Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-07-15 19:33:46 +01:00
Code Issues Projects Releases Packages Wiki Activity

Implement initial version of ReportingObserver (#37905)

Browse source 
The specification moved around lately with how it defines its reports
and report bodies. They became dictionaries, but are currently missing
some fields [1].

Most tests won't be passing yet, since the `Reporting-Endpoints` header
isn't used yet. In fact, the specification leaves it up to the browser
to figure out when to run this task [2]. I am not sure if there some
background scheduling we can do here.

Confirmed with content-security-policy/reporting-api/
report-to-directive-allowed-in-meta.https.sub.html that the callback is
invoked. The test doesn't pass, since
the `describe_scripted_caller` is empty for HTML elements. Thus the
`source_file` is empty, whereas it should be equivalent to the current
document URL.

Part of #37328

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

[1]: https://github.com/w3c/reporting/issues/286
[2]: https://w3c.github.io/reporting/#report-delivery
This commit is contained in:
Tim van der Lippe 2025-07-07 12:43:30 +02:00 committed by GitHub
parent 3d4868592a
commit fcb2a4cd95
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 551 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

19
components/script/security_manager.rs
View file

@ -26,6 +26,7 @@ use crate::dom::csppolicyviolationreport::{
use crate::dom::event::{Event, EventBubbles, EventCancelable, EventComposed};
use crate::dom::eventtarget::EventTarget;
use crate::dom::performanceresourcetiming::InitiatorType;
use crate::dom::reportingobserver::ReportingObserver;
use crate::dom::securitypolicyviolationevent::SecurityPolicyViolationEvent;
use crate::dom::types::GlobalScope;
use crate::fetch::create_a_potential_cors_request;
@ -156,6 +157,24 @@ impl TaskOnce for CSPViolationReportTask {
{
self.post_csp_violation_to_report_uri(report_uri_directive);
}
// Step 3.5. If violations policys directive set contains a directive named "report-to" directive:
if let Some(report_to_directive) = self
.violation_policy
.directive_set
.iter()
.find(|directive| directive.name == "report-to")
{
// Step 3.5.1. Let body be a new CSPViolationReportBody, initialized as follows:
let body = self.violation_report.clone().convert();
// Step 3.5.2. Let settings object be violations global objects relevant settings object.
// Step 3.5.3. Generate and queue a report with the following arguments:
ReportingObserver::generate_and_queue_a_report(
&self.global.root(),
"csp-violation".into(),
Some(body),
report_to_directive.value.join(" ").into(),
)
}
}
}