From 89532082ea308a7a68fdf6e20c64f12ea3d4e703 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Mon, 27 Jan 2025 13:24:06 +0900
Subject: [PATCH 1/2] Fix CSP navigation request blocking

Closes #10796, by passing along the intended snapshotted source CSP instead of attempting to look up the policy container from the request (which will not work when it's left as "client").
---
 source | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/source b/source
index d0d75d360ce..41148c55b1e 100644
--- a/source
+++ b/source
@@ -100144,8 +100144,8 @@ location.href = '#foo';</code></pre>
    <dd><var>sourceDocument</var>'s <span>relevant settings object</span></dd>
 
    <dt><span data-x="source-snapshot-params-policy-container">source policy container</span></dt>
-   <dd><var>sourceDocument</var>'s <span data-x="concept-document-policy-container">policy
-   container</span></dd>
+   <dd>a <span data-x="clone a policy container">clone</span> of <var>sourceDocument</var>'s <span
+   data-x="concept-document-policy-container">policy container</span></dd>
   </dl>
 
   <hr>
@@ -102782,9 +102782,10 @@ location.href = '#foo';</code></pre>
      </li>
 
      <li><p>If the result of <span>should navigation request of type be blocked by Content Security
-     Policy?</span> given <var>request</var> and <var>cspNavigationType</var> is "<code
-     data-x="">Blocked</code>", then set <var>response</var> to a <span>network error</span> and
-     <span>break</span>. <ref>CSP</ref></p></li>
+     Policy?</span> given <var>request</var>, <var>sourceSnapshotParams</var>'s <span
+     data-x="source-snapshot-params-policy-container">source policy container</span>, and
+     <var>cspNavigationType</var> is "<code data-x="">Blocked</code>", then set <var>response</var>
+     to a <span>network error</span> and <span>break</span>. <ref>CSP</ref></p></li>
 
      <li><p>Set <var>response</var> to null.</p></li>
 

From e88eb0a620b830baa6dc74ad87226514a69a2cb5 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Tue, 28 Jan 2025 15:40:36 +0900
Subject: [PATCH 2/2] Pass CSP list instead, and fix another call site.

---
 source | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/source b/source
index 41148c55b1e..b511c33d593 100644
--- a/source
+++ b/source
@@ -100541,8 +100541,9 @@ location.href = '#foo';</code></pre>
      <li><p><span>Queue a global task</span> on the <span>navigation and traversal task
      source</span> given <var>navigable</var>'s <span data-x="nav-window">active window</span> to
      <span>navigate to a <code>javascript:</code> URL</span> given <var>navigable</var>,
-     <var>url</var>, <var>historyHandling</var>, <var>initiatorOriginSnapshot</var>,
-     <var>userInvolvement</var>, and <var>cspNavigationType</var>.</p></li>
+     <var>url</var>, <var>historyHandling</var>, <var>sourceSnapshotParams</var>,
+     <var>initiatorOriginSnapshot</var>, <var>userInvolvement</var>, and
+     <var>cspNavigationType</var>.</p></li>
 
      <li><p>Return.</p></li>
     </ol>
@@ -100915,8 +100916,9 @@ location.href = '#foo';</code></pre>
 
   <p>To <dfn>navigate to a <code>javascript:</code> URL</dfn>, given a <span>navigable</span>
   <var>targetNavigable</var>, a <span>URL</span> <var>url</var>, a <span>history handling
-  behavior</span> <var>historyHandling</var>, an <span>origin</span> <var>initiatorOrigin</var>, a
-  <span>user navigation involvement</span> <var>userInvolvement</var>, and a string
+  behavior</span> <var>historyHandling</var>, a <span>source snapshot params</span>
+  <var>sourceSnapshotParams</var>, an <span>origin</span> <var>initiatorOrigin</var>, a <span>user
+  navigation involvement</span> <var>userInvolvement</var>, and a string
   <var>cspNavigationType</var>:</p>
 
   <ol>
@@ -100938,7 +100940,9 @@ location.href = '#foo';</code></pre>
    </li>
 
    <li><p>If the result of <span>should navigation request of type be blocked by Content Security
-   Policy?</span> given <var>request</var> and <var>cspNavigationType</var> is "<code
+   Policy?</span> given <var>request</var>, <var>cspNavigationType</var>, and
+   <var>sourceSnapshotParams</var>'s <span data-x="source-snapshot-params-policy-container">source
+   policy container</span>'s <span data-x="policy-container-csp-list">CSP list</span> is "<code
    data-x="">Blocked</code>", then return. <ref>CSP</ref></p></li>
 
    <li><p>Let <var>newDocument</var> be the result of <span data-x="evaluate a javascript:
@@ -102782,10 +102786,11 @@ location.href = '#foo';</code></pre>
      </li>
 
      <li><p>If the result of <span>should navigation request of type be blocked by Content Security
-     Policy?</span> given <var>request</var>, <var>sourceSnapshotParams</var>'s <span
-     data-x="source-snapshot-params-policy-container">source policy container</span>, and
-     <var>cspNavigationType</var> is "<code data-x="">Blocked</code>", then set <var>response</var>
-     to a <span>network error</span> and <span>break</span>. <ref>CSP</ref></p></li>
+     Policy?</span> given <var>request</var>, <var>cspNavigationType</var>, and
+     <var>sourceSnapshotParams</var>'s <span data-x="source-snapshot-params-policy-container">source
+     policy container</span>'s <span data-x="policy-container-csp-list">CSP list</span> is "<code
+     data-x="">Blocked</code>", then set <var>response</var> to a <span>network error</span> and
+     <span>break</span>. <ref>CSP</ref></p></li>
 
      <li><p>Set <var>response</var> to null.</p></li>