Implement inline CSP check for style element (#36860)

Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-06-06 16:45:39 +00:00 · 2025-05-06 20:52:27 +02:00 · 2025-05-06 20:52:27 +02:00 · e9f364ef51
commit e9f364ef51
parent d73b7653b4
14 changed files with 23 additions and 59 deletions
--- a/components/script/dom/document.rs
+++ b/components/script/dom/document.rs
@ -4307,16 +4307,16 @@ impl Document {
        type_: csp::InlineCheckType,
        source: &str,
    ) -> csp::CheckResult {
-        let element = csp::Element {
-            nonce: el
-                .get_attribute(&ns!(), &local_name!("nonce"))
-                .map(|attr| Cow::Owned(attr.value().to_string())),
-        };
        let (result, violations) = match self.get_csp_list() {
            None => {
                return csp::CheckResult::Allowed;
            },
            Some(csp_list) => {
+                let element = csp::Element {
+                    nonce: el
+                        .get_attribute(&ns!(), &local_name!("nonce"))
+                        .map(|attr| Cow::Owned(attr.value().to_string())),
+                };
                csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
            },
        };
--- a/components/script/dom/htmlstyleelement.rs
+++ b/components/script/dom/htmlstyleelement.rs
@ -4,6 +4,7 @@

 use std::cell::Cell;

+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Prefix};
 use js::rust::HandleObject;
@ -97,8 +98,21 @@ impl HTMLStyleElement {
            return;
        }

-        let window = node.owner_window();
        let doc = self.owner_document();
+
+        // Step 5: If the Should element's inline behavior be blocked by Content Security Policy? algorithm
+        // returns "Blocked" when executed upon the style element, "style",
+        // and the style element's child text content, then return. [CSP]
+        if doc.should_elements_inline_type_behavior_be_blocked(
+            self.upcast(),
+            csp::InlineCheckType::Style,
+            &node.child_text_content(),
+        ) == csp::CheckResult::Blocked
+        {
+            return;
+        }
+
+        let window = node.owner_window();
        let data = node
            .GetTextContent()
            .expect("Element.textContent must be a string");