Crash with "content-security-policy: require-trusted-types-for 'script'" and a `<select>` element

Open JeremiasRy opened this issue 5 months ago • 1 comments

Summary

Ladybird crashes when trying to render a `<select>` tag with a response header containing `content-security-policy: require-trusted-types-for 'script'`.

Operating system

Linux

Steps to reproduce

  1. Visit consent.google
  2. Ladybird flew off-course!

Expected behavior

Successfully load the web page.

Actual behavior

Ladybird crashes.

URL for a reduced test case

N/A

HTML/SVG/etc. source for a reduced test case

```go
// HTML itself doesn't produce the error, we need a response header in conjunction with the content to produce the crash
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Serve index.html with the CSP header that triggers the crash.
		html, _ := os.ReadFile("index.html")
		w.Header().Set("content-security-policy", "require-trusted-types-for 'script'")
		fmt.Fprint(w, string(html))
	})

	log.Println("Listening...")
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

// response HTML
```html
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>

<body>
    <select>
        <option>1</option>
        <option>2</option>
        <option>3</option>
    </select>
</body>

</html>
```

Log output and (if possible) backtrace

se it does not appear in the 'require-trusted-types-for' directive.
UNEXPECTED ERROR: Sink Element innerHTML of type 'script' requires a TrustedType to be used at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/HTMLSelectElement.cpp:628
Stack trace (most recent call first):
#0  (inlined)          in Web::DOM::Node::insert_before(GC::Ref<Web::DOM::Node>, GC::Ptr<Web::DOM::Node>, bool)::$_0::operator()(Web::DOM::Node&) const at /home/rytta/repos/ladybird/Libraries/LibWeb/DOM/Node.cpp:734:34
#1  0x00007a2afb0c677f in Web::TraversalDecision Web::DOM::Node::for_each_shadow_including_inclusive_descendant<Web::DOM::Node::insert_before(GC::Ref<Web::DOM::Node>, GC::Ptr<Web::DOM::Node>, bool)::$_0>(Web::DOM::Node::insert_before(GC::Ref<Web::DOM::Node>, GC::Ptr<Web::DOM::Node>, bool)::$_0) at /home/rytta/repos/ladybird/Libraries/LibWeb/DOM/ShadowRoot.h:129:9
#2  0x00007a2afb0c5a62 in Web::DOM::Node::insert_before(GC::Ref<Web::DOM::Node>, GC::Ptr<Web::DOM::Node>, bool) at /home/rytta/repos/ladybird/Libraries/LibWeb/DOM/Node.cpp:732:25
#3  0x00007a2afb320b1d in Web::HTML::HTMLParser::insert_an_element_at_the_adjusted_insertion_location(GC::Ref<Web::DOM::Element>) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:5717:41
#4  (inlined)          in Web::HTML::HTMLParser::insert_foreign_element(Web::HTML::HTMLToken const&, AK::Optional<AK::FlyString> const&, Web::HTML::HTMLParser::OnlyAddToElementStack) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:908:9
#5  0x00007a2afb320ded in Web::HTML::HTMLParser::insert_html_element(Web::HTML::HTMLToken const&) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:923:12
#6  0x00007a2afb31c0b6 in Web::HTML::HTMLParser::handle_in_body(Web::HTML::HTMLToken&) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:2882:15
#7  0x00007a2afb31604e in Web::HTML::HTMLParser::run(Web::HTML::HTMLTokenizer::StopAtInsertionPoint) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:244:13
#8  0x00007a2afb3172d7 in Web::HTML::HTMLParser::run(URL::URL const&, Web::HTML::HTMLTokenizer::StopAtInsertionPoint) at /home/rytta/repos/ladybird/Libraries/LibWeb/HTML/Parser/HTMLParser.cpp:270:5
#9  (inlined)          in Web::load_html_document(Web::HTML::NavigationParams const&)::$_0::operator()(AK::Detail::ByteBuffer<32ul>) const::{lambda()#1}::operator()() const at /home/rytta/repos/ladybird/Libraries/LibWeb/DOM/DocumentLoading.cpp:98:25
#10 0x00007a2afb070572 in AK::Function<void ()>::CallableWrapper<Web::load_html_document(Web::HTML::NavigationParams const&)::$_0::operator()(AK::Detail::ByteBuffer<32ul>) const::{lambda()#1}>::call() at /home/rytta/repos/ladybird/AK/Function.h:225:20
#11 (inlined)          in AK::Function<void ()>::operator()() const at /home/rytta/repos/ladybird/AK/Function.h:148:25
#12 (inlined)          in Web::Platform::EventLoopPluginSerenity::deferred_invoke(GC::Root<GC::Function<void ()> >)::$_0::operator()() const at /home/rytta/repos/ladybird/Libraries/LibWeb/Platform/EventLoopPluginSerenity.cpp:29:9
#13 0x00007a2afb519a38 in AK::Function<void ()>::CallableWrapper<Web::Platform::EventLoopPluginSerenity::deferred_invoke(GC::Root<GC::Function<void ()> >)::$_0>::call() at /home/rytta/repos/ladybird/AK/Function.h:225:20
#14 (inlined)          in AK::Function<void ()>::operator()() const at /home/rytta/repos/ladybird/AK/Function.h:148:25
#15 0x00007a2afa083967 in Core::ThreadEventQueue::process() at /home/rytta/repos/ladybird/Libraries/LibCore/ThreadEventQueue.cpp:118:13
#16 (inlined)          in Core::EventLoopImplementationUnix::pump(Core::EventLoopImplementation::PumpMode) at /home/rytta/repos/ladybird/Libraries/LibCore/EventLoopImplementationUnix.cpp:318:40
#17 0x00007a2afa08934b in Core::EventLoopImplementationUnix::exec() at /home/rytta/repos/ladybird/Libraries/LibCore/EventLoopImplementationUnix.cpp:310:9
#18 0x00007a2afa07acc6 in Core::EventLoop::exec() at /home/rytta/repos/ladybird/Libraries/LibCore/EventLoop.cpp:90:20
#19 0x000059a970624036 in ladybird_main(Main::Arguments) at /home/rytta/repos/ladybird/Services/WebContent/main.cpp:214:23
#20 0x000059a97072dc5d in main at /home/rytta/repos/ladybird/Libraries/LibMain/Main.cpp:46:19
#21 0x00007a2af8a2a1c9 in __libc_start_call_main at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0x00007a2af8a2a28a in __libc_start_main_impl at ./csu/../csu/libc-start.c:360:3
#23 0x000059a970622af4 in _start at /home/rytta/repos/ladybird/Build/debug/libexec/WebContent
117539.061 Ladybird(831885): WebContent process crashed! Last page loaded: http://localhost:8080/

Screenshots or screen recordings

No response

Build flags or config settings

No response

Contribute a patch?

I've located the erroneous code and would like to provide the patch myself.

  • [x] I’ll contribute a patch for this myself.

JeremiasRy, Oct 31 '25 06:10
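
For triaging which responses meet the condition in this report, the following Go sketch (an added example, not code from the issue or from Ladybird) parses a response's enforced CSP and reports whether it requests Trusted Types for the 'script' sink group. The function names `requiresTrustedTypes` and `enforcesTrustedTypes` are hypothetical, the sample header is constructed from the reproduction above, and matching the `'script'` keyword exactly as written in the report is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// requiresTrustedTypes reports whether one serialized policy carries
// require-trusted-types-for with the 'script' sink group.
func requiresTrustedTypes(policy string) bool {
	for _, raw := range strings.Split(policy, ";") {
		fields := strings.Fields(raw)
		// Directive names are matched case-insensitively.
		if len(fields) == 0 || !strings.EqualFold(fields[0], "require-trusted-types-for") {
			continue
		}
		// The first occurrence decides: repeated directives are ignored.
		for _, v := range fields[1:] {
			if v == "'script'" { // assumption: keyword compared as written
				return true
			}
		}
		return false
	}
	return false
}

// enforcesTrustedTypes checks every enforced policy delivered in h.
// Content-Security-Policy-Report-Only is skipped: it reports, it does not enforce.
func enforcesTrustedTypes(h http.Header) bool {
	for _, line := range h.Values("Content-Security-Policy") {
		// One header line may carry several comma-separated policies.
		for _, policy := range strings.Split(line, ",") {
			if requiresTrustedTypes(policy) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: the header set by the reproduction server.
	h := http.Header{}
	h.Set("content-security-policy", "require-trusted-types-for 'script'")
	fmt.Println(enforcesTrustedTypes(h))
}
```
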

Should be fixed in 6632

JeremiasRy, Oct 31 '25 09:10