Add duplicate attribute tracking for CSP nonce validation#695
Merged
TimvdLippe merged 2 commits intoservo:mainfrom Mar 13, 2026
Merged
Add duplicate attribute tracking for CSP nonce validation#695TimvdLippe merged 2 commits intoservo:mainfrom
TimvdLippe merged 2 commits intoservo:mainfrom
Conversation
dyegoaurelio
changed the title
dyegoaurelio
force-pushed
the
duplicate-attr-flag
branch
from
0773845 to
cec02c3
Compare
github-merge-queue bot
pushed a commit
to servo/servo
that referenced
this pull request
Feb 27, 2026
…#40956) This PR fixes two related issues with Content Security Policy (CSP) nonce validation for external scripts: 1. Missing nonce validation for external scripts with malformed attributes 2. Incorrect violation event reporting for blocked external resources This makes servo closer to passing the `nonce-enforce-blocked` wpt test. The remaining failures are blocked by required changes in the html parser. 1. Svg script support (servo/html5ever#118) ```html <svg xmlns="http://www.w3.org/2000/svg"> <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute in SVG, no execution.")(); </script> </svg> ``` 2. Duplicate attrs check the html parser needs to provide this flag, as mentioned on the original commit message (4821bc0) ```html <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute, no execution.")(); </script> <script attribute attribute=<style nonce="abc"> t.unreached_func("2# Duplicate attribute, no execution.")(); </script> [...] <script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script> ``` I've also created a PR to implement the duplicate attrs flag on html5ever servo/html5ever#695 Testing: doesn't fixes the aforementioned wpt test yet. Fixes: part of #36437 --------- Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
github-merge-queue bot
pushed a commit
to servo/servo
that referenced
this pull request
Feb 27, 2026
…#40956) This PR fixes two related issues with Content Security Policy (CSP) nonce validation for external scripts: 1. Missing nonce validation for external scripts with malformed attributes 2. Incorrect violation event reporting for blocked external resources This makes servo closer to passing the `nonce-enforce-blocked` wpt test. The remaining failures are blocked by required changes in the html parser. 1. Svg script support (servo/html5ever#118) ```html <svg xmlns="http://www.w3.org/2000/svg"> <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute in SVG, no execution.")(); </script> </svg> ``` 2. Duplicate attrs check the html parser needs to provide this flag, as mentioned on the original commit message (4821bc0) ```html <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute, no execution.")(); </script> <script attribute attribute=<style nonce="abc"> t.unreached_func("2# Duplicate attribute, no execution.")(); </script> [...] <script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script> ``` I've also created a PR to implement the duplicate attrs flag on html5ever servo/html5ever#695 Testing: doesn't fixes the aforementioned wpt test yet. Fixes: part of #36437 --------- Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
Contributor
simonwuelker
left a comment
simonwuelker
left a comment
There was a problem hiding this comment.
Thanks, this looks reasonable. Just one nit: I know the existing code likes to use abbreviations a lot, but I'd like to move away from that in the long term, especially for pub interfaces. Can you rename had_duplicate_attrs to had_duplicate_attributes everywhere?
github-merge-queue bot
pushed a commit
to servo/servo
that referenced
this pull request
Feb 27, 2026
…#40956) This PR fixes two related issues with Content Security Policy (CSP) nonce validation for external scripts: 1. Missing nonce validation for external scripts with malformed attributes 2. Incorrect violation event reporting for blocked external resources This makes servo closer to passing the `nonce-enforce-blocked` wpt test. The remaining failures are blocked by required changes in the html parser. 1. Svg script support (servo/html5ever#118) ```html <svg xmlns="http://www.w3.org/2000/svg"> <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute in SVG, no execution.")(); </script> </svg> ``` 2. Duplicate attrs check the html parser needs to provide this flag, as mentioned on the original commit message (4821bc0) ```html <script attribute attribute nonce="abc"> t.unreached_func("Duplicate attribute, no execution.")(); </script> <script attribute attribute=<style nonce="abc"> t.unreached_func("2# Duplicate attribute, no execution.")(); </script> [...] <script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script> ``` I've also created a PR to implement the duplicate attrs flag on html5ever servo/html5ever#695 Testing: doesn't fixes the aforementioned wpt test yet. Fixes: part of #36437 --------- Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
dyegoaurelio
force-pushed
the
duplicate-attr-flag
branch
2 times, most recently
from
6c8fbae to
bb5bdf7
Compare
github-actions
bot
added
V-breaking
simonwuelker
approved these changes
Mar 3, 2026
Contributor
There was a problem hiding this comment.
LGTM
If you need this change for a servo PR then you also need to prepare a new release (See RELEASING.md
that we can use for servo. It would also be nice to have the servo PR ready so we can run tests on it. html5ever itself has much less test coverage than the WPT suite from servo can provide.
dyegoaurelio
added a commit
to dyegoaurelio/servo
that referenced
this pull request
Mar 12, 2026
Point html5ever, markup5ever, xml5ever, web_atoms, and tendril to the duplicate-attr-flag branch which adds had_duplicate_attributes to ElementFlags. This will be rebased once servo/html5ever#695 lands.
dyegoaurelio
added a commit
to dyegoaurelio/servo
that referenced
this pull request
Mar 12, 2026
Point html5ever, markup5ever, xml5ever, web_atoms, and tendril to the duplicate-attr-flag branch which adds had_duplicate_attributes to ElementFlags. This will be rebased once servo/html5ever#695 lands. Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
Implements detection and propagation of duplicate attributes through the tokenizer, tree builder, and TreeSink interface to support CSP (Content Security Policy) nonce validation. This enables html5ever consumers (e.g., Servo) to properly implement step 3 of the CSP "is element nonceable" algorithm by checking the `ElementFlags.had_duplicate_attrs` field during nonce validation. Reference: - https://www.w3.org/TR/CSP/#is-element-nonceable - servo/servo@4821bc0 Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
dyegoaurelio
force-pushed
the
duplicate-attr-flag
branch
from
bb5bdf7 to
cedc11a
Compare
Contributor
Author
|
servo PR at servo/servo#43216 |
github-actions
bot
added
V-non-breaking
dyegoaurelio
added a commit
to dyegoaurelio/servo
that referenced
this pull request
Mar 12, 2026
Point html5ever, markup5ever, xml5ever, web_atoms, and tendril to the duplicate-attr-flag branch which adds had_duplicate_attributes to ElementFlags. This will be rebased once servo/html5ever#695 lands. Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
Contributor
|
@simonwuelker can you publish these crates? |
Contributor
I don't have the necessary permissions to publish to crates.io. cc @servo/cargo-publish . and why is the semver check applying the wrong labels again... |
Member
|
Published markup5ever, html5ever, and xml5ever. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements detection and propagation of duplicate attributes through the tokenizer, tree builder, and TreeSink interface to support CSP (Content Security Policy) nonce validation.
This enables html5ever consumers (e.g., Servo) to properly implement step 3 of the CSP "is element nonceable" algorithm by checking the
ElementFlags.had_duplicate_attrsfield during nonce validation.Reference: