Any CSP violations happening when loading a worker should be reported
on the global of the document that creates the worker. Since workers
run in different threads, we can't pass in this parent global into
the worker global scope. Instead, we need to send a message to the
parent event loop to report it on the correct global.
Part of https://github.com/servo/servo/issues/4577
Fixes https://github.com/servo/servo/issues/37027
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Workers created from Blobs inherit their CSP. Now we inherit the CSP and
set the correct base API url. The base API url should be used when
determining the
report-uri endpoint. Otherwise, the blob URL would be used as a base,
which is invalid and the report wouldn't be sent.
Also create a helper method to concatenate two optionals of CSPList,
which was used in several places.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This was a bit confusing at first, but the report-only only
had an effect if it was used in conjunction with the regular
CSP header. This is incorrect, as the report-only header
can be present on its own.
Additionally, there was double-logic for parsing the CSP list
values, since we can only concatenate CSP lists if we have
an initial value, which requires a concrete policy value.
Therefore, abstract that way by looping over both headers and
handling the case where initially it is `None` and, if the
CSP header is not present, still `None` when we parse
the `report-only` header.
Additionally, update a WPT test. It was expecting the image
to load, yet was showing the fail image.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Also add clarifying comments to the SRI WPT tests with
regards to the `www.` domain and how that interacts with
the integrity checks.
Lastly, adjust the casing for `Strict-Dynamic`, as in
the post-request check that should also be case-insensitive.
Closesservo/servo#37200Closesservo/servo#36760Fixesservo/servo#36499
Part of w3c/webappsec-csp#727Fixesw3c/webappsec-csp#728
Part of servo/servo#4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This makes sure that when workers are created, their global scope has
the correct policy-container set
so that we can do CSP-checks.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.
Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
