Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-07 14:35:33 +01:00
Code Issues Projects Releases Packages Wiki Activity
52290 commits 161 branches 5 tags 1.6 GiB
Commit graph

4 commits

Author SHA1 Message Date
Tim van der Lippe
d0de4e64d2
Add CSP check for inline style attribute (#36923) 
To be able to abort the update, extract the functionality into a
separate method. Otherwise, we don't run the `node.rev_version` at the
end, which according to the comment is probably important.

Not all `style-src` tests pass and I don't fully understand why yet, but
I presume it has to do with some special quirks of stylesheets that
other CSP checks don't have. All `style-src-attr-elem` tests pass
though.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
 2025-05-09 17:36:55 +00:00
Tim van der Lippe
dd63325f50
Check CSP for javascript: URLs (#36709) 
Also update a WPT test to fail-fast if the iframe incorrectly
evaluates the `eval`. Before, it would run into a timeout if
the implementation is correct. Now we reject the promise
when an exception is thrown.

Requires servo/rust-content-security-policy#6

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
 2025-05-02 20:13:31 +00:00
Tim van der Lippe
2a81987590
Check CSP for inline event handlers (#36510) 
This also ensures that document now reports all violations and we set
the correct directive.

With these changes, all `script-src-attr-elem` WPT tests pass.

Part of #36437 

Requires servo/rust-content-security-policy#3 to land first

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
 2025-04-17 21:11:25 +00:00
Josh Matthews
c16ca22970
Run all CSP tests in CI by default. (#36436) 
Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.

Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
 2025-04-10 08:09:23 +00:00