[Backport] Security bug 1292905

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3551609:
Disallow CSS-wide keywords for StylePropertyMap.set

We don't support this properly, and the spec does not handle CSS-keywords
either. Disallow it until we can add proper support for this.

Fixed: 1292905
Bug: 1310761
Change-Id: Ieb3d20edfea72c2ccb0928536fdfd86d10aad1a9
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/main@{#986411}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 4 insertions, 2 deletions

diff --git a/chromium/third_party/blink/renderer/build/scripts/core/css/templates/cssom_keywords.cc.tmpl b/chromium/third_party/blink/renderer/build/scripts/core/css/templates/cssom_keywords.cc.tmpl
index 87caef2cf5c..59c50570721 100644
--- a/chromium/third_party/blink/renderer/build/scripts/core/css/templates/cssom_keywords.cc.tmpl
+++ b/chromium/third_party/blink/renderer/build/scripts/core/css/templates/cssom_keywords.cc.tmpl
@@ -21,8 +21,10 @@ bool CSSOMKeywords::ValidKeywordForProperty(CSSPropertyID id,
     return false;
   }
 
-  if (css_parsing_utils::IsCSSWideKeyword(valueID))
-    return true;
+  if (css_parsing_utils::IsCSSWideKeyword(valueID)) {
+    // TODO(crbug.com/1310761): Support CSS-wide keywords in custom props.
+    return id != CSSPropertyID::kVariable;
+  }
 
   switch (id) {
   {% for property in properties if property.keywordIDs and 'Keyword' in property.typedom_types %}