LibWeb: Implement integrity-metadata part of fetch algorithm

Specifically, this makes `<link>` elements with an `integrity` attribute actually work. Previously, we would load their resource, and then drop it on the floor without actually using it. The Subresource Integrity code is in `LibWeb/SRI`, since SRI is the name of the recommendation spec: https://www.w3.org/TR/SRI/ However, the Fetch spec links to the editor's draft, which varies significantly from the recommendation, and so that is what the code is based on and what the spec comments link to: https://w3c.github.io/webappsec-subresource-integrity/ Fixes #18408
Author: https://github.com/AtkinsSJ Commit: 22e0603bf7 Pull-request: https://github.com/SerenityOS/serenity/pull/18441 Reviewed-by: https://github.com/linusg Reviewed-by: https://github.com/nico Reviewed-by: https://github.com/trflynn89
2025-09-10 11:36:22 +00:00 · 2023-04-20 16:52:01 +01:00 · 2023-04-20 16:52:01 +01:00 · 22e0603bf7 · 2024-07-17 08:55:54 +09:00
commit 22e0603bf7
parent 6d93e03211
4 changed files with 244 additions and 8 deletions
--- a/Userland/Libraries/LibWeb/SRI/SRI.h
+++ b/Userland/Libraries/LibWeb/SRI/SRI.h
@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2023, Sam Atkins <atkinssj@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/String.h>
+
+namespace Web::SRI {
+
+// https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata
+struct Metadata {
+    String algorithm;    // "alg"
+    String base64_value; // "val"
+    String options {};   // "opt"
+};
+
+ErrorOr<String> apply_algorithm_to_bytes(StringView algorithm, ByteBuffer const& bytes);
+ErrorOr<Vector<Metadata>> parse_metadata(StringView metadata);
+ErrorOr<Vector<Metadata>> get_strongest_metadata_from_set(Vector<Metadata> const& set);
+ErrorOr<bool> do_bytes_match_metadata_list(ByteBuffer const& bytes, StringView metadata_list);
+
+}