diff --git a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp index c3af4811408..6b8bf4cd852 100644 --- a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp +++ b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp @@ -65,6 +65,30 @@ namespace Web::ContentSecurityPolicy { return violates; } +// https://w3c.github.io/webappsec-csp/#report-for-request +void report_content_security_policy_violations_for_request(JS::Realm& realm, GC::Ref request) +{ + // 1. Let CSP list be request’s policy container's CSP list. + auto csp_list = request->policy_container().get>()->csp_list; + + // 2. For each policy of CSP list: + for (auto policy : csp_list->policies()) { + // 1. If policy’s disposition is "enforce", then skip to the next policy. + if (policy->disposition() == Policy::Disposition::Enforce) + continue; + + // 2. Let violates be the result of executing § 6.7.2.1 Does request violate policy? on request and policy. + auto violates = does_request_violate_policy(realm, request, policy); + + // 3. If violates is not "Does Not Violate", then execute § 5.5 Report a violation on the result of executing + // § 2.4.2 Create a violation object for request, and policy. on request, and policy. + if (violates) { + auto violation = Violation::create_a_violation_object_for_request_and_policy(realm, request, policy); + violation->report_a_violation(realm); + } + } +} + Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm& realm, GC::Ref request) { // 1. Let CSP list be request’s policy container's CSP list. diff --git a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h index 572d0e8e630..019526fd837 100644 --- a/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h +++ b/Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h @@ -10,6 +10,7 @@ namespace Web::ContentSecurityPolicy { +void report_content_security_policy_violations_for_request(JS::Realm&, GC::Ref); [[nodiscard]] Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm&, GC::Ref); } diff --git a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp index 47663360a4f..66a8d0dc2cc 100644 --- a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp +++ b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp @@ -286,7 +286,9 @@ WebIDL::ExceptionOr> main_fetch(JS::Realm& realm, Infra if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url())) response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"sv); - // FIXME: 4. Run report Content Security Policy violations for request. + // 4. Run report Content Security Policy violations for request. + ContentSecurityPolicy::report_content_security_policy_violations_for_request(realm, request); + // FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate. // 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.