net: Perform CSP checks on fetch responses. (#37154)

Also add clarifying comments to the SRI WPT tests with
regards to the `www.` domain and how that interacts with
the integrity checks.

Lastly, adjust the casing for `Strict-Dynamic`, as in
the post-request check that should also be case-insensitive.

Closes servo/servo#37200
Closes servo/servo#36760
Fixes servo/servo#36499
Part of w3c/webappsec-csp#727
Fixes w3c/webappsec-csp#728
Part of servo/servo#4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Tim van der Lippe 2025-06-01 19:25:13 +02:00 committed by GitHub
parent ed888e284b
commit f710e2cab4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
18 changed files with 104 additions and 88 deletions


@ -1,6 +1,3 @@
[script-tag.http.html]
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-http origin and swap-origin redirection from http context.: securitypolicyviolation]
expected: FAIL
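
Review bot: one `expected: FAIL` entry for the swap-origin redirection case appears to stay in script-tag.http.html after this hunk (the header goes from 6 lines to 3, which leaves the file name plus one subtest and its expectation), and the commit message does not say which subtest still fails or why. Please name the one that remains, either the blocked check or its `securitypolicyviolation` event, in the commit message or in a linked issue, so the leftover expectation is not mistaken for an oversight.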


@ -1,6 +1,3 @@
[script-tag.https.html]
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.]
expected: FAIL
[Content Security Policy: Expects blocked for script-tag to same-https origin and swap-origin redirection from https context.: securitypolicyviolation]
expected: FAIL
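
Review bot: script-tag.https.html gets the same 6-to-3 line change as the http variant, so a failing expectation for the swap-origin redirection case remains here as well with no tracking reference. Suggest pointing both files at a single issue for the remaining failure, so the two expectations are removed together once it is fixed and the http and https metadata do not drift apart.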