Commit graph

4 commits

Author SHA1 Message Date
Tim van der Lippe
f2d0be1b9a
script: Fix check for document root when targeting CSP events (#37474)
The check was incorrect, where it was never matching and always
discarding the element. Instead, we should check the owner document,
which is the shadow-including root of the node.

Part of #4577

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-06-15 14:54:41 +00:00
Tim van der Lippe
b6b80d4f6f
Correct event_target for CSP violations (#36887)
All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.

Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).

Fixes #36806

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-05-08 10:46:31 +00:00
Tim van der Lippe
2a81987590
Check CSP for inline event handlers (#36510)
This also ensures that document now reports all violations and we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-04-17 21:11:25 +00:00
Josh Matthews
ce4ca9ee98
Run subset of CSP tests by default. (#36402)
This will establish a baseline for the changes from #36363.

Testing: New tests in CI.
Fixes: Part of #4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
2025-04-08 14:46:25 +00:00