author | Tim van der Lippe <TimvdLippe@users.noreply.github.com> | 2025-04-21 08:56:40 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-04-21 06:56:40 +0000 |
commit | 6bb087e3818040fdf2342eda80da2179fc95986e (patch) | |
tree | ee9cc661c1ee75facaa76526609291606a1e7249 /components/script/security_manager.rs | |
parent | fee2ea34afe8bad593d43fdbdb2a29be1352826c (diff) | |
Implement trusted types url setter (#36596)
We now check the sink of script.src for trusted types. This is the first
attribute that we check, other sinks will be implemented in follow-up
changes.
The algorithms currently hardcode various parts. That's because I need
to refactor a couple of algorithms already present in TrustedTypePolicy.
They use callbacks at the moment, which made sense for their initial
use. However, for these new algorithms they don't work. Therefore, I
will align them with the specification by taking in an enum. However,
since that's a bigger refactoring, I left that out of this PR (which is
already quite big).
The other trusted types support (createScript and createHTML) will also
be implemented separately.
Part of #36258
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Diffstat (limited to 'components/script/security_manager.rs')
-rw-r--r-- | components/script/security_manager.rs | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/components/script/security_manager.rs b/components/script/security_manager.rs index 60cf2267a2c..ee320206de2 100644 --- a/components/script/security_manager.rs +++ b/components/script/security_manager.rs @@ -62,6 +62,8 @@ pub(crate) struct CSPViolationReportBuilder { pub source_file: String, /// <https://www.w3.org/TR/CSP3/#violation-effective-directive> pub effective_directive: String, + /// <https://www.w3.org/TR/CSP3/#violation-policy> + pub original_policy: String, } impl CSPViolationReportBuilder { @@ -106,6 +108,12 @@ impl CSPViolationReportBuilder { self } + /// <https://www.w3.org/TR/CSP3/#violation-policy> + pub fn original_policy(mut self, original_policy: String) -> CSPViolationReportBuilder { + self.original_policy = original_policy; + self + } + /// <https://w3c.github.io/webappsec-csp/#strip-url-for-use-in-reports> fn strip_url_for_reports(&self, mut url: ServoUrl) -> String { let scheme = url.scheme(); @@ -141,7 +149,7 @@ impl CSPViolationReportBuilder { sample: self.sample, blocked_url: self.resource, source_file: self.source_file, - original_policy: "".to_owned(), + original_policy: self.original_policy, line_number: self.line_number, column_number: self.column_number, status_code: global.status_code().unwrap_or(0), |
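Review bot: the doc comment on the new `original_policy(mut self, original_policy: String)` setter (hunk at -106,6) is only the spec URL, so nothing on the method says which string callers are expected to pass. The struct already has a neighbouring `effective_directive: String`, which makes it easy to hand in a directive name or a partial policy by mistake. Please add a one-line description above the link stating that the value is the serialized policy that was violated, as defined at the linked CSP3 section.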
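Review bot: in the last hunk (-141,7), `original_policy: self.original_policy` gives no way to distinguish "caller never called the setter" from "policy is the empty string". None of the hunks in this file touch the builder's construction, so a report built without `.original_policy(...)` presumably still goes out with an empty value, just as the removed `"".to_owned()` did. Consider making the field an `Option<String>` or a required constructor argument so that an unset policy is caught at the call site, and confirm that the existing callers of this builder outside this file now set it. A test asserting a non-empty original policy in the report for the script.src sink would pin this down.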