mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-01 07:52:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

LibWeb: Enforce Content Security Policy on navigation request/response
Some checks are pending
CI / Lagom (x86_64, Fuzzers_CI, false, ubuntu-24.04, Linux, Clang) (push) Waiting to run
Details
CI / Lagom (arm64, Sanitizer_CI, false, macos-15, macOS, Clang) (push) Waiting to run
Details
CI / Lagom (x86_64, Sanitizer_CI, false, ubuntu-24.04, Linux, GNU) (push) Waiting to run
Details
CI / Lagom (x86_64, Sanitizer_CI, true, ubuntu-24.04, Linux, Clang) (push) Waiting to run
Details
Package the js repl as a binary artifact / build-and-package (macos-14, macOS, macOS-universal2) (push) Waiting to run
Details
Package the js repl as a binary artifact / build-and-package (ubuntu-24.04, Linux, Linux-x86_64) (push) Waiting to run
Details
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Details
Lint Code / lint (push) Waiting to run
Details
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Details
Push notes / build (push) Waiting to run
Details

Browse source
This commit is contained in:
Luke Wilde 2024-11-25 17:50:37 +00:00 committed by Alexander Kalenik
parent 004173f88b
commit 278666edcd
Notes: github-actions[bot] 2025-04-01 02:02:22 +00:00
7 changed files with 256 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

22
Libraries/LibWeb/HTML/NavigationParams.cpp
View file

@ -4,6 +4,8 @@
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
#include <LibWeb/ContentSecurityPolicy/PolicyList.h>
#include <LibWeb/DOM/Document.h>
#include <LibWeb/Fetch/Infrastructure/FetchController.h>
#include <LibWeb/HTML/Navigable.h>
@ -33,17 +35,27 @@ void NonFetchSchemeNavigationParams::visit_edges(Visitor& visitor)
}
// https://html.spec.whatwg.org/multipage/document-lifecycle.html#check-a-navigation-response's-adherence-to-x-frame-options
// FIXME: Add the cspList parameter
bool check_a_navigation_responses_adherence_to_x_frame_options(GC::Ptr<Fetch::Infrastructure::Response> response, Navigable* navigable, URL::Origin destination_origin)
bool check_a_navigation_responses_adherence_to_x_frame_options(GC::Ptr<Fetch::Infrastructure::Response> response, Navigable* navigable, GC::Ref<ContentSecurityPolicy::PolicyList const> csp_list, URL::Origin destination_origin)
{
// 1. If navigable is not a child navigable, then return true.
if (!navigable->parent()) {
return true;
}
// FIXME: 2. For each policy of cspList:
// 1. If policy's disposition is not "enforce", then continue.
// 2. If policy's directive set contains a frame-ancestors directive, then return true.
// 2. For each policy of cspList:
for (auto const policy : csp_list->policies()) {
// 1. If policy's disposition is not "enforce", then continue.
if (policy->disposition() != ContentSecurityPolicy::Policy::Disposition::Enforce)
continue;
// 2. If policy's directive set contains a frame-ancestors directive, then return true.
auto maybe_frame_ancestors = policy->directives().find_if([](auto const& directive) {
return directive->name() == ContentSecurityPolicy::Directives::Names::FrameAncestors;
});
if (!maybe_frame_ancestors.is_end())
return true;
}
// 3. Let rawXFrameOptions be the result of getting, decoding, and splitting `X-Frame-Options` from response's header list.
auto raw_x_frame_options = response->header_list()->get_decode_and_split("X-Frame-Options"sv.bytes());