authorTim van der Lippe <TimvdLippe@users.noreply.github.com>2025-04-13 22:54:59 +0200
committerGitHub <noreply@github.com>2025-04-13 20:54:59 +0000
commit85e4a2b5c7b4d6422d29d65e9948e61c5d2b00f9 (patch)
treec497c1b3897f68bef1ec715b8d21c6757a68a0d1 /components/script/dom/htmlscriptelement.rs
parent5d84acc06e2cb4ee6360059aa0497c6f013acbb8 (diff)
Update FetchTaskTarget to propagate CSP violations. (#36409)
It also updates the FetchResponseListener to process CSP violations to ensure that iframe elements (amongst others) properly generate the CSP events. These iframe elements are used in the Trusted Types tests themselves and weren't propagating the violations before. However, the tests themselves are still not passing since they also use Websockets, which currently aren't using the fetch machinery itself. That is fixed as part of [1]. [1]: https://github.com/servo/servo/issues/35028 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Josh Matthews <josh@joshmatthews.net> Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Diffstat (limited to 'components/script/dom/htmlscriptelement.rs')
-rw-r--r--components/script/dom/htmlscriptelement.rs12
1 files changed, 11 insertions, 1 deletions
diff --git a/components/script/dom/htmlscriptelement.rs b/components/script/dom/htmlscriptelement.rs
index 71e3d4ed72b..b1de1f41b16 100644
--- a/components/script/dom/htmlscriptelement.rs
+++ b/components/script/dom/htmlscriptelement.rs
@@ -21,6 +21,7 @@ use ipc_channel::ipc;
use js::jsval::UndefinedValue;
use js::rust::{CompileOptionsWrapper, HandleObject, Stencil, transform_str_to_source_text};
use net_traits::http_status::HttpStatus;
+use net_traits::policy_container::PolicyContainer;
use net_traits::request::{
CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata,
RequestBuilder, RequestId,
@@ -536,6 +537,11 @@ impl FetchResponseListener for ClassicContext {
fn submit_resource_timing(&mut self) {
network_listener::submit_timing(self, CanGc::note())
}
+
+ fn process_csp_violations(&mut self, _request_id: RequestId, violations: Vec<csp::Violation>) {
+ let global = &self.resource_timing_global();
+ global.report_csp_violations(violations);
+ }
}
impl ResourceTimingListener for ClassicContext {
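Review bot: In the added `process_csp_violations`, `let global = &self.resource_timing_global();` borrows a temporary only to call one method on it; `self.resource_timing_global().report_csp_violations(violations);` says the same in one line. The method also reuses the resource-timing global as the CSP reporting target without explanation. If that is intentional, a comment such as `// CSP violations are reported on the same global that receives this fetch's resource timing.` would stop a later refactor of the timing code from silently changing where violations are delivered. `_request_id` is dropped, so nothing visible here ties a violation back to the request that produced it; a brief note on why that is acceptable would help. The `impl FetchResponseListener for ClassicContext` block starts outside this hunk.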
@@ -569,6 +575,7 @@ pub(crate) fn script_fetch_request(
options: ScriptFetchOptions,
insecure_requests_policy: InsecureRequestsPolicy,
has_trustworthy_ancestor_origin: bool,
+ policy_container: PolicyContainer,
) -> RequestBuilder {
// We intentionally ignore options' credentials_mode member for classic scripts.
// The mode is initialized by create_a_potential_cors_request.
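Review bot: The new trailing `policy_container` parameter of `script_fetch_request` is undocumented, and no doc comment on the function is visible in this hunk to say whose policy the caller must supply. This value presumably decides which CSP list is enforced and reported for the script fetch, so the contract is worth stating, for example `/// policy_container: the policy container of the context initiating the fetch; its CSP list governs this request.` (wording to be confirmed against `create_a_potential_cors_request`). The signature begins and the body continues outside the hunk.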
@@ -581,6 +588,7 @@ pub(crate) fn script_fetch_request(
options.referrer,
insecure_requests_policy,
has_trustworthy_ancestor_origin,
+ policy_container,
)
.origin(origin)
.pipeline_id(Some(pipeline_id))
@@ -601,15 +609,17 @@ fn fetch_a_classic_script(
) {
// Step 1, 2.
let doc = script.owner_document();
+ let global = script.global();
let request = script_fetch_request(
doc.webview_id(),
url.clone(),
cors_setting,
doc.origin().immutable().clone(),
- script.global().pipeline_id(),
+ global.pipeline_id(),
options.clone(),
doc.insecure_requests_policy(),
doc.has_trustworthy_ancestor_origin(),
+ global.policy_container(),
);
let request = doc.prepare_request(request);
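Review bot: The call to `script_fetch_request` now takes the origin, insecure-requests policy and ancestor-origin flag from `doc`, but the pipeline id and policy container from `script.global()`. If the element's global and its owner document's window can ever differ (for example after the element is adopted into another document, which this hunk does not show), the request would carry one context's origin while being checked against another context's CSP. Either derive the policy container from the document side as well, or add a comment above `let global = script.global();` stating the invariant, e.g. `// The script element's global is its owner document's window, so this is the document's policy container.` `fetch_a_classic_script` begins before and continues after this hunk.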