diff --git a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp index c9e05ab1d7d..7cfdda7137f 100644 --- a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp +++ b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp @@ -15,7 +15,7 @@ namespace Web::ContentSecurityPolicy { // https://w3c.github.io/webappsec-csp/#does-resource-hint-violate-policy -[[nodiscard]] static GC::Ptr does_resource_hint_request_violate_policy(JS::Realm& realm, GC::Ref request, GC::Ref policy) +[[nodiscard]] static GC::Ptr does_resource_hint_request_violate_policy(GC::Heap& heap, GC::Ref request, GC::Ref policy) { // 1. Let defaultDirective be policy’s first directive whose name is "default-src". auto default_directive_iterator = policy->directives().find_if([](auto const& directive) { @@ -29,7 +29,7 @@ namespace Web::ContentSecurityPolicy { // 3. For each directive of policy: for (auto directive : policy->directives()) { // 1. Let result be the result of executing directive’s pre-request check on request and policy. - auto result = directive->pre_request_check(realm, request, policy); + auto result = directive->pre_request_check(heap, request, policy); // 2. If result is "Allowed", then return "Does Not Violate". if (result == Directives::Directive::Result::Allowed) { @@ -42,12 +42,12 @@ namespace Web::ContentSecurityPolicy { } // https://w3c.github.io/webappsec-csp/#does-request-violate-policy -[[nodiscard]] static GC::Ptr does_request_violate_policy(JS::Realm& realm, GC::Ref request, GC::Ref policy) +[[nodiscard]] static GC::Ptr does_request_violate_policy(GC::Heap& heap, GC::Ref request, GC::Ref policy) { // 1. If request’s initiator is "prefetch", then return the result of executing § 6.7.2.2 Does resource hint // request violate policy? on request and policy. if (request->initiator() == Fetch::Infrastructure::Request::Initiator::Prefetch) - return does_resource_hint_request_violate_policy(realm, request, policy); + return does_resource_hint_request_violate_policy(heap, request, policy); // 2. Let violates be "Does Not Violate". GC::Ptr violates; @@ -55,7 +55,7 @@ namespace Web::ContentSecurityPolicy { // 3. For each directive of policy: for (auto directive : policy->directives()) { // 1. Let result be the result of executing directive’s pre-request check on request and policy. - auto result = directive->pre_request_check(realm, request, policy); + auto result = directive->pre_request_check(heap, request, policy); // 2. If result is "Blocked", then let violates be directive. if (result == Directives::Directive::Result::Blocked) { @@ -80,7 +80,7 @@ void report_content_security_policy_violations_for_request(JS::Realm& realm, GC: continue; // 2. Let violates be the result of executing § 6.7.2.1 Does request violate policy? on request and policy. - auto violates = does_request_violate_policy(realm, request, policy); + auto violates = does_request_violate_policy(realm.heap(), request, policy); // 3. If violates is not "Does Not Violate", then execute § 5.5 Report a violation on the result of executing // § 2.4.2 Create a violation object for request, and policy. on request, and policy. @@ -107,7 +107,7 @@ Directives::Directive::Result should_request_be_blocked_by_content_security_poli continue; // 2. Let violates be the result of executing § 6.7.2.1 Does request violate policy? on request and policy. - auto violates = does_request_violate_policy(realm, request, policy); + auto violates = does_request_violate_policy(realm.heap(), request, policy); // 3. If violates is not "Does Not Violate", then: if (violates) { @@ -141,7 +141,7 @@ Directives::Directive::Result should_response_to_request_be_blocked_by_content_s // 1. For each directive of policy: for (auto directive : policy->directives()) { // 1. If the result of executing directive’s post-request check is "Blocked", then: - if (directive->post_request_check(realm, request, response, policy) == Directives::Directive::Result::Blocked) { + if (directive->post_request_check(realm.heap(), request, response, policy) == Directives::Directive::Result::Blocked) { // 1. Execute § 5.5 Report a violation on the result of executing § 2.4.2 Create a violation object for // request, and policy. on request, and policy. auto violation = Violation::create_a_violation_object_for_request_and_policy(realm, request, policy); @@ -218,7 +218,7 @@ Directives::Directive::Result should_navigation_request_of_type_be_blocked_by_co // spec operation to serialize the URL. auto& realm = navigation_request->client()->realm(); auto serialized_url = navigation_request->current_url().to_string(); - if (directive->inline_check(realm, nullptr, Directives::Directive::InlineType::Navigation, policy, serialized_url) == Directives::Directive::Result::Allowed) + if (directive->inline_check(realm.heap(), nullptr, Directives::Directive::InlineType::Navigation, policy, serialized_url) == Directives::Directive::Result::Allowed) continue; // 3. Otherwise, let violation be the result of executing § 2.4.1 Create a violation object for global, diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/Directive.h b/Libraries/LibWeb/ContentSecurityPolicy/Directives/Directive.h index 38bc90bd666..82ba06c1623 100644 --- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/Directive.h +++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/Directive.h @@ -52,20 +52,20 @@ public: // 1. A pre-request check, which takes a request and a policy as an argument, and is executed during // § 4.1.2 Should request be blocked by Content Security Policy?. This algorithm returns "Allowed" // unless otherwise specified. - [[nodiscard]] virtual Result pre_request_check(JS::Realm&, GC::Ref, GC::Ref) const { return Result::Allowed; } + [[nodiscard]] virtual Result pre_request_check(GC::Heap&, GC::Ref, GC::Ref) const { return Result::Allowed; } // https://w3c.github.io/webappsec-csp/#directive-post-request-check // 2. A post-request check, which takes a request, a response, and a policy as arguments, and is executed during // § 4.1.3 Should response to request be blocked by Content Security Policy?. This algorithm returns "Allowed" // unless otherwise specified. - [[nodiscard]] virtual Result post_request_check(JS::Realm&, GC::Ref, GC::Ref, GC::Ref) const { return Result::Allowed; } + [[nodiscard]] virtual Result post_request_check(GC::Heap&, GC::Ref, GC::Ref, GC::Ref) const { return Result::Allowed; } // https://w3c.github.io/webappsec-csp/#directive-inline-check // 3. An inline check, which takes an Element, a type string, a policy, and a source string as arguments, and is // executed during § 4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? and // during § 4.2.4 Should navigation request of type be blocked by Content Security Policy? for javascript: // requests. This algorithm returns "Allowed" unless otherwise specified. - [[nodiscard]] virtual Result inline_check(JS::Realm&, GC::Ptr, InlineType, GC::Ref, String const&) const { return Result::Allowed; } + [[nodiscard]] virtual Result inline_check(GC::Heap&, GC::Ptr, InlineType, GC::Ref, String const&) const { return Result::Allowed; } // https://w3c.github.io/webappsec-csp/#directive-initialization // 4. An initialization, which takes a Document or global object and a policy as arguments. This algorithm is