net: Perform CSP checks on fetch responses. (#37154)

Also add clarifying comments to the SRI WPT tests with regards to the `www.` domain and how that interacts with the integrity checks. Lastly, adjust the casing for `Strict-Dynamic`, as in the post-request check that should also be case-insensitive. Closes servo/servo#37200 Closes servo/servo#36760 Fixes servo/servo#36499 Part of w3c/webappsec-csp#727 Fixes w3c/webappsec-csp#728 Part of servo/servo#4577 Signed-off-by: Josh Matthews <josh@joshmatthews.net> Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
2025-09-30 08:39:16 +01:00 · 2025-06-01 19:25:13 +02:00 · 2025-06-01 19:25:13 +02:00 · f710e2cab4
commit f710e2cab4
parent ed888e284b
18 changed files with 104 additions and 88 deletions
--- a/tests/wpt/meta/content-security-policy/connect-src/connect-src-syncxmlhttprequest-redirect-to-blocked.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/connect-src/connect-src-syncxmlhttprequest-redirect-to-blocked.sub.html.ini
@ -1,3 +0,0 @@
-[connect-src-syncxmlhttprequest-redirect-to-blocked.sub.html]
-  [Expecting logs: ["PASS Sync XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"\]]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/connect-src/connect-src-xmlhttprequest-redirect-to-blocked.sub.html.ini
@ -1,3 +0,0 @@
-[connect-src-xmlhttprequest-redirect-to-blocked.sub.html]
-  [Expecting logs: ["PASS XMLHttpRequest.send() did not follow the disallowed redirect.","TEST COMPLETE","violated-directive=connect-src"\]]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.ini
+++ b/tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.http.html.ini
@ -1,6 +1,3 @@
 [script-tag.http.html]
  [Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
    expected: FAIL
-
-  [Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.ini
+++ b/tests/wpt/meta/content-security-policy/gen/top.http-rp/script-src-self/script-tag.https.html.ini
@ -1,6 +1,3 @@
 [script-tag.https.html]
  [Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
    expected: FAIL
-
-  [Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html.ini
+++ b/tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.http.html.ini
@ -1,6 +1,3 @@
 [script-tag.http.html]
  [Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
    expected: FAIL
-
-  [Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html.ini
+++ b/tests/wpt/meta/content-security-policy/gen/top.meta/script-src-self/script-tag.https.html.ini
@ -1,6 +1,3 @@
 [script-tag.https.html]
  [Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
    expected: FAIL
-
-  [Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
-    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/generic/wildcard-host-part.sub.window.js.ini
+++ b/tests/wpt/meta/content-security-policy/generic/wildcard-host-part.sub.window.js.ini
@ -1,2 +0,0 @@
-[wildcard-host-part.sub.window.html]
-  expected: CRASH
--- a/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-connect-src.html.ini
+++ b/tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-connect-src.html.ini
@ -1,7 +1,4 @@
 [dedicatedworker-connect-src.html]
-  [Same-origin => cross-origin 'fetch()' in http: with connect-src 'self']
-    expected: FAIL
-
  [Reports match in http: with connect-src 'self']
    expected: FAIL

--- a/tests/wpt/meta/content-security-policy/reporting/report-original-url.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/reporting/report-original-url.sub.html.ini
@ -1,10 +1,3 @@
 [report-original-url.sub.html]
-  expected: TIMEOUT
-  [Block after redirect, same-origin = original URL in report]
-    expected: TIMEOUT
-
-  [Block after redirect, cross-origin = original URL in report]
-    expected: TIMEOUT
-
  [Violation report status OK.]
    expected: FAIL
--- a/tests/wpt/meta/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html.ini
@ -1,3 +0,0 @@
-[img-src-redirect.sub.html]
-  [The blocked URI in the security policy violation event should be the original URI before redirects.]
-    expected: FAIL