LibWeb/Fetch: Implement the "set the Sec-Fetch-Site header" AO

Jamie Mansfield 2024-04-29 20:56:30 +01:00 committed by Andreas Kling
parent 5eb46a5f01
commit 1ff90aa3e0
Notes: sideshowbarker 2024-07-16 18:03:21 +09:00
2 changed files with 40 additions and 0 deletions


@ -2039,4 +2039,43 @@ void set_sec_fetch_mode_header(Infrastructure::Request& request)
request.header_list()->append(move(header));
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-set-site
void set_sec_fetch_site_header(Infrastructure::Request& request)
{
// 1. Assert: rs url is a potentially trustworthy URL.
VERIFY(SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy);
// 2. Let header be a Structured Header whose value is a token.
// FIXME: This is handled below, as Serenity doesn't have APIs for RFC 8941.
// 3. Set headers value to same-origin.
auto header_value = "same-origin"sv;
// FIXME: 4. If r is a navigation request that was explicitly caused by a users interaction with the user agent (by typing an address
// into the user agent directly, for example, or by clicking a bookmark, etc.), then set headers value to none.
// 5. If headers value is not none, then for each url in rs url list:
if (!header_value.equals_ignoring_ascii_case("none"sv)) {
for (auto& url : request.url_list()) {
// 1. If url is same origin with rs origin, continue.
if (DOMURL::url_origin(url).is_same_origin(DOMURL::url_origin(request.current_url())))
continue;
// 2. Set headers value to cross-site.
header_value = "cross-site"sv;
// FIXME: 3. If rs origin is not same site with urls origin, then break.
// FIXME: 4. Set headers value to same-site.
}
}
// 6. Set a structured field value `Sec-Fetch-Site`/header in rs header list.
auto header = Infrastructure::Header {
.name = MUST(ByteBuffer::copy("Sec-Fetch-Site"sv.bytes())),
.value = MUST(ByteBuffer::copy(header_value.bytes())),
};
request.header_list()->append(move(header));
}
}
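Review bot: Step 5.1 in set_sec_fetch_site_header compares each URL's origin with `DOMURL::url_origin(request.current_url())`, but the spec text quoted just above it says "r's origin", which is the origin of the request's initiator, not of its destination. If current_url() is the last entry of the URL list, as Fetch defines it, a cross-origin request that has not been redirected compares its only URL with itself, hits `continue`, and is sent labelled `same-origin`. Servers rely on Sec-Fetch-Site to reject cross-site requests, so this mislabel weakens that defence; the comparison should use the request's own origin, e.g. `if (DOMURL::url_origin(url).is_same_origin(request_origin))` with `request_origin` resolved from the request's origin field before the loop (that accessor is not visible in this hunk). Separately, the `VERIFY` in step 1 aborts the process unless the caller has already returned early for URLs that are not potentially trustworthy; that caller is outside this hunk and worth checking.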