author | Tim van der Lippe <TimvdLippe@users.noreply.github.com> | 2025-05-06 20:52:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-05-06 18:52:27 +0000 |
commit | e9f364ef51b067192c67c9aaab936151fa577ed5 (patch) | |
tree | 51b55cc2b65910648a9fd4b5917fd134a45c61c4 /components/script/dom | |
parent | d73b7653b477e80533fd16ef5c12697e411b73c8 (diff) | |
download | servo-e9f364ef51b067192c67c9aaab936151fa577ed5.tar.gz servo-e9f364ef51b067192c67c9aaab936151fa577ed5.zip |
Implement inline CSP check for style element (#36860)
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Diffstat (limited to 'components/script/dom')
-rw-r--r-- | components/script/dom/document.rs | 10 | ||||
-rw-r--r-- | components/script/dom/htmlstyleelement.rs | 16 |
2 files changed, 20 insertions, 6 deletions
diff --git a/components/script/dom/document.rs b/components/script/dom/document.rs
index ae48fa1fb2f..e3590461604 100644
--- a/components/script/dom/document.rs
+++ b/components/script/dom/document.rs
@@ -4307,16 +4307,16 @@ impl Document {
 type_: csp::InlineCheckType,
 source: &str,
 ) -> csp::CheckResult {
- let element = csp::Element {
- nonce: el
- .get_attribute(&ns!(), &local_name!("nonce"))
- .map(|attr| Cow::Owned(attr.value().to_string())),
- };
 let (result, violations) = match self.get_csp_list() {
 None => {
 return csp::CheckResult::Allowed;
 },
 Some(csp_list) => {
+ let element = csp::Element {
+ nonce: el
+ .get_attribute(&ns!(), &local_name!("nonce"))
+ .map(|attr| Cow::Owned(attr.value().to_string())),
+ };
 csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
 },
 };
diff --git a/components/script/dom/htmlstyleelement.rs b/components/script/dom/htmlstyleelement.rs
index 0deb507f283..194b81729fb 100644
--- a/components/script/dom/htmlstyleelement.rs
+++ b/components/script/dom/htmlstyleelement.rs
@@ -4,6 +4,7 @@
 use std::cell::Cell;
+use content_security_policy as csp;
 use dom_struct::dom_struct;
 use html5ever::{LocalName, Prefix};
 use js::rust::HandleObject;
@@ -97,8 +98,21 @@ impl HTMLStyleElement {
 return;
 }
- let window = node.owner_window();
 let doc = self.owner_document();
+
+ // Step 5: If the Should element's inline behavior be blocked by Content Security Policy? algorithm
+ // returns "Blocked" when executed upon the style element, "style",
+ // and the style element's child text content, then return. [CSP]
+ if doc.should_elements_inline_type_behavior_be_blocked(
+ self.upcast(),
+ csp::InlineCheckType::Style,
+ &node.child_text_content(),
+ ) == csp::CheckResult::Blocked
+ {
+ return;
+ }
+
+ let window = node.owner_window();
 let data = node
 .GetTextContent()
 .expect("Element.textContent must be a string"); |
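Review bot: The nonce passed to the CSP check in the `Some(csp_list)` arm is read from the `nonce` content attribute via `el.get_attribute(&ns!(), &local_name!("nonce"))`. The HTML and CSP specifications match nonces against the element's `[[CryptographicNonce]]` internal slot, because the content attribute is set to the empty string once the element is connected to a document with a header-delivered policy (nonce hiding). If Servo implements that hiding now or later, this lookup would see an empty value and nonce-based allowances for inline styles would stop matching. A comment on the lookup such as `// TODO: read the [[CryptographicNonce]] slot rather than the content attribute` would record the gap. The function's opening and its handling of `violations` lie outside this hunk, so this is based on the visible lines only.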
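Review bot: The new Step 5 check validates `node.child_text_content()`, but the text bound to `data` a few lines later still comes from `node.GetTextContent()`, so the policy decision and the parsed stylesheet may be based on different strings. By their DOM definitions, child text content covers only direct Text children while `textContent` covers all Text descendants, so the two would differ if script appends an element containing text to the `<style>` element. A hash-source could then be matched against one string while another is parsed; this is inferred from the names, since neither helper's body is visible here. Binding the text once and using it for both keeps them in sync and matches the comment's wording: `let data = node.child_text_content();`, then pass `&data` to `should_elements_inline_type_behavior_be_blocked`. The rest of the function, including how `data` is consumed, is outside this hunk.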