LibWeb: Support the X-Frame-Options header

Navigation responses are now checked for adherence to the
`X-Frame-Options` header and an error is shown accordingly.
Glenn Skrzypczak 2024-12-05 00:33:35 +01:00 committed by Tim Ledbetter
parent 88884c370c
commit 156f9fff32
Notes: github-actions[bot] 2024-12-07 08:38:54 +00:00
5 changed files with 88 additions and 3 deletions


@ -1165,10 +1165,16 @@ WebIDL::ExceptionOr<void> Navigable::populate_session_history_entry_document(
// - navigationParams is null;
// - FIXME: the result of should navigation response to navigation request of type in target be blocked by Content Security Policy? given navigationParams's request, navigationParams's response, navigationParams's policy container's CSP list, cspNavigationType, and navigable is "Blocked";
// - FIXME: navigationParams's reserved environment is non-null and the result of checking a navigation response's adherence to its embedder policy given navigationParams's response, navigable, and navigationParams's policy container's embedder policy is false; or
// - FIXME: the result of checking a navigation response's adherence to `X-Frame-Options` given navigationParams's response, navigable, navigationParams's policy container's CSP list, and navigationParams's origin is false,
if (navigation_params.has<NullOrError>()) {
// - the result of checking a navigation response's adherence to `X-Frame-Options` given navigationParams's response, navigable, navigationParams's policy container's CSP list, and navigationParams's origin is false,
if (navigation_params.visit(
[](NullOrError) { return true; },
[this](GC::Ref<NavigationParams> navigation_params) {
// FIXME: Pass in navigationParams's policy container's CSP list
return !check_a_navigation_responses_adherence_to_x_frame_options(navigation_params->response, this, navigation_params->origin);
},
[](GC::Ref<NonFetchSchemeNavigationParams>) { return false; })) {
// 1. Set entry's document state's document to the result of creating a document for inline content that doesn't have a DOM, given navigable, null, and navTimingType. The inline content should indicate to the user the sort of error that occurred.
auto error_message = navigation_params.get<NullOrError>().value_or("Unknown error"sv);
auto error_message = navigation_params.has<NullOrError>() ? navigation_params.get<NullOrError>().value_or("Unknown error"sv) : "The request was denied."sv;
auto error_html = load_error_page(entry->url(), error_message).release_value_but_fixme_should_propagate_errors();
entry->document_state()->set_document(create_document_for_inline_content(this, navigation_id, [this, error_html](auto& document) {