Diffstat (limited to 'components/script')
-rw-r--r--components/script/dom/document.rs19
-rw-r--r--components/script/dom/eventtarget.rs21
-rw-r--r--components/script/dom/globalscope.rs11
-rw-r--r--components/script/dom/htmlbodyelement.rs3
-rw-r--r--components/script/dom/htmlelement.rs4
5 files changed, 42 insertions, 16 deletions
diff --git a/components/script/dom/document.rs b/components/script/dom/document.rs
index b775bdd4582..0d39a12c15e 100644
--- a/components/script/dom/document.rs
+++ b/components/script/dom/document.rs
@@ -4017,13 +4017,18 @@ impl Document {
.get_attribute(&ns!(), &local_name!("nonce"))
.map(|attr| Cow::Owned(attr.value().to_string())),
};
- // TODO: Instead of ignoring violations, report them.
- self.get_csp_list()
- .map(|c| {
- c.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
- .0
- })
- .unwrap_or(csp::CheckResult::Allowed)
+ let (result, violations) = match self.get_csp_list() {
+ None => {
+ return csp::CheckResult::Allowed;
+ },
+ Some(csp_list) => {
+ csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source)
+ },
+ };
+
+ self.global().report_csp_violations(violations);
+
+ result
}
/// Prevent any JS or layout from running until the corresponding call to
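Review bot: The `match` whose only `None` arm is an early return reads more directly as a `let else` guard: `let Some(csp_list) = self.get_csp_list() else { return csp::CheckResult::Allowed; };` followed by `let (result, violations) = csp_list.should_elements_inline_type_behavior_be_blocked(&element, type_, source);`. Reporting before returning `result` is the right order if a report-only policy can yield Allowed together with violations that still need delivering; that intent deserves a one-line comment such as `// Always report, even when the result is Allowed (report-only policies).`, once confirmed against the csp crate's semantics. The function's signature and the start of its body are above the hunk.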
diff --git a/components/script/dom/eventtarget.rs b/components/script/dom/eventtarget.rs
index ea76bbf2a8b..1a5aafb0ae7 100644
--- a/components/script/dom/eventtarget.rs
+++ b/components/script/dom/eventtarget.rs
@@ -11,6 +11,7 @@ use std::mem;
use std::ops::{Deref, DerefMut};
use std::rc::Rc;
+use content_security_policy as csp;
use deny_public_fields::DenyPublicFields;
use dom_struct::dom_struct;
use fnv::FnvHasher;
@@ -551,9 +552,25 @@ impl EventTarget {
url: ServoUrl,
line: usize,
ty: &str,
- source: DOMString,
+ source: &str,
) {
- let handler = InternalRawUncompiledHandler { source, line, url };
+ if let Some(element) = self.downcast::<Element>() {
+ let doc = element.owner_document();
+ if doc.should_elements_inline_type_behavior_be_blocked(
+ element.upcast(),
+ csp::InlineCheckType::ScriptAttribute,
+ source,
+ ) == csp::CheckResult::Blocked
+ {
+ return;
+ }
+ };
+
+ let handler = InternalRawUncompiledHandler {
+ source: DOMString::from(source),
+ line,
+ url,
+ };
self.set_inline_event_listener(
Atom::from(ty),
Some(InlineEventListener::Uncompiled(handler)),
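Review bot: The new CSP check at `if let Some(element) = self.downcast::<Element>()` is skipped whenever the event target is not an Element, and the HTMLBodyElement hunk is exactly that case: it forwards `onload`/`onresize`/`onunload`/`onerror` through `window.upcast::<EventTarget>()`, so the downcast yields None and body-attribute handlers bypass the `ScriptAttribute` check entirely. As I read the HTML event-handler-content-attribute steps the check is run upon the element carrying the attribute, so the forwarding site needs a way to hand that element in; one option is an explicit `owner: Option<&Element>` parameter with the downcast as fallback, with the HTMLBodyElement and HTMLElement call sites passing their own element (any other callers of set_event_handler_uncompiled outside this diff would need the same update). The stray `;` after the `if let` block, just before the blank line, is harmless but unidiomatic. The function's signature begins, and its body continues, outside the hunk.
```rust
        source: &str,
        owner: Option<&Element>,
    ) {
        // Window-forwarded handlers (body/frameset) arrive with the Window as
        // `self`; the caller must supply the element that carried the attribute.
        let element = owner.or_else(|| self.downcast::<Element>());
        if let Some(element) = element {
            let doc = element.owner_document();
            if doc.should_elements_inline_type_behavior_be_blocked(
                element.upcast(),
                csp::InlineCheckType::ScriptAttribute,
                source,
            ) == csp::CheckResult::Blocked
            {
                return;
            }
        }
        // … unchanged: build InternalRawUncompiledHandler and install the inline listener …
```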
diff --git a/components/script/dom/globalscope.rs b/components/script/dom/globalscope.rs
index e56f4693e35..2582291ed87 100644
--- a/components/script/dom/globalscope.rs
+++ b/components/script/dom/globalscope.rs
@@ -3450,12 +3450,15 @@ impl GlobalScope {
pub(crate) fn report_csp_violations(&self, violations: Vec<Violation>) {
for violation in violations {
- let sample = match violation.resource {
- ViolationResource::Inline { .. } | ViolationResource::Url(_) => None,
- ViolationResource::TrustedTypePolicy { sample } => Some(sample),
+ let (sample, resource) = match violation.resource {
+ ViolationResource::Inline { .. } => (None, "inline".to_owned()),
+ ViolationResource::Url(url) => (None, url.into()),
+ ViolationResource::TrustedTypePolicy { sample } => {
+ (Some(sample), "trusted-types-policy".to_owned())
+ },
};
let report = CSPViolationReportBuilder::default()
- .resource("eval".to_owned())
+ .resource(resource)
.sample(sample)
.effective_directive(violation.directive.name)
.build(self);
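Review bot: `ViolationResource::Url(url) => (None, url.into())` forwards the blocked resource's full URL into the report; if `resource` ends up as the report's blocked-uri, CSP requires the URL to be stripped for reporting (fragment removed, cross-origin URLs reduced to their origin) so that the path and query of third-party resources are not disclosed to the report endpoint — confirm that `CSPViolationReportBuilder` or the sink does this, and if not, apply the stripping here before `.resource(resource)`. Since all three arms produce a `String`, spelling the conversion as `url.to_string()` or `String::from(url)` would make the target type visible instead of relying on inference from the sibling arms; which form applies depends on the type inside `Url(_)`, which the hunk does not show. `report_csp_violations` continues past the end of the hunk.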
diff --git a/components/script/dom/htmlbodyelement.rs b/components/script/dom/htmlbodyelement.rs
index ba3316f889b..5cd877cdf82 100644
--- a/components/script/dom/htmlbodyelement.rs
+++ b/components/script/dom/htmlbodyelement.rs
@@ -201,13 +201,14 @@ impl VirtualMethods for HTMLBodyElement {
&local_name!("onresize") |
&local_name!("onunload") |
&local_name!("onerror") => {
+ let source = &**attr.value();
let evtarget = window.upcast::<EventTarget>(); // forwarded event
let source_line = 1; //TODO(#9604) obtain current JS execution line
evtarget.set_event_handler_uncompiled(
window.get_url(),
source_line,
&name[2..],
- DOMString::from((**attr.value()).to_owned()),
+ source,
);
false
},
diff --git a/components/script/dom/htmlelement.rs b/components/script/dom/htmlelement.rs
index 14c85603740..0cdfebf5342 100644
--- a/components/script/dom/htmlelement.rs
+++ b/components/script/dom/htmlelement.rs
@@ -1084,14 +1084,14 @@ impl VirtualMethods for HTMLElement {
let element = self.as_element();
match (attr.local_name(), mutation) {
(name, AttributeMutation::Set(_)) if name.starts_with("on") => {
+ let source = &**attr.value();
let evtarget = self.upcast::<EventTarget>();
let source_line = 1; //TODO(#9604) get current JS execution line
evtarget.set_event_handler_uncompiled(
self.owner_window().get_url(),
source_line,
&name[2..],
- // FIXME(ajeffrey): Convert directly from AttrValue to DOMString
- DOMString::from(&**attr.value()),
+ source,
);
},
(&local_name!("form"), mutation) if self.is_form_associated_custom_element() => {