Fire error event when CSP blocks inline stylesheets
https://bugs.webkit.org/show_bug.cgi?id=246710
rdar://101308540

Reviewed by Chris Dumez.

When we block inline style with CSP we don't fire an error event. This change will cause the element
to fire an error event when CSP blocks us from creating a stylesheet.

* LayoutTests/TestExpectations:

* LayoutTests/http/tests/security/contentSecurityPolicy/style-src-blocked-error-event-expected.txt: Removed.
* LayoutTests/http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html: Removed.
    This test is redundant to
    imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.html
    and any other tests which block style but allow unsafe-inline.

* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt:
* Source/WebCore/dom/InlineStyleSheetOwner.cpp:
(WebCore::InlineStyleSheetOwner::createSheet):

Canonical link: https://commits.webkit.org/255744@main
rreno committed Oct 19, 2022
1 parent bda70c0 commit d487138f2ba5c2b351635d4df8942b9f4d8577ce
Showing 6 changed files with 5 additions and 44 deletions.
@@ -1108,8 +1108,6 @@ imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-bl
imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html [ Skip ]
webkit.org/b/246442 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-service-worker.https.html [ Skip ]
@@ -2504,7 +2502,6 @@ webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-basi
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylenonce-basic-blocked-error-event.html
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylenonce-svg-style-basic-blocked-error-event.html
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
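
Review bot: the four sibling entries under webkit.org/b/153155 (the 1.1/stylehash-* and 1.1/stylenonce-* blocked-error-event tests, including the svg-style variants) stay listed while only style-src-blocked-error-event.html is dropped, and it is dropped because the test file is deleted, not because it passes. Those siblings also check for an error event on a blocked inline style, so it is worth re-running them against this change and either removing the entries that now pass or noting in the bug why they still fail.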

This file was deleted.

This file was deleted.

@@ -1,9 +1,4 @@
CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/style-src/resources/style-src.css because it does not appear in the style-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to load http://localhost:8800/content-security-policy/style-src/resources/style-src.css because it does not appear in the style-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

Harness Error (TIMEOUT), message = null

PASS Test error event fires on stylesheet link
NOTRUN Test error event fires on inline style
PASS Test error event fires on inline style
Lorem ipsum
@@ -1,7 +1,4 @@
CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

Harness Error (TIMEOUT), message = null

PASS Should fire a securitypolicyviolation event
NOTRUN Test that paragraph remains unmodified and error events received.
PASS Test that paragraph remains unmodified and error events received.
Lorem ipsum
@@ -170,8 +170,10 @@ void InlineStyleSheetOwner::createSheet(Element& element, const String& text)

ASSERT(document.contentSecurityPolicy());
const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy();
if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, element, element.nonce(), element.isInUserAgentShadowTree()))
if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, element, element.nonce(), element.isInUserAgentShadowTree())) {
element.notifyLoadedSheetAndAllCriticalSubresources(true);
return;
}

auto mediaQueries = MediaQuerySet::create(m_media, MediaQueryParserContext(document));
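
Review bot: the bare `true` passed to `element.notifyLoadedSheetAndAllCriticalSubresources(true)` in the new CSP-blocked branch does not say what it means at the call site; a short comment stating that it marks the load as failed so that the element fires an error event would make the intent clear. createSheet also takes a generic `Element&`, and the TestExpectations hunk leaves the svg-style blocked-error-event tests listed, so please confirm that every element type reaching this early return turns the call into an error event, and add or un-list a test for the SVG case if it does.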
