mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-07-29 12:19:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

LibWeb: Report CSP violations for request

Browse source
This commit is contained in:
Luke Wilde 2024-11-28 11:57:04 +00:00 committed by Alexander Kalenik
commit 51796e2d3a
Notes: github-actions[bot] 2025-03-18 23:56:12 +00:00
3 changed files with 28 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

24
Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp
View file

@ -65,6 +65,30 @@ namespace Web::ContentSecurityPolicy {
return violates; return violates;
} }
// https://w3c.github.io/webappsec-csp/#report-for-request
void report_content_security_policy_violations_for_request(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request)
{
// 1. Let CSP list be requests policy container's CSP list.
auto csp_list = request->policy_container().get<GC::Ref<HTML::PolicyContainer>>()->csp_list;
// 2. For each policy of CSP list:
for (auto policy : csp_list->policies()) {
// 1. If policys disposition is "enforce", then skip to the next policy.
if (policy->disposition() == Policy::Disposition::Enforce)
continue;
// 2. Let violates be the result of executing § 6.7.2.1 Does request violate policy? on request and policy.
auto violates = does_request_violate_policy(realm, request, policy);
// 3. If violates is not "Does Not Violate", then execute § 5.5 Report a violation on the result of executing
// § 2.4.2 Create a violation object for request, and policy. on request, and policy.
if (violates) {
auto violation = Violation::create_a_violation_object_for_request_and_policy(realm, request, policy);
violation->report_a_violation(realm);
}
}
}
Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request) Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request)
{ {
// 1. Let CSP list be requests policy container's CSP list. // 1. Let CSP list be requests policy container's CSP list.

1
Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h
View file

@ -10,6 +10,7 @@
namespace Web::ContentSecurityPolicy { namespace Web::ContentSecurityPolicy {
void report_content_security_policy_violations_for_request(JS::Realm&, GC::Ref