diff options
| author | bors-servo <lbergstrom+bors@mozilla.com> | 2019-10-17 10:44:00 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-17 10:44:00 -0400 |
| commit | 58c61d3aed273f29d0b19d80b194dc384ce147f0 (patch) | |
| tree | d647f56aa041267fbf52c40bca02b11d89e49b1a /components/script/dom/htmlscriptelement.rs | |
| parent | d8f2f2ef0e7354afecd0f3fc398629013480bafb (diff) | |
| parent | b8f3e8bb2e9bed269a06134c902a139cfa42eb1c (diff) | |
| download | servo-58c61d3aed273f29d0b19d80b194dc384ce147f0.tar.gz servo-58c61d3aed273f29d0b19d80b194dc384ce147f0.zip | |
Auto merge of #24315 - notriddle:GH-4577, r=nox
Add simple implementation of content-security-policy on network requests
This needs a lot more hooks before it'll actually be a good implementation, but for a start it can help get some feedback on if this is the right way to go about it.
Part of servo/servo#4577 but we should probably track the rest of the implementation somewhere.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: -->
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] There are tests for these changes (before merging, this PR should fix at least some of the WPT tests for CSP)
<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/24315)
<!-- Reviewable:end -->
Diffstat (limited to 'components/script/dom/htmlscriptelement.rs')
| -rw-r--r-- | components/script/dom/htmlscriptelement.rs | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/components/script/dom/htmlscriptelement.rs b/components/script/dom/htmlscriptelement.rs index 1bd0101c03d..dfac55a6f66 100644 --- a/components/script/dom/htmlscriptelement.rs +++ b/components/script/dom/htmlscriptelement.rs @@ -27,6 +27,7 @@ use crate::dom::performanceresourcetiming::InitiatorType; use crate::dom::virtualmethods::VirtualMethods; use crate::fetch::create_a_potential_CORS_request; use crate::network_listener::{self, NetworkListener, PreInvoke, ResourceTimingListener}; +use content_security_policy as csp; use dom_struct::dom_struct; use encoding_rs::Encoding; use html5ever::{LocalName, Prefix}; @@ -428,7 +429,16 @@ impl HTMLScriptElement { // TODO: Step 12: nomodule content attribute - // TODO(#4577): Step 13: CSP. + // Step 13. + if !element.has_attribute(&local_name!("src")) && + doc.should_elements_inline_type_behavior_be_blocked( + &element, + csp::InlineCheckType::Script, + &text, + ) == csp::CheckResult::Blocked + { + return; + } // Step 14. let for_attribute = element.get_attribute(&ns!(), &local_name!("for")); |