Implement inline CSP check for style element (#36860)

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

components/script/dom/document.rs

@@ -4307,16 +4307,16 @@ impl Document {
         type_: csp::InlineCheckType,
         source: &str,
     ) -> csp::CheckResult {
-        let element = csp::Element {
-            nonce: el
-                .get_attribute(&ns!(), &local_name!("nonce"))
-                .map(|attr| Cow::Owned(attr.value().to_string())),
-        };
         let (result, violations) = match self.get_csp_list() {
             None => {
                 return csp::CheckResult::Allowed;
             },
             Some(csp_list) => {
+                let element = csp::Element {
+                    nonce: el
+                        .get_attribute(&ns!(), &local_name!("nonce"))
+                        .map(|attr| Cow::Owned(attr.value().to_string())),
+                };
                 csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
             },
         };

components/script/dom/htmlstyleelement.rs

@@ -4,6 +4,7 @@
 
 use std::cell::Cell;
 
+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Prefix};
 use js::rust::HandleObject;
@@ -97,8 +98,21 @@ impl HTMLStyleElement {
             return;
         }
 
-        let window = node.owner_window();
         let doc = self.owner_document();
+
+        // Step 5: If the Should element's inline behavior be blocked by Content Security Policy? algorithm
+        // returns "Blocked" when executed upon the style element, "style",
+        // and the style element's child text content, then return. [CSP]
+        if doc.should_elements_inline_type_behavior_be_blocked(
+            self.upcast(),
+            csp::InlineCheckType::Style,
+            &node.child_text_content(),
+        ) == csp::CheckResult::Blocked
+        {
+            return;
+        }
+
+        let window = node.owner_window();
         let data = node
             .GetTextContent()
             .expect("Element.textContent must be a string");

tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed.html.ini

@@ -1,7 +0,0 @@
-[style-src-elem-blocked-attr-allowed.html]
-  expected: TIMEOUT
-  [Should fire a security policy violation for the inline block]
-    expected: NOTRUN
-
-  [The inline style should not be applied and the attribute style should be applied]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed.html.ini

@@ -1,7 +0,0 @@
-[style-src-elem-blocked-src-allowed.html]
-  expected: TIMEOUT
-  [Should fire a security policy violation event]
-    expected: NOTRUN
-
-  [The inline style should not be applied]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/injected-inline-style-blocked.sub.html.ini

@@ -1,3 +0,0 @@
-[injected-inline-style-blocked.sub.html]
-  [Expecting logs: ["violated-directive=style-src-elem","violated-directive=style-src-elem","PASS"\]]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/inline-style-blocked.sub.html.ini

@@ -1,7 +0,0 @@
-[inline-style-blocked.sub.html]
-  expected: TIMEOUT
-  [Triggers securitypolicyviolation.]
-    expected: TIMEOUT
-
-  [Inline style element is blocked by CSP.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/style-src-hash-blocked.html.ini

@@ -1,7 +1,4 @@
 [style-src-hash-blocked.html]
   expected: TIMEOUT
-  [Should not load style that does not match hash]
-    expected: FAIL
-
   [Should fire a securitypolicyviolation event]
     expected: NOTRUN

tests/wpt/meta/content-security-policy/style-src/style-src-hash-case-insensitive.html.ini

@@ -0,0 +1,3 @@
+[style-src-hash-case-insensitive.html]
+  [All style elements should load because they have proper hashes]
+    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/style-src-injected-inline-style-blocked.html.ini

@@ -1,7 +1,4 @@
 [style-src-injected-inline-style-blocked.html]
   expected: TIMEOUT
-  [Injected style attributes should not be applied]
-    expected: FAIL
-
   [Should fire a securitypolicyviolation event]
     expected: NOTRUN

tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-blocked.html.ini

@@ -1,7 +1,4 @@
 [style-src-inline-style-blocked.html]
   expected: TIMEOUT
-  [Inline style element should not load without 'unsafe-inline']
-    expected: FAIL
-
   [Should fire a securitypolicyviolation event]
     expected: NOTRUN

tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-nonce-blocked.html.ini

@@ -1,7 +1,4 @@
 [style-src-inline-style-nonce-blocked.html]
   expected: TIMEOUT
-  [Should not load inline style element with invalid nonce]
-    expected: FAIL
-
   [Should fire a securitypolicyviolation event]
     expected: NOTRUN

tests/wpt/meta/content-security-policy/style-src/stylehash-basic-blocked.sub.html.ini

@@ -1,3 +0,0 @@
-[stylehash-basic-blocked.sub.html]
-  [Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"\]]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/stylenonce-allowed.sub.html.ini

@@ -1,7 +0,0 @@
-[stylenonce-allowed.sub.html]
-  expected: TIMEOUT
-  [Should fire securitypolicyviolation]
-    expected: NOTRUN
-
-  [stylenonce-allowed]
-    expected: FAIL

tests/wpt/meta/content-security-policy/style-src/stylenonce-blocked.sub.html.ini

@@ -1,7 +0,0 @@
-[stylenonce-blocked.sub.html]
-  expected: TIMEOUT
-  [Should fire securitypolicyviolation]
-    expected: NOTRUN
-
-  [stylenonce-blocked]
-    expected: FAIL