Skip to content

Implement base-uri CSP check #42261

Closed
#42272
Closed
Implement base-uri CSP check#42261
#42272
Assignees
WaterWhisperer
Labels
A-content/scriptRelated to the script threadA-securityC-assignedThere is someone working on resolving the issueE-less-complexStraightforward. Recommended for a new contributor.
@TimvdLippe

Description

@TimvdLippe
TimvdLippe
opened on Jan 31, 2026

Calling point:

servo/components/script/dom/html/htmlbaseelement.rs

Line 83 in e5af3ee

// running Is base allowed for Document? on urlRecord and document returns "Blocked",

Our CSP trait that needs a new method to delegate:

servo/components/script/dom/security/csp.rs

Line 34 in e5af3ee

pub(crate) trait CspReporting {

Relevant spec: https://www.w3.org/TR/CSP3/#directive-base-uri

Since the CSP code lives in a separate crate (https://github.com/rust-ammonia/rust-content-security-policy) which has the relevant implementation: https://github.com/rust-ammonia/rust-content-security-policy/blob/90a0221fa0b1834c7072da4f690326c420e9b397/src/lib.rs#L341 we need to delegate to it like we do with the other trait implementations

Testing: ./mach test-wpt /content-security-policy/base-uri

Metadata

Metadata

Assignees

Labels

A-content/scriptRelated to the script threadA-securityC-assignedThere is someone working on resolving the issueE-less-complexStraightforward. Recommended for a new contributor.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions