servo

Mirrors/servo

Fork 0

mirror of https://github.com/servo/servo.git synced 2025-08-09 15:35:34 +01:00

Commit graph

Author	SHA1	Message	Date
Tim van der Lippe	baa18e18af	Support CSP report-only header (#36623 ) This turned out to be a full rabbit hole. The new header is parsed in the new `parse_csp_list_from_metadata` which sets `disposition` to `report. I was testing this with `script-src-report-only-policy-works-with-external-hash-policy.html` which was blocking the script incorrectly. Turns out that there were multiple bugs in the CSP library, as well as a missing check in `fetch` to report violations. Additionally, in several locations we were manually reporting csp violations, instead of the new `global.report_csp_violations`. As a result of that, they would double report, since the report-only header would be appended as a policy and now would report twice. Now, all callsides use `global.report_csp_violations`. As a nice side-effect, I added the code to set source file information, since that was already present for the `eval` check, but nowhere else. Part of #36437 Requires servo/rust-content-security-policy#5 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>	2025-04-25 19:59:44 +00:00
Josh Matthews	c16ca22970	Run all CSP tests in CI by default. (#36436 ) Extending the original set from #36402 since there are additional tests relevant to the work happening in #36409 and #36363. Testing: New tests in CI. Fixes: Part of https://github.com/servo/servo/issues/4577 Signed-off-by: Josh Matthews <josh@joshmatthews.net>	2025-04-10 08:09:23 +00:00

Author

SHA1

Message

Date

Tim van der Lippe

baa18e18af

Support CSP report-only header (#36623 )

This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.

I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.

Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.

Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.

Part of #36437

Requires servo/rust-content-security-policy#5

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>

2025-04-25 19:59:44 +00:00

Josh Matthews

c16ca22970

Run all CSP tests in CI by default. (#36436 )

Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.

Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>

2025-04-10 08:09:23 +00:00

2 commits