Changeset 286136 in webkit

Timestamp:

Nov 23, 2021 8:24:27 AM (8 months ago)

Author:

Carlos Garcia Campos

Message:

CSP: security policy violation event is always using document as target
​https://bugs.webkit.org/show_bug.cgi?id=233182

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update test expectations.

• web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt:
• web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt:

Source/WebCore:

We should use the violation element instead if not null.

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent): Pass element to allowInlineEventHandlers().

• bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction const): Ditto.

• dom/Element.cpp:

(WebCore::Element::enqueueSecurityPolicyViolationEvent): Helper to queue securitypolicyviolationEvent for element.

• dom/Element.h:
• dom/InlineStyleSheetOwner.cpp:

(WebCore::InlineStyleSheetOwner::createSheet): Pass element to allowInlineStyle().

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestModuleScript): Pass element to allowInlineScript().
(WebCore::ScriptElement::executeClassicScript): Ditto.

• dom/StyledElement.cpp:

(WebCore::StyledElement::styleAttributeChanged): Pass element to allowInlineStyle().

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const): Pass given element to reportViolation().
(WebCore::ContentSecurityPolicy::allowInlineScript const): Ditto.
(WebCore::ContentSecurityPolicy::allowInlineStyle const): Ditto.
(WebCore::ContentSecurityPolicy::reportViolation const): Call Element::enqueueSecurityPolicyViolationEvent() if
element is not nullptr.

• page/csp/ContentSecurityPolicy.h:

LayoutTests:

Unskip tests that no longer time out.

• TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (3 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSEventListener.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSLazyEventListener.cpp (modified) (1 diff)
• Source/WebCore/dom/Element.cpp (modified) (3 diffs)
• Source/WebCore/dom/Element.h (modified) (2 diffs)
• Source/WebCore/dom/InlineStyleSheetOwner.cpp (modified) (1 diff)
• Source/WebCore/dom/ScriptElement.cpp (modified) (2 diffs)
• Source/WebCore/dom/StyledElement.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (8 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-11-23  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        CSP: security policy violation event is always using document as target
+        https://bugs.webkit.org/show_bug.cgi?id=233182
+
+        Reviewed by Kate Cheney.
+
+        Unskip tests that no longer time out.
+
+        * TestExpectations:
+
 2021-11-23  Alan Bujtas  <zalan@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -526 +526 @@
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme.html [ Skip ]
 imported/w3c/web-platform-tests/cookies/domain/domain-attribute-host-with-and-without-leading-period.sub.https.html [ Skip ]
 imported/w3c/web-platform-tests/cookies/domain/domain-attribute-host-with-leading-period.sub.https.html [ Skip ]
@@ -951 +949 @@
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/inside-dedicated-worker.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect-upgrade-reporting.https.html [ Skip ]
@@ -981 +977 @@
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/reporting-api/reporting-api-works-on-frame-src.https.sub.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html [ Skip ]

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-11-23  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        CSP: security policy violation event is always using document as target
+        https://bugs.webkit.org/show_bug.cgi?id=233182
+
+        Reviewed by Kate Cheney.
+
+        Update test expectations.
+
+        * web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt:
+
 2021-11-23  Antti Koivisto  <antti@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/javascript-window-open-blocked-expected.txt

@@ -1 @@
- 
-FAIL Check that a securitypolicyviolation event is fired assert_equals: expected "inline" but got ""
 
+PASS Check that a securitypolicyviolation event is fired
+

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme-expected.txt

@@ -1 +1 @@
 
-Harness Error (TIMEOUT), message = null
+FAIL Violations from data:-URL scripts have a sourceFile of 'blob' assert_equals: expected 16 but got 21
 
-TIMEOUT Violations from data:-URL scripts have a sourceFile of 'blob' Test timed out
-

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme-expected.txt

@@ -1 +1 @@
 
-Harness Error (TIMEOUT), message = null
+FAIL Violations from data:-URL scripts have a sourceFile of 'data' assert_equals: expected 16 but got 21
 
