Use of "Get the effective directive for inline checks" in "Should navigation request of type from source in target be blocked by Content Security Policy?" doesn't seem to make sense

[bzbarsky]

I am looking at https://w3c.github.io/webappsec-csp/#should-block-navigation-request step 3.1.1.1 and step 3.1.1.3.

The former calls into https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check and passes in either "form submission" or "other" as a type. In either case, the returned value will be null.

The latter calls into https://w3c.github.io/webappsec-csp/#create-violation-for-global which expects to be passed a string for directive. null is not a string.

What's actually supposed to happen here?

[TimvdLippe]

I am implementing this in Servo atm and ran into the exact same issue. Based on the WPT tests, it seems that instead of type it should run on InlineCheckType::Navigation: https://github.com/web-platform-tests/wpt/blob/5726251d00e45c1ef06b0894dd843a93359c8f13/content-security-policy/navigation/to-javascript-url-script-src.html#L14

[antosart]

This seems a bug introduced by #365. Fixing in #722.