eliott/servo
1
0
Fork 0
mirror of https://github.com/servo/servo synced 2026-05-10 17:12:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
55,019 Commits 151 Branches 8 Tags
295e019d00a8543ae356cdcb7da2ff9ac0eff72b
Commit Graph

5 Commits

Author SHA1 Message Date
dyegoaurelio
453166752b Fix CSP nonce validation and violation reporting for external scripts (#40956) 
This PR fixes two related issues with Content Security Policy (CSP)
nonce validation for external scripts:

1. Missing nonce validation for external scripts with malformed
attributes
2. Incorrect violation event reporting for blocked external resources


This makes servo closer to passing the `nonce-enforce-blocked` wpt test.

The remaining failures are blocked by required changes in the html
parser.

1. Svg script support (https://github.com/servo/html5ever/issues/118)
```html
<svg xmlns="http://www.w3.org/2000/svg">
<script attribute attribute nonce="abc">
    t.unreached_func("Duplicate attribute in SVG, no execution.")();
</script>
</svg>
```

2. Duplicate attrs check
the html parser needs to provide this flag, as mentioned on the original
commit message
(4821bc0ab0)

```html
<script attribute attribute nonce="abc">
    t.unreached_func("Duplicate attribute, no execution.")();
</script>
<script attribute attribute=<style nonce="abc">
    t.unreached_func("2# Duplicate attribute, no execution.")();
</script>

[...]

<script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script>
```

I've also created a PR to implement the duplicate attrs flag on
html5ever https://github.com/servo/html5ever/pull/695

Testing: doesn't fixes the aforementioned wpt test yet.
Fixes: part of #36437

---------

Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
 2026-02-27 13:17:33 +00:00
WaterWhisperer
f405ddeaf7 script: Implement base-uri CSP check (#42272) 
Testing: `./mach test-wpt /content-security-policy/base-uri`
Fixes: #42261

Signed-off-by: WaterWhisperer <waterwhisperer24@qq.com>
 2026-02-01 17:03:23 +00:00
Josh Matthews
a97a345d6e script: Check same-origin-domain when evaluating javscript: URLs. (#41969) 
These changes introduce a new OriginSnapshot type, which is an immutable
version of MutableOrigin (ie. an origin that includes an optional domain
modifier). This is now propagated as part of LoadData's origin, allowing
us to perform the same-origin-domain check for javascript: URLs as
needed.

Testing: Newly-passing tests.

Signed-off-by: Josh Matthews <josh@joshmatthews.net>
 2026-01-18 02:32:51 +00:00
Anonmiraj
b207be05d9 change some allows to expects (#41040) 
Changed some allow to expects and removed the unfulfilled expectations.

Testing: Refactor
Part of: #40383

Signed-off-by: anonmiraj <nabilmalek48@gmail.com>
 2025-12-05 07:23:32 +00:00
dyegoaurelio
ab5fbad90c script: Move CSP DOM interfaces to script/dom/security (#40843) 
*Describe the changes that this pull request makes here. This will be
the commit message.*
Move CSP DOM interfaces to `script/dom/security`


Testing: Just a refactor, it doesn't require tests
Fixes: part of #38901

Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
 2025-11-24 11:48:06 +00:00