authorTim van der Lippe <TimvdLippe@users.noreply.github.com>2025-05-09 19:36:55 +0200
committerGitHub <noreply@github.com>2025-05-09 17:36:55 +0000
commitd0de4e64d27fa029714b9f9e080491d0fec8c243 (patch)
tree53cb867fb42337b13a923da08602ad2df83a90f1 /tests
parent565e16178fad0c8a5f3f412f70bc9b9c1759ca3d (diff)
Add CSP check for inline style attribute (#36923)
To be able to abort the update, extract the functionality into a separate method. Otherwise, we don't run the `node.rev_version` at the end, which according to the comment is probably important. Not all `style-src` tests pass and I don't fully understand why yet, but I presume it has to do with some special quirks of stylesheets that other CSP checks don't have. All `style-src-attr-elem` tests pass though. Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Diffstat (limited to 'tests')
-rw-r--r--tests/wpt/meta/MANIFEST.json7
-rw-r--r--tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html.ini7
-rw-r--r--tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html.ini7
-rw-r--r--tests/wpt/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini35
-rw-r--r--tests/wpt/meta/content-security-policy/style-src/inline-style-attribute-blocked.sub.html.ini3
-rw-r--r--tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini7
-rw-r--r--tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html.ini4
-rw-r--r--tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html.ini4
-rw-r--r--tests/wpt/tests/content-security-policy/style-src/style-src-inline-style-with-csstext.html29
9 files changed, 65 insertions, 38 deletions
diff --git a/tests/wpt/meta/MANIFEST.json b/tests/wpt/meta/MANIFEST.json
index 893b07e9e3f..e62e766680d 100644
--- a/tests/wpt/meta/MANIFEST.json
+++ b/tests/wpt/meta/MANIFEST.json
@@ -571866,6 +571866,13 @@
{}
]
],
+ "style-src-inline-style-with-csstext.html": [
+ "5e812b4aee9d0d081673a0f333f8b29187619c3d",
+ [
+ null,
+ {}
+ ]
+ ],
"style-src-multiple-policies-multiple-hashing-algorithms.html": [
"027c61d8c632f2387408b8fb6869dee69bb8913d",
[
diff --git a/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html.ini b/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html.ini
deleted file mode 100644
index a5cf5faf238..00000000000
--- a/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[style-src-attr-blocked-src-allowed.html]
- expected: TIMEOUT
- [Should fire a security policy violation event]
- expected: NOTRUN
-
- [The attribute style should not be applied]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html.ini b/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html.ini
deleted file mode 100644
index 979fc151f38..00000000000
--- a/tests/wpt/meta/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[style-src-elem-allowed-attr-blocked.html]
- expected: TIMEOUT
- [Should fire a security policy violation for the attribute]
- expected: NOTRUN
-
- [The attribute style should not be applied and the inline style should be applied]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini b/tests/wpt/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
index 0c8111987c0..c99d7bd7844 100644
--- a/tests/wpt/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
+++ b/tests/wpt/meta/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub.html.ini
@@ -1,13 +1,36 @@
[inline-style-allowed-while-cloning-objects.sub.html]
- expected: TIMEOUT
- [Test that violation report event was fired]
- expected: NOTRUN
+ [non-HTML namespace]
+ expected: FAIL
- [inline-style-allowed-while-cloning-objects 12]
+ [inline-style-allowed-while-cloning-objects 1]
expected: FAIL
- [inline-style-allowed-while-cloning-objects 14]
+ [inline-style-allowed-while-cloning-objects 3]
expected: FAIL
- [non-HTML namespace]
+ [inline-style-allowed-while-cloning-objects 5]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 7]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 8]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 9]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 10]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 11]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 17]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 18]
+ expected: FAIL
+
+ [inline-style-allowed-while-cloning-objects 19]
expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/style-src/inline-style-attribute-blocked.sub.html.ini b/tests/wpt/meta/content-security-policy/style-src/inline-style-attribute-blocked.sub.html.ini
deleted file mode 100644
index 92f00acdffe..00000000000
--- a/tests/wpt/meta/content-security-policy/style-src/inline-style-attribute-blocked.sub.html.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-[inline-style-attribute-blocked.sub.html]
- [Expecting logs: ["violated-directive=style-src-attr","PASS"\]]
- expected: FAIL
diff --git a/tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini b/tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
deleted file mode 100644
index d910f28e56a..00000000000
--- a/tests/wpt/meta/content-security-policy/style-src/style-src-inline-style-attribute-blocked.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[style-src-inline-style-attribute-blocked.html]
- expected: TIMEOUT
- [Inline style attribute should not be applied without 'unsafe-inline']
- expected: FAIL
-
- [Should fire a securitypolicyviolation event]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html.ini b/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html.ini
deleted file mode 100644
index 26dc98e8f62..00000000000
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[style_attribute_denied_missing_unsafe_hashes.html]
- expected: TIMEOUT
- [Test that the inline style attribute is blocked]
- expected: NOTRUN
diff --git a/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html.ini b/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html.ini
deleted file mode 100644
index 3031a4f6f77..00000000000
--- a/tests/wpt/meta/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[style_attribute_denied_wrong_hash.html]
- expected: TIMEOUT
- [Test that the inline style attribute is blocked]
- expected: NOTRUN
diff --git a/tests/wpt/tests/content-security-policy/style-src/style-src-inline-style-with-csstext.html b/tests/wpt/tests/content-security-policy/style-src/style-src-inline-style-with-csstext.html
new file mode 100644
index 00000000000..5e812b4aee9
--- /dev/null
+++ b/tests/wpt/tests/content-security-policy/style-src/style-src-inline-style-with-csstext.html
@@ -0,0 +1,29 @@
+<!doctype html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="style-src 'self';">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+
+ <script>
+ var t = async_test("Manipulating cssText should be allowed with 'self'");
+ document.addEventListener("securitypolicyviolation", t.unreached_func("Should not trigger a security policy violation"));
+ </script>
+</head>
+<body>
+ <div id='log'></div>
+
+ <div id="content">Lorem ipsum</div>
+
+ <script>
+ t.step(function() {
+ var contentEl = document.getElementById("content");
+ contentEl.style.cssText = 'margin-left: 2px;';
+ var marginLeftVal = getComputedStyle(contentEl).getPropertyValue('margin-left');
+ assert_equals(marginLeftVal, "2px");
+ t.done();
+ });
+ </script>
+
+</body>
+</html>
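Review bot: The `securitypolicyviolation` listener registered in the head is unlikely to ever fail this test, because `t.done()` runs synchronously in the same step as the `cssText` write, while CSP violation events are dispatched from a queued task and testharness ignores callbacks on a test that is already complete. As written, only the `assert_equals` on `margin-left` is effective, so an engine that applies the style but still reports a `style-src-attr` violation for a CSSOM write would pass. Deferring completion by at least one task gives the negative check a chance to fire, for example replacing `t.done();` with `t.step_timeout(function() { t.done(); }, 0);`. A short comment above the `cssText` assignment would also help, such as `// CSSOM writes are exempt from style-src-attr; only the parsed style attribute is checked`.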