diff options
| author | Tim van der Lippe <TimvdLippe@users.noreply.github.com> | 2025-04-25 21:59:44 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-04-25 19:59:44 +0000 |
| commit | baa18e18afa20f3b38c17c830feb76b05f7e64fb (patch) | |
| tree | d73a1bf7432f1226b427ef2ea2c9ff1f3acc0420 /tests/html/test_3d_transform_zsort.html | |
| parent | 4ff45f86b9af63edafd98685f9d73e8a250ff9aa (diff) | |
| download | servo-main.tar.gz servo-main.zip | |
This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.
I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.
Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.
Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.
Part of #36437
Requires servo/rust-content-security-policy#5
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Diffstat (limited to 'tests/html/test_3d_transform_zsort.html')
0 files changed, 0 insertions, 0 deletions