LibWeb: Track if element was created from token with dupe attributes

This is required for CSP to ignore the nonce attribute to prevent duplicate attributes hijacking the attribute. See https://w3c.github.io/webappsec-csp/#security-nonce-hijacking
Author: https://github.com/Lubrsi Commit: 2368641de5 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5328 Reviewed-by: https://github.com/ADKaster ✅
2025-07-23 09:22:30 +00:00 · 2024-12-02 12:33:52 +00:00 · 2024-12-02 12:33:52 +00:00 · 2368641de5 · 2025-07-09 21:54:13 +00:00
commit 2368641de5
parent b6b030aa43
5 changed files with 27 additions and 0 deletions
--- a/Libraries/LibWeb/HTML/Parser/HTMLToken.h
+++ b/Libraries/LibWeb/HTML/Parser/HTMLToken.h
@ -328,6 +328,7 @@ public:
    void set_end_position(Badge<HTMLTokenizer>, Position end_position) { m_end_position = end_position; }

    void normalize_attributes();
+    bool had_duplicate_attribute() const { return m_had_duplicate_attribute; }

 private:
    Vector<Attribute> const* tag_attributes() const
@ -355,6 +356,11 @@ private:
    bool m_tag_self_closing { false };
    bool m_tag_self_closing_acknowledged { false };

+    // AD-HOC: We need to know if the token had duplicate attributes, as Content Security Policy disables the nonce
+    //         attribute on the element that will be created from such a token.
+    //         https://w3c.github.io/webappsec-csp/#is-element-nonceable
+    bool m_had_duplicate_attribute { false };
+
    // Type::StartTag and Type::EndTag (tag name)
    FlyString m_string_data;