-TIMEOUT Violations from data:-URL scripts have a sourceFile of 'data' Test timed out
-

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'style-src' contains an invalid source: ''report-sample''. It will be ignored.
-CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
 
-Harness Error (TIMEOUT), message = null
+FAIL Inline style blocks should have a sample. assert_equals: expected "p { omg: yay !important; }" but got ""
+FAIL Inline style attributes should have a sample. assert_equals: expected "omg: yay !important;" but got ""
 
-TIMEOUT Inline style blocks should have a sample. Test timed out
-TIMEOUT Inline style attributes should have a sample. Test timed out
-

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/style-sample-no-opt-in-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
 
-Harness Error (TIMEOUT), message = null
+PASS Inline style blocks should not have a sample.
+PASS Inline style attributes should not have a sample.
 
-TIMEOUT Inline style blocks should not have a sample. Test timed out
-TIMEOUT Inline style attributes should not have a sample. Test timed out
-

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-11-23  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        CSP: security policy violation event is always using document as target
+        https://bugs.webkit.org/show_bug.cgi?id=233182
+
+        Reviewed by Kate Cheney.
+
+        We should use the violation element instead if not null.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::handleEvent): Pass element to allowInlineEventHandlers().
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction const): Ditto.
+        * dom/Element.cpp:
+        (WebCore::Element::enqueueSecurityPolicyViolationEvent): Helper to queue securitypolicyviolationEvent for element.
+        * dom/Element.h:
+        * dom/InlineStyleSheetOwner.cpp:
+        (WebCore::InlineStyleSheetOwner::createSheet): Pass element to allowInlineStyle().
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestModuleScript): Pass element to allowInlineScript().
+        (WebCore::ScriptElement::executeClassicScript): Ditto.
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::styleAttributeChanged): Pass element to allowInlineStyle().
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const): Pass given element to reportViolation().
+        (WebCore::ContentSecurityPolicy::allowInlineScript const): Ditto.
+        (WebCore::ContentSecurityPolicy::allowInlineStyle const): Ditto.
+        (WebCore::ContentSecurityPolicy::reportViolation const): Call Element::enqueueSecurityPolicyViolationEvent() if
+        element is not nullptr.
+        * page/csp/ContentSecurityPolicy.h:
+
 2021-11-23  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -127 +127 @@
         if (!window->wrapped().isCurrentlyDisplayedInFrame())
             return;
-        if (wasCreatedFromMarkup() && !scriptExecutionContext.contentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line, code()))
-            return;
+        if (wasCreatedFromMarkup()) {
+            Element* element = event.target()->isNode() && !downcast<Node>(*event.target()).isDocumentNode() && is<Element>(*event.target()) ? downcast<Element>(event.target()) : nullptr;
+            if (!scriptExecutionContext.contentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line, code(), element))
+                return;
+        }
         // FIXME: Is this check needed for other contexts?
         ScriptController& script = window->wrapped().frame()->script();

trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -132 +132 @@
         return nullptr;
 
-    if (!document.contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line, m_code))
+    Element* element = m_originalNode && !m_originalNode->isDocumentNode() && is<Element>(*m_originalNode) ? downcast<Element>(m_originalNode.get()) : nullptr;
+    if (!document.contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line, m_code, element))
         return nullptr;
 

trunk/Source/WebCore/dom/Element.cpp

@@ -54 +54 @@
 #include "EventDispatcher.h"
 #include "EventHandler.h"
+#include "EventLoop.h"
 #include "EventNames.h"
 #include "FocusController.h"
@@ -111 +112 @@
 #include "ScrollIntoViewOptions.h"
 #include "ScrollLatchingController.h"
+#include "SecurityPolicyViolationEvent.h"
 #include "SelectorQuery.h"
 #include "Settings.h"
@@ -3199 +3201 @@
 }
 
