LibWeb: Track if element was created from token with dupe attributes

This is required for CSP to ignore the nonce attribute to prevent duplicate attributes hijacking the attribute. See https://w3c.github.io/webappsec-csp/#security-nonce-hijacking
Author: https://github.com/Lubrsi Commit: 2368641de5 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5328 Reviewed-by: https://github.com/ADKaster ✅
2025-08-26 04:07:51 +00:00 · 2024-12-02 12:33:52 +00:00 · 2024-12-02 12:33:52 +00:00 · 2368641de5 · 2025-07-09 21:54:13 +00:00
commit 2368641de5
parent b6b030aa43
5 changed files with 27 additions and 0 deletions
--- a/Libraries/LibWeb/DOM/Element.h
+++ b/Libraries/LibWeb/DOM/Element.h
@ -516,6 +516,9 @@ public:

    virtual bool contributes_a_script_blocking_style_sheet() const { return false; }

+    void set_had_duplicate_attribute_during_tokenization(Badge<HTML::HTMLParser>);
+    bool had_duplicate_attribute_during_tokenization() const { return m_had_duplicate_attribute_during_tokenization; }
+
 protected:
    Element(Document&, DOM::QualifiedName);
    virtual void initialize(JS::Realm&) override;
@ -614,6 +617,13 @@ private:

    size_t m_sibling_invalidation_distance { 0 };

+    // https://w3c.github.io/webappsec-csp/#is-element-nonceable
+    // AD-HOC: We need to know the element had a duplicate attribute when it was created from the HTML parser.
+    //         However, there currently isn't any specified way to do this, so we store a flag on the token, which is
+    //         then passed down to here. This is used by Content Security Policy to disable the nonce attribute if this
+    //         flag is set.
+    bool m_had_duplicate_attribute_during_tokenization { false };
+
    OwnPtr<CSS::CountersSet> m_counters_set;

    // https://drafts.csswg.org/css-contain/#proximity-to-the-viewport