element.textContent must be a string");

7
tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html.ini vendored
View file

@ -1,7 +0,0 @@
[style-src-elem-blocked-attr-allowed.html]
expected: TIMEOUT
[Should fire a security policy violation for the inline block]
expected: NOTRUN
[The inline style should not be applied and the attribute style should be applied]
expected: FAIL

7
tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html.ini vendored
View file

@ -1,7 +0,0 @@
[style-src-elem-blocked-src-allowed.html]
expected: TIMEOUT
[Should fire a security policy violation event]
expected: NOTRUN
[The inline style should not be applied]
expected: FAIL

3
tests/wpt/meta/content-security-policy/style-src/injected-inline-style-blocked.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[injected-inline-style-blocked.sub.html]
[Expecting logs: ["violated-directive=style-src-elem","violated-directive=style-src-elem","PASS"\]]
expected: FAIL

7
tests/wpt/meta/content-security-policy/style-src/inline-style-blocked.sub.html.ini vendored
View file

@ -1,7 +0,0 @@
[inline-style-blocked.sub.html]
expected: TIMEOUT
[Triggers securitypolicyviolation.]
expected: TIMEOUT
[Inline style element is blocked by CSP.]
expected: FAIL

3
tests/wpt/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-src-hash-blocked.html]
expected: TIMEOUT
[Should not load style that does not match hash]
expected: FAIL
[Should fire a securitypolicyviolation event]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/style-src/style-src-hash-case-insensitive.html.ini vendored Normal file
View file

@ -0,0 +1,3 @@
[style-src-hash-case-insensitive.html]
[All style elements should load because they have proper hashes]
expected: FAIL

3
tests/wpt/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-src-injected-inline-style-blocked.html]
expected: TIMEOUT
[Injected style attributes should not be applied]
expected: FAIL
[Should fire a securitypolicyviolation event]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-src-inline-style-blocked.html]
expected: TIMEOUT
[Inline style element should not load without 'unsafe-inline']
expected: FAIL
[Should fire a securitypolicyviolation event]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini vendored
View file

@ -1,7 +1,4 @@
[style-src-inline-style-nonce-blocked.html]
expected: TIMEOUT
[Should not load inline style element with invalid nonce]
expected: FAIL
[Should fire a securitypolicyviolation event]
expected: NOTRUN

3
tests/wpt/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[stylehash-basic-blocked.sub.html]
[Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"\]]
expected: FAIL

7
tests/wpt/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini vendored
View file

@ -1,7 +0,0 @@
[stylenonce-allowed.sub.html]
expected: TIMEOUT
[Should fire securitypolicyviolation]
expected: NOTRUN
[stylenonce-allowed]
expected: FAIL

7
tests/wpt/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini vendored
View file

@ -1,7 +0,0 @@
[stylenonce-blocked.sub.html]
expected: TIMEOUT
[Should fire securitypolicyviolation]
expected: NOTRUN
[stylenonce-blocked]
expected: FAIL