OSSForks/ladybird
1
0
Fork 0
mirror of https://github.com/zebrajr/ladybird.git synced 2025-12-06 00:19:53 +01:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

LibWeb/CSP: Update invalid sample assertion in violation reporting

Browse Source 
Asserting that a sample is not provided if the resource is not Inline
is not quite valid, since Eval, TrustedTypesSink and TrustedTypesPolicy
also provide a sample.

Spec issue: https://github.com/w3c/webappsec-csp/issues/788
This commit is contained in:
Luke Wilde 2025-10-29 15:52:22 +00:00 committed by Andreas Kling
parent 2492c07430
commit 35c6d52d7d
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp
View File

@ -239,7 +239,9 @@ ByteBuffer Violation::obtain_the_deprecated_serialization(JS::Realm& realm) cons
// 3. Assert: If body["blocked-uri"] is not "inline", then body["sample"] is the empty string.
// FIXME: File spec issue that body["sample"] should be body["script-sample"]
if (m_resource.has<Resource>() && m_resource.get<Resource>() != Resource::Inline) {
// FIXME: This is not a valid assertion, since Eval, TrustedTypesSink and TrustedTypesPolicy provide a sample. https://github.com/w3c/webappsec-csp/issues/788
if (auto* maybe_resource = m_resource.get_pointer<Resource>();
!maybe_resource || (*maybe_resource != Resource::Inline && *maybe_resource != Resource::Eval && *maybe_resource != Resource::TrustedTypesSink && *maybe_resource != Resource::TrustedTypesPolicy)) {
VERIFY(m_sample.is_empty());
}