+void Element::enqueueSecurityPolicyViolationEvent(SecurityPolicyViolationEventInit&& eventInit)
+{
+    document().eventLoop().queueTask(TaskSource::DOMManipulation, [this, protectedThis = Ref { *this }, event = SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, WTFMove(eventInit), Event::IsTrusted::Yes)] {
+        dispatchEvent(event);
+    });
+}
+
 ExceptionOr<void> Element::mergeWithNextTextNode(Text& node)
 {

trunk/Source/WebCore/dom/Element.h

@@ -89 +89 @@
 struct ScrollIntoViewOptions;
 struct ScrollToOptions;
+struct SecurityPolicyViolationEventInit;
 struct ShadowRootInit;
 
@@ -572 +573 @@
     WEBCORE_EXPORT bool dispatchMouseForceWillBegin();
 
+    void enqueueSecurityPolicyViolationEvent(SecurityPolicyViolationEventInit&&);
+
     virtual void willRecalcStyle(Style::Change);
     virtual void didRecalcStyle(Style::Change);

trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp

@@ -170 +170 @@
     const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy();
     bool hasKnownNonce = contentSecurityPolicy.allowStyleWithNonce(element.nonce(), element.isInUserAgentShadowTree());
-    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, hasKnownNonce))
+    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, element, hasKnownNonce))
         return;
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -378 +378 @@
     const auto& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
     bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(nonce, m_element.isInUserAgentShadowTree());
-    if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), hasKnownNonce))
+    if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce))
         return false;
 
@@ -402 +402 @@
 
         bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.nonce(), m_element.isInUserAgentShadowTree());
-        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), hasKnownNonce))
+        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce))
             return;
     }

trunk/Source/WebCore/dom/StyledElement.cpp

@@ -207 +207 @@
         startLineNumber = document().scriptableDocumentParser()->textPosition().m_line;
 
-    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, isInUserAgentShadowTree()))
+    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, *this, isInUserAgentShadowTree()))
         setInlineStyleFromString(newStyleString);
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -417 +417 @@
 }
 
-bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& source, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& source, Element* element, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy)
@@ -424 +424 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -481 +481 @@
 }
 
-bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element& element, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy || shouldPerformEarlyCSPCheck())
@@ -488 +488 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -499 +499 @@
 }
 
-bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes shouldCheckUnsafeHashes, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes shouldCheckUnsafeHashes, Element& element, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy)
@@ -508 +508 @@
         auto name = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? ContentSecurityPolicyDirectiveNames::styleSrcAttr : ContentSecurityPolicyDirectiveNames::styleSrcElem;
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()));
+        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, &element);
     };
 
@@ -735 +735 @@
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
-{
-    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
-}
-
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state, Element* element) const
+{
+    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL, element);
+}
+
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL, Element* element) const
 {
     logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
@@ -805 +805 @@
     if (m_client)
         m_client->enqueueSecurityPolicyViolationEvent(WTFMove(violationEventInit));
-    else
-        downcast<Document>(*m_scriptExecutionContext).enqueueSecurityPolicyViolationEvent(WTFMove(violationEventInit));
+    else {
+        auto& document = downcast<Document>(*m_scriptExecutionContext);
+        if (element && element->document() == document)
+            element->enqueueSecurityPolicyViolationEvent(WTFMove(violationEventInit));
+        else
+            document.enqueueSecurityPolicyViolationEvent(WTFMove(violationEventInit));
+    }
 
     // 2. Send violation report (if applicable).

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -52 +52 @@
 class ContentSecurityPolicySource;
 class DOMStringList;
+class Element;
 class Frame;
 class JSWindowProxy;
@@ -96 +97 @@
 
     bool allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
-    bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
-    bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, bool overrideContentSecurityPolicy = false) const;
     bool allowNonParserInsertedScripts(const URL&, const String&, const StringView&, ParserInserted) const;
-    bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, Element&, bool overrideContentSecurityPolicy = false) const;
 
     bool allowEval(JSC::JSGlobalObject*, LogToConsole, bool overrideContentSecurityPolicy = false) const;
@@ -223 +224 @@
     void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
     void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr, Element* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;