script: Fix check for document root when targeting CSP events (#37474)

The check was incorrect, where it was never matching and always discarding the element. Instead, we should check the owner document, which is the shadow-including root of the node. Part of #4577 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-08-06 14:10:11 +01:00 · 2025-06-15 16:54:41 +02:00 · 2025-06-15 16:54:41 +02:00 · f2d0be1b9a
commit f2d0be1b9a
parent 576c7445b8
9 changed files with 15 additions and 34 deletions
--- a/components/script/dom/globalscope.rs
+++ b/components/script/dom/globalscope.rs
@ -121,7 +121,7 @@ use crate::dom::htmlscriptelement::{ScriptId, SourceCode};
 use crate::dom::imagebitmap::ImageBitmap;
 use crate::dom::messageevent::MessageEvent;
 use crate::dom::messageport::MessagePort;
-use crate::dom::node::Node;
+use crate::dom::node::{Node, NodeTraits};
 use crate::dom::paintworkletglobalscope::PaintWorkletGlobalScope;
 use crate::dom::performance::Performance;
 use crate::dom::performanceobserver::VALID_ENTRY_TYPES;
@ -2934,7 +2934,11 @@ impl GlobalScope {
        is_js_evaluation_allowed == CheckResult::Allowed
    }

-    pub(crate) fn should_navigation_request_be_blocked(&self, load_data: &LoadData) -> bool {
+    pub(crate) fn should_navigation_request_be_blocked(
+        &self,
+        load_data: &LoadData,
+        element: Option<&Element>,
+    ) -> bool {
        let Some(csp_list) = self.get_csp_list() else {
            return false;
        };
@ -2956,7 +2960,7 @@ impl GlobalScope {
        let (result, violations) =
            csp_list.should_navigation_request_be_blocked(&request, NavigationCheckType::Other);

-        self.report_csp_violations(violations, None);
+        self.report_csp_violations(violations, element);

        result == CheckResult::Blocked
    }
@ -3627,11 +3631,10 @@ impl GlobalScope {
                // Step 3.1: If target is not null, and global is a Window,
                // and target’s shadow-including root is not global’s associated Document, set target to null.
                if let Some(window) = self.downcast::<Window>() {
-                    if !window
-                        .Document()
-                        .upcast::<Node>()
-                        .is_shadow_including_inclusive_ancestor_of(event_target.upcast())
-                    {
+                    // If a node is connected, its owner document is always the shadow-including root.
+                    // If it isn't connected, then it also doesn't have a corresponding document, hence
+                    // it can't be this document.
+                    if event_target.upcast::<Node>().owner_document() != window.Document() {
                        return None;
                    }
                }