LibWeb: Only stash Element's CryptographicNonce if there's a CSP header

Author: https://github.com/Lubrsi
Commit: https://github.com/LadybirdBrowser/ladybird/commit/435f839ced0
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3805

Libraries/LibWeb/HTML/HTMLOrSVGElement.cpp

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <LibWeb/ContentSecurityPolicy/PolicyList.h>
 #include <LibWeb/HTML/Focus.h>
 #include <LibWeb/HTML/HTMLElement.h>
 #include <LibWeb/HTML/HTMLOrSVGElement.h>
@@ -100,12 +101,12 @@ void HTMLOrSVGElement<ElementBase>::inserted()
     if (!element.shadow_including_root().is_browsing_context_connected())
         return;
 
-    // FIXME: 1. Let CSP list be element's shadow-including root's policy container's CSP list.
-    [[maybe_unused]] auto policy_container = element.shadow_including_root().document().policy_container();
+    // 1. Let CSP list be element's shadow-including root's policy container's CSP list.
+    auto csp_list = element.shadow_including_root().document().policy_container()->csp_list;
 
-    // FIXME: 2. If CSP list contains a header-delivered Content Security Policy, and element has a
-    //           nonce content attribute whose value is not the empty string, then:
-    if (true && element.has_attribute(HTML::AttributeNames::nonce)) {
+    // 2. If CSP list contains a header-delivered Content Security Policy, and element has a
+    //    nonce content attribute whose value is not the empty string, then:
+    if (csp_list->contains_header_delivered_policy() && element.has_attribute(HTML::AttributeNames::nonce)) {
         // 2.1. Let nonce be element's [[CryptographicNonce]].
         auto nonce = m_cryptographic_nonce;
 

Tests/LibWeb/Text/expected/HTML/HTMLOrSVGElement-nonce.txt

@@ -5,7 +5,7 @@ nonce: "456" attribute: 456;
 nonce: "null" attribute: 456;
 insertion
 nonce: "foo" attribute: foo;
-nonce: "foo" attribute: ;
+nonce: "foo" attribute: foo;
 cloning
 nonce: "bar" attribute: bar;
 nonce: "bar" attribute: bar;