mirror of
https://github.com/servo/servo
synced 2026-05-13 10:27:03 +02:00
Previously, when window.open() was called with a javascript: URL, the script would execute unconditionally without any CSP enforcement. The CSP list was not propagated from the opener to the newly opened document.

This commit fixes two issues:

1. Propagate CSP from opener to new document

   The CSP list from the existing (opener) document is now copied to the target document before navigation, ensuring CSP policies are enforced.

2. Report CSP violations to the correct window

   Per the CSP spec, violations should be reported to the navigation request's client (the opener window), not the target window. To achieve this, we check CSP early in window.open() while both windows are accessible, before entering the normal navigation flow where only the target window is available.

Testing: new wpt successes:
- `content-security-policy/script-src/javascript-window-open-blocked.html`
- `content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html`
- `content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html`

Fixes: part of #36437

Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
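A simplified model of the behaviour the commit message describes, added here as an example (it is not Servo's code and not part of the commit): the target window inherits the opener's CSP list, and a blocked `javascript:` URL is recorded on the opener rather than the target. `parsePolicy`, `policyAllows`, `makeWindow` and `windowOpen` are hypothetical names, and the model assumes the `'unsafe-hashes'` digest is computed over the full `javascript:` URL string.

```javascript
// Simplified model (added example, not Servo code) of window.open() with a
// javascript: URL under CSP. All names here are hypothetical.
const { createHash } = require('node:crypto');

// Parse one serialized policy into Map<directive name, source expressions[]>.
// A repeated directive is ignored; only its first occurrence counts.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one policy allow navigating to this javascript: URL?
// Assumption of this model: the hash covers the full URL string.
function policyAllows(policy, url) {
  const sources = policy.get('script-src-elem') ?? policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const lower = sources.map((s) => s.toLowerCase());
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasHashOrNonce = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasHashOrNonce) return true;
  // A hash only applies to a javascript: URL together with 'unsafe-hashes'.
  if (!lower.includes("'unsafe-hashes'")) return false;
  const digest = createHash('sha256').update(url, 'utf8').digest('base64');
  return sources.includes(`'sha256-${digest}'`);
}

function makeWindow(policies = []) {
  return { cspList: policies.map(parsePolicy), violations: [], ranScripts: [] };
}

// Models the two behaviours in the commit message: the target inherits the
// opener's CSP list, and a blocked javascript: URL is reported on the opener.
function windowOpen(opener, url) {
  const target = makeWindow();
  target.cspList = [...opener.cspList]; // 1. propagate CSP to the new document
  if (url.toLowerCase().startsWith('javascript:')) {
    if (opener.cspList.every((p) => policyAllows(p, url))) {
      target.ranScripts.push(url);
    } else {
      opener.violations.push({ blocked: url }); // 2. report on the opener
    }
  }
  return target;
}
```

The three cases named under "Testing" map onto this model as: no matching source at all, a matching hash without `'unsafe-hashes'`, and `'unsafe-hashes'` with a hash that does not match.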
155 KiB