LibWeb: Enforce Content Security Policy on navigation request/response

This commit is contained in:
Luke Wilde 2024-11-25 17:50:37 +00:00 committed by Alexander Kalenik
commit 278666edcd
Notes: github-actions[bot] 2025-04-01 02:02:22 +00:00
7 changed files with 256 additions and 19 deletions


@ -190,4 +190,38 @@ ShouldExecute should_fetch_directive_execute(Optional<FlyString> effective_direc
return ShouldExecute::No;
}
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
FlyString get_the_effective_directive_for_inline_checks(Directive::InlineType type)
{
// Spec Note: While the effective directive is only defined for requests, in this algorithm it is used similarly to
// mean the directive that is most relevant to a particular type of inline check.
// Switch on type:
switch (type) {
// "script"
// "navigation"
// Return script-src-elem.
case Directive::InlineType::Script:
case Directive::InlineType::Navigation:
return Names::ScriptSrcElem;
// "script attribute"
// Return script-src-attr.
case Directive::InlineType::ScriptAttribute:
return Names::ScriptSrcAttr;
// "style"
// Return style-src-elem.
case Directive::InlineType::Style:
return Names::StyleSrcElem;
// "style attribute"
// Return style-src-attr.
case Directive::InlineType::StyleAttribute:
return Names::StyleSrcAttr;
}
// 2. Return null.
// FIXME: File spec issue that this should be invalid, as the result of this algorithm ends up being piped into
// Violation's effective directive, which is defined to be a non-empty string.
VERIFY_NOT_REACHED();
}
}
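Review bot: The `// 2. Return null.` comment above `VERIFY_NOT_REACHED()` states what the spec does rather than what this code does: every `Directive::InlineType` enumerator is handled by the switch, so the step is never reached, and if it were the process would abort instead of handing a null directive down to the violation machinery. I would make that deviation explicit so a reader does not take the comment as a description of the return path, e.g. `// 2. Return null. (Deviation: all InlineType values are handled above, so this step is unreachable; we assert rather than return an empty directive name.)` placed before the existing FIXME. The FIXME about filing a spec issue can stay as is; it explains why the spec's null result is undesirable, but not that this implementation already refuses to produce one.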


@ -8,6 +8,7 @@
#include <AK/StringView.h>
#include <LibGC/Ptr.h>
#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
#include <LibWeb/Forward.h>
namespace Web::ContentSecurityPolicy::Directives {
@ -21,4 +22,6 @@ enum class ShouldExecute {
[[nodiscard]] Vector<StringView> get_fetch_directive_fallback_list(Optional<FlyString> directive_name);
[[nodiscard]] ShouldExecute should_fetch_directive_execute(Optional<FlyString> effective_directive_name, FlyString const& directive_name, GC::Ref<Policy const> policy);
[[nodiscard]] FlyString get_the_effective_directive_for_inline_checks(Directive::InlineType type);
}