This was a bit confusing at first, but the report-only only
had an effect if it was used in conjunction with the regular
CSP header. This is incorrect, as the report-only header
can be present on its own.
Additionally, there was double-logic for parsing the CSP list
values, since we can only concatenate CSP lists if we have
an initial value, which requires a concrete policy value.
Therefore, abstract that way by looping over both headers and
handling the case where initially it is `None` and, if the
CSP header is not present, still `None` when we parse
the `report-only` header.
Additionally, update a WPT test. It was expecting the image
to load, yet was showing the fail image.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The scripted_caller only has information if the context is coming
from a script. If an element fetch listener processes CSP
violations, then this information doesn't exist. Instead, we should
use the global URL and the line number. WPT tests don't appear
to expect a column number, as they are all zero. Not all elements
are updated, as I am not actually sure all of them need it.
The source position remains an Option, since there are also code
paths that don't correspond to element or script sources. Maybe
in the future we can always determine the source position, but
let's take small steps towards that.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Does not yet handle failures of endpoints, which requires us to update
metadata. I don't see that metadata being used anywhere, so I am not
sure if there is WPT coverage for it.
Part of #37238
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This also ensures that document now reports all violations and we set
the correct directive.
With these changes, all `script-src-attr-elem` WPT tests pass.
Part of #36437
Requires servo/rust-content-security-policy#3 to land first
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
It also updates the FetchResponseListener to process CSP violations to
ensure that iframe elements (amongst others) properly generate the CSP
events. These iframe elements are used in the Trusted Types tests
themselves and weren't propagating the violations before.
However, the tests themselves are still not passing since they also use
Websockets, which currently aren't using the fetch machinery itself.
That is fixed as part of [1].
[1]: https://github.com/servo/servo/issues/35028
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.
Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
