Workers created from Blobs inherit their CSP. Now we inherit the CSP and
set the correct base API url. The base API url should be used when
determining the
report-uri endpoint. Otherwise, the blob URL would be used as a base,
which is invalid and the report wouldn't be sent.
Also create a helper method to concatenate two optionals of CSPList,
which was used in several places.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Also add clarifying comments to the SRI WPT tests with
regards to the `www.` domain and how that interacts with
the integrity checks.
Lastly, adjust the casing for `Strict-Dynamic`, as in
the post-request check that should also be case-insensitive.
Closesservo/servo#37200Closesservo/servo#36760Fixesservo/servo#36499
Part of w3c/webappsec-csp#727Fixesw3c/webappsec-csp#728
Part of servo/servo#4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This makes sure that when workers are created, their global scope has
the correct policy-container set
so that we can do CSP-checks.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.
Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
