net: Perform CSP checks on fetch responses. (#37154)

Also add clarifying comments to the SRI WPT tests with
regards to the `www.` domain and how that interacts with
the integrity checks.

Lastly, adjust the casing for `Strict-Dynamic` in the post-request check,
which should also be case-insensitive.

Closes servo/servo#37200
Closes servo/servo#36760
Fixes servo/servo#36499
Part of w3c/webappsec-csp#727
Fixes w3c/webappsec-csp#728
Part of servo/servo#4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Tim van der Lippe 2025-06-01 19:25:13 +02:00 committed by GitHub
parent ed888e284b
commit f710e2cab4
18 changed files with 104 additions and 88 deletions


@ -43,7 +43,8 @@ use crate::async_runtime::HANDLE;
use crate::connector::{CACertificates, TlsConfig, create_tls_config};
use crate::cookie::ServoCookie;
use crate::fetch::methods::{
should_request_be_blocked_by_csp, should_request_be_blocked_due_to_a_bad_port,
convert_request_to_csp_request, should_request_be_blocked_by_csp,
should_request_be_blocked_due_to_a_bad_port,
};
use crate::hosts::replace_host;
use crate::http_loader::HttpState;
@ -390,14 +391,18 @@ fn connect(
RequestPolicyContainer::PolicyContainer(container) => container.to_owned(),
};
let (check_result, violations) = should_request_be_blocked_by_csp(&request, &policy_container);
if let Some(csp_request) = convert_request_to_csp_request(&request) {
let (check_result, violations) =
should_request_be_blocked_by_csp(&csp_request, &policy_container);
if !violations.is_empty() {
let _ = resource_event_sender.send(WebSocketNetworkEvent::ReportCSPViolations(violations));
}
if !violations.is_empty() {
let _ =
resource_event_sender.send(WebSocketNetworkEvent::ReportCSPViolations(violations));
}
if check_result == csp::CheckResult::Blocked {
return Err("Blocked by Content-Security-Policy".to_string());
if check_result == csp::CheckResult::Blocked {
return Err("Blocked by Content-Security-Policy".to_string());
}
}
let client = match create_request(