LibWeb/CSP: Implement the script-src directive

Author: https://github.com/Lubrsi Commit: https://github.com/LadybirdBrowser/ladybird/commit/0cff47828d4 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5328 Reviewed-by: https://github.com/ADKaster ✅
2026-05-01 12:07:14 +02:00 · 2024-12-02 16:01:19 +00:00 · 2025-07-09 21:53:59 +00:00
parent 3d43462ccd
commit 0cff47828d
17 changed files with 839 additions and 14 deletions
--- a/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLScriptElement.cpp
@@ -10,6 +10,7 @@
 #include <LibTextCodec/Decoder.h>
 #include <LibWeb/Bindings/HTMLScriptElementPrototype.h>
 #include <LibWeb/Bindings/Intrinsics.h>
+#include <LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h>
 #include <LibWeb/DOM/Document.h>
 #include <LibWeb/DOM/Event.h>
 #include <LibWeb/DOM/ShadowRoot.h>
@@ -274,8 +275,13 @@ void HTMLScriptElement::prepare_script()
        return;
    }

-    // FIXME: 19. If el does not have a src content attribute, and the Should element's inline behavior be blocked by Content Security Policy?
-    //            algorithm returns "Blocked" when given el, "script", and source text, then return. [CSP]
+    // 19. If el does not have a src content attribute, and the Should element's inline behavior be blocked by Content Security Policy?
+    //     algorithm returns "Blocked" when given el, "script", and source text, then return. [CSP]
+    if (!has_attribute(AttributeNames::src)
+        && ContentSecurityPolicy::should_elements_inline_type_behavior_be_blocked_by_content_security_policy(realm(), *this, ContentSecurityPolicy::Directives::Directive::InlineType::Script, source_text) == ContentSecurityPolicy::Directives::Directive::Result::Blocked) {
+        dbgln("HTMLScriptElement: Refusing to run inline script because it violates the Content Security Policy.");
+        return;
+    }

    // 20. If el has an event attribute and a for attribute, and el's type is "classic", then:
    if (m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::event) && has_attribute(HTML::AttributeNames::for_)) {
@@ -325,7 +331,8 @@ void HTMLScriptElement::prepare_script()
    // 23. Let module script credentials mode be the CORS settings attribute credentials mode for el's crossorigin content attribute.
    auto module_script_credential_mode = cors_settings_attribute_credentials_mode(m_crossorigin);

-    // FIXME: 24. Let cryptographic nonce be el's [[CryptographicNonce]] internal slot's value.
+    // 24. Let cryptographic nonce be el's [[CryptographicNonce]] internal slot's value.
+    auto cryptographic_nonce = m_cryptographic_nonce;

    // 25. If el has an integrity attribute, then let integrity metadata be that attribute's value.
    //     Otherwise, let integrity metadata be the empty string.
@@ -350,7 +357,7 @@ void HTMLScriptElement::prepare_script()
    //     credentials mode is module script credentials mode, referrer policy is referrer policy,
    //     and fetch priority is fetch priority.
    ScriptFetchOptions options {
-        .cryptographic_nonce = {}, // FIXME
+        .cryptographic_nonce = move(cryptographic_nonce),
        .integrity_metadata = move(integrity_metadata),
        .parser_metadata = parser_metadata,
        .credentials_mode = module_script_credential_mode,