CSP: Fix script-src-elem policies in workers

https://bugs.webkit.org/show_bug.cgi?id=239840

Reviewed by Kate Cheney.

Source/WebCore:

Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):

LayoutTests:

CSP: Fix script-src-elem policies in workers

* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html: Added.

Canonical link: https://commits.webkit.org/250386@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293940 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,15 @@
+2022-05-06  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Fix script-src-elem policies in workers
+        https://bugs.webkit.org/show_bug.cgi?id=239840
+
+        Reviewed by Kate Cheney.
+
+        CSP: Fix script-src-elem policies in workers
+
+        * http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html: Added.
+
 2022-05-06  Karl Rackler  <rackler@apple.com>
 
         [Gardening] REGRESSION (r293117): [ iOS ] fast/innerHTML/001.html is a flaky image failure

LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem-expected.txt

@@ -0,0 +1,2 @@
+ALERT: importScripts allowed
+

LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+<script>
+try {
+    var worker = new Worker('http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker.py?type=importscripts&csp=' +
+                            encodeURIComponent("script-src 'strict-dynamic'; script-src-elem localhost:8000"));
+    worker.onmessage = function (event) {
+        alert(event.data);
+        if (window.testRunner)
+            testRunner.notifyDone();
+    };
+} catch (e) {
+    alert(e);
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</body>
+</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,15 @@
+2022-05-06  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Fix script-src-elem policies in workers
+        https://bugs.webkit.org/show_bug.cgi?id=239840
+
+        Reviewed by Kate Cheney.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
+
 2022-05-06  Tim Nguyen  <ntim@apple.com>
 
         Use dynamicDowncast in getPathFromPathOperation()

Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -408,7 +408,7 @@ const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violat
 
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const String& nonce) const
 {
-    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
 
     if (!operativeDirective
         || operativeDirective->containsAllHashes(subResourceIntegrityDigests)