LibWeb: Report CSP violations for request

Author: https://github.com/Lubrsi Commit: https://github.com/LadybirdBrowser/ladybird/commit/51796e2d3a7 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3972
2025-04-20 19:45:12 +00:00 · 2024-11-28 11:57:04 +00:00 · 2024-11-28 11:57:04 +00:00 · 51796e2d3a · 2025-03-18 23:56:12 +00:00
commit 51796e2d3a
parent 6f771f45e2
3 changed files with 28 additions and 1 deletions
--- a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp
@ -65,6 +65,30 @@ namespace Web::ContentSecurityPolicy {
    return violates;
 }

+// https://w3c.github.io/webappsec-csp/#report-for-request
+void report_content_security_policy_violations_for_request(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request)
+{
+    // 1. Let CSP list be request’s policy container's CSP list.
+    auto csp_list = request->policy_container().get<GC::Ref<HTML::PolicyContainer>>()->csp_list;
+
+    // 2. For each policy of CSP list:
+    for (auto policy : csp_list->policies()) {
+        // 1. If policy’s disposition is "enforce", then skip to the next policy.
+        if (policy->disposition() == Policy::Disposition::Enforce)
+            continue;
+
+        // 2. Let violates be the result of executing § 6.7.2.1 Does request violate policy? on request and policy.
+        auto violates = does_request_violate_policy(realm, request, policy);
+
+        // 3. If violates is not "Does Not Violate", then execute § 5.5 Report a violation on the result of executing
+        //    § 2.4.2 Create a violation object for request, and policy. on request, and policy.
+        if (violates) {
+            auto violation = Violation::create_a_violation_object_for_request_and_policy(realm, request, policy);
+            violation->report_a_violation(realm);
+        }
+    }
+}
+
 Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request)
 {
    // 1. Let CSP list be request’s policy container's CSP list.
--- a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h
@ -10,6 +10,7 @@

 namespace Web::ContentSecurityPolicy {

+void report_content_security_policy_violations_for_request(JS::Realm&, GC::Ref<Fetch::Infrastructure::Request>);
 [[nodiscard]] Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm&, GC::Ref<Fetch::Infrastructure::Request>);

 }
--- a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@ -286,7 +286,9 @@ WebIDL::ExceptionOr<GC::Ptr<PendingResponse>> main_fetch(JS::Realm& realm, Infra
    if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url()))
        response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"sv);

-    // FIXME: 4. Run report Content Security Policy violations for request.
+    // 4. Run report Content Security Policy violations for request.
+    ContentSecurityPolicy::report_content_security_policy_violations_for_request(realm, request);
+
    // FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate.

    // 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.