From 35c6d52d7df251555ed006091b680a2299f6390e Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Wed, 29 Oct 2025 15:52:22 +0000
Subject: [PATCH] LibWeb/CSP: Update invalid sample assertion in violation reporting
Asserting that a sample is not provided if the resource is not Inline is not quite valid, since Eval, TrustedTypesSink and TrustedTypesPolicy also provide a sample.
Spec issue: https://github.com/w3c/webappsec-csp/issues/788
---
 Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp b/Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp
index 6e4a308680..e0af609811 100644
--- a/Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Violation.cpp
@@ -239,7 +239,9 @@ ByteBuffer Violation::obtain_the_deprecated_serialization(JS::Realm& realm) cons
 // 3. Assert: If body["blocked-uri"] is not "inline", then body["sample"] is the empty string.
 // FIXME: File spec issue that body["sample"] should be body["script-sample"]
- if (m_resource.has() && m_resource.get() != Resource::Inline) {
+ // FIXME: This is not a valid assertion, since Eval, TrustedTypesSink and TrustedTypesPolicy provide a sample. https://github.com/w3c/webappsec-csp/issues/788
+ if (auto* maybe_resource = m_resource.get_pointer();
+ !maybe_resource || (*maybe_resource != Resource::Inline && *maybe_resource != Resource::Eval && *maybe_resource != Resource::TrustedTypesSink && *maybe_resource != Resource::TrustedTypesPolicy)) {
 VERIFY(m_sample.is_empty());
 }
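Review bot: The `!maybe_resource ||` arm makes the VERIFY run for every violation whose m_resource does not hold a Resource value, which the replaced condition skipped entirely; the commit message only describes relaxing the check for Eval, TrustedTypesSink and TrustedTypesPolicy. That is closer to the quoted spec step, but if VERIFY aborts the process here, any path that attaches a sample to such a violation turns page-triggered CSP reporting into a crash where it previously was not. If the widening is unintended, `maybe_resource && (*maybe_resource != Resource::Inline && …)` keeps the old scope; if it is intended, say so next to the check, e.g. `// Violations without a Resource value must never carry a sample.`, and cover that case with a test. The function body continues outside the hunk, so where m_sample is populated cannot be confirmed from here.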