authorbors-servo <lbergstrom+bors@mozilla.com>2019-10-17 10:44:00 -0400
committerGitHub <noreply@github.com>2019-10-17 10:44:00 -0400
commit58c61d3aed273f29d0b19d80b194dc384ce147f0 (patch)
treed647f56aa041267fbf52c40bca02b11d89e49b1a /components/script/dom/servoparser
parentd8f2f2ef0e7354afecd0f3fc398629013480bafb (diff)
parentb8f3e8bb2e9bed269a06134c902a139cfa42eb1c (diff)
Auto merge of #24315 - notriddle:GH-4577, r=nox
Add simple implementation of content-security-policy on network requests This needs a lot more hooks before it'll actually be a good implementation, but for a start it can help get some feedback on if this is the right way to go about it. Part of servo/servo#4577 but we should probably track the rest of the implementation somewhere. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] There are tests for these changes (before merging, this PR should fix at least some of the WPT tests for CSP) <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/24315) <!-- Reviewable:end -->
Diffstat (limited to 'components/script/dom/servoparser')
-rw-r--r--components/script/dom/servoparser/mod.rs28
1 files changed, 28 insertions, 0 deletions
diff --git a/components/script/dom/servoparser/mod.rs b/components/script/dom/servoparser/mod.rs
index a05dea2a66d..91b5c9bfce6 100644
--- a/components/script/dom/servoparser/mod.rs
+++ b/components/script/dom/servoparser/mod.rs
@@ -35,6 +35,7 @@ use crate::dom::text::Text;
use crate::dom::virtualmethods::vtable_for;
use crate::network_listener::PreInvoke;
use crate::script_thread::ScriptThread;
+use content_security_policy::{self as csp, CspList};
use dom_struct::dom_struct;
use embedder_traits::resources::{self, Resource};
use encoding_rs::Encoding;
@@ -736,6 +737,31 @@ impl FetchResponseListener for ParserContext {
.and_then(|meta| meta.content_type)
.map(Serde::into_inner)
.map(Into::into);
+
+ // https://www.w3.org/TR/CSP/#initialize-document-csp
+ // TODO: Implement step 1 (local scheme special case)
+ let csp_list = metadata.as_ref().and_then(|m| {
+ let h = m.headers.as_ref()?;
+ let mut csp = h.get_all("content-security-policy").iter();
+ // This silently ignores the CSP if it contains invalid Unicode.
+ // We should probably report an error somewhere.
+ let c = csp.next().and_then(|c| c.to_str().ok())?;
+ let mut csp_list = CspList::parse(
+ c,
+ csp::PolicySource::Header,
+ csp::PolicyDisposition::Enforce,
+ );
+ for c in csp {
+ let c = c.to_str().ok()?;
+ csp_list.append(CspList::parse(
+ c,
+ csp::PolicySource::Header,
+ csp::PolicyDisposition::Enforce,
+ ));
+ }
+ Some(csp_list)
+ });
+
let parser = match ScriptThread::page_headers_available(&self.id, metadata) {
Some(parser) => parser,
None => return,
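Review bot: The `?` on `c.to_str().ok()?` at both the first-value line and inside the `for c in csp` loop makes one header value with invalid UTF-8 discard every policy, including the already-parsed valid ones, so the document ends up with no CSP at all (the `None` is then handed to `set_csp_list` in the next hunk); that is fail-open for a security header, which the in-hunk comment acknowledges but the code should not do. Parsing each value on its own and decoding it lossily keeps the list, and the malformed token is then rejected by the parser rather than silently widening what the page may load; `HeaderValue::as_bytes()` avoids the `to_str()` round-trip entirely. The folding into a single `CspList` also reads more plainly without the first-element special case. The enclosing `FetchResponseListener` method starts and ends outside this hunk, and I have not checked whether `Content-Security-Policy-Report-Only` is meant to be handled elsewhere.
```rust
let csp_list = metadata.as_ref().and_then(|m| {
    let h = m.headers.as_ref()?;
    let mut csp_list: Option<CspList> = None;
    for value in h.get_all("content-security-policy").iter() {
        // One malformed value must not drop the other policies: decode
        // lossily so the bad token fails parsing instead of the whole
        // list disappearing (fail closed, not open).
        let value = String::from_utf8_lossy(value.as_bytes());
        let parsed = CspList::parse(
            &value,
            csp::PolicySource::Header,
            csp::PolicyDisposition::Enforce,
        );
        match csp_list.as_mut() {
            Some(list) => list.append(parsed),
            None => csp_list = Some(parsed),
        }
    }
    csp_list
});
// … unchanged: page_headers_available match …
```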
@@ -744,6 +770,8 @@ impl FetchResponseListener for ParserContext {
return;
}
+ parser.document.set_csp_list(csp_list);
+
self.parser = Some(Trusted::new(&*parser));
match content_type {