From 59162342e64af3a8232a2a79c9938ac36430ea99 Mon Sep 17 00:00:00 2001
From: Luke Wilde <luke@ladybird.org>
Date: Tue, 5 Aug 2025 19:01:27 +0100
Subject: [PATCH] LibWeb: Set LinkProcessingOptions'
 cryptographic_nonce_metadata

Fixes external CSS being blocked on https://beatsaver.com/, where they
have a `style-src` directive set to `'self' 'nonce-[value]'`

Relates to #5643, but does not make the website load.
---
 Libraries/LibWeb/HTML/HTMLLinkElement.cpp             |  3 ++-
 .../ContentSecurityPolicy/link-element-nonce.txt      |  1 +
 .../ContentSecurityPolicy/link-element-nonce.html     | 11 +++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/ContentSecurityPolicy/link-element-nonce.txt
 create mode 100644 Tests/LibWeb/Text/input/ContentSecurityPolicy/link-element-nonce.html

diff --git a/Libraries/LibWeb/HTML/HTMLLinkElement.cpp b/Libraries/LibWeb/HTML/HTMLLinkElement.cpp
index 3930d861ed5..a7d9097e47e 100644
--- a/Libraries/LibWeb/HTML/HTMLLinkElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLLinkElement.cpp
@@ -265,6 +265,8 @@ HTMLLinkElement::LinkProcessingOptions HTMLLinkElement::create_link_options()
     // 2. Let options be a new link processing options with
     LinkProcessingOptions options {
         // FIXME: destination                      the result of translating the state of el's as attribute
+        // cryptographic nonce metadata     the current value of el's [[CryptographicNonce]] internal slot
+        .cryptographic_nonce_metadata = m_cryptographic_nonce,
         // crossorigin                      the state of el's crossorigin content attribute
         .crossorigin = cors_setting_attribute_from_keyword(get_attribute(AttributeNames::crossorigin)),
         // referrer policy                  the state of el's referrerpolicy content attribute
@@ -280,7 +282,6 @@ HTMLLinkElement::LinkProcessingOptions HTMLLinkElement::create_link_options()
         .policy_container = document.policy_container(),
         // document                         document
         .document = &document,
-        // FIXME: cryptographic nonce metadata     the current value of el's [[CryptographicNonce]] internal slot
         // fetch priority                   the state of el's fetchpriority content attribute
         .fetch_priority = Fetch::Infrastructure::request_priority_from_string(get_attribute_value(HTML::AttributeNames::fetchpriority)).value_or(Fetch::Infrastructure::Request::Priority::Auto),
     };
diff --git a/Tests/LibWeb/Text/expected/ContentSecurityPolicy/link-element-nonce.txt b/Tests/LibWeb/Text/expected/ContentSecurityPolicy/link-element-nonce.txt
new file mode 100644
index 00000000000..1e04124a3a2
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/ContentSecurityPolicy/link-element-nonce.txt
@@ -0,0 +1 @@
+rgb(255, 0, 0)
diff --git a/Tests/LibWeb/Text/input/ContentSecurityPolicy/link-element-nonce.html b/Tests/LibWeb/Text/input/ContentSecurityPolicy/link-element-nonce.html
new file mode 100644
index 00000000000..4597c0c22a1
--- /dev/null
+++ b/Tests/LibWeb/Text/input/ContentSecurityPolicy/link-element-nonce.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-value';">
+    <link rel="stylesheet" href="../body-background-color-red.css" nonce="value">
+</head>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        println(window.getComputedStyle(document.body).backgroundColor);
+    });
+</script>