From 6bb087e3818040fdf2342eda80da2179fc95986e Mon Sep 17 00:00:00 2001
From: Tim van der Lippe
Date: Mon, 21 Apr 2025 08:56:40 +0200
Subject: Implement trusted types url setter (#36596)

We now check the sink of script.src for trusted types. This is the first attribute that we check, other sinks will be implemented in follow-up changes. The algorithms currently hardcode various parts. That's because I need to refactor a couple of algorithms already present in TrustedTypePolicy. They use callbacks at the moment, which made sense for their initial use. However, for these new algorithms they don't work. Therefore, I will align them with the specification by taking in an enum. However, since that's a bigger refactoring, I left that out of this PR (which is already quite big). The other trusted types support (createScript and createHTML) will also be implemented separately. Part of #36258
---------
Signed-off-by: Tim van der Lippe
Signed-off-by: Tim van der Lippe
Co-authored-by: Josh Matthews
---
 components/script/security_manager.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'components/script/security_manager.rs')
diff --git a/components/script/security_manager.rs b/components/script/security_manager.rs
index 60cf2267a2c..ee320206de2 100644
--- a/components/script/security_manager.rs
+++ b/components/script/security_manager.rs
@@ -62,6 +62,8 @@ pub(crate) struct CSPViolationReportBuilder {
 pub source_file: String,
 ///
 pub effective_directive: String,
+ ///
+ pub original_policy: String,
 }
 impl CSPViolationReportBuilder {
@@ -106,6 +108,12 @@ impl CSPViolationReportBuilder {
 self
 }
+ ///
+ pub fn original_policy(mut self, original_policy: String) -> CSPViolationReportBuilder {
+ self.original_policy = original_policy;
+ self
+ }
+
 ///
 fn strip_url_for_reports(&self, mut url: ServoUrl) -> String {
 let scheme = url.scheme();
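Review bot: The new `original_policy` field in the first hunk is a plain `String` and the setter in the second hunk is optional, so a call site that never chains `.original_policy(...)` will presumably still produce a report with an empty policy, just as the old hardcoded `"".to_owned()` did at the build site (`@@ -141,7 +149,7 @@`). How the builder is initialised is not visible in these hunks, so the empty default is inferred rather than confirmed. Whoever triages CSP reports needs this field to tell which policy fired, so the contract should be stated on the field, for example `/// Serialized form of the violated policy; empty only when the caller has no policy to report.`. Once the follow-up sinks land, consider taking the policy as a constructor argument so it cannot be left out silently. The struct, the `impl` block and the build function all continue outside the hunks shown.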
@@ -141,7 +149,7 @@ impl CSPViolationReportBuilder {
 sample: self.sample,
 blocked_url: self.resource,
 source_file: self.source_file,
- original_policy: "".to_owned(),
+ original_policy: self.original_policy,
 line_number: self.line_number,
 column_number: self.column_number,
 status_code: global.status_code().unwrap_or(0),
-- cgit v1.2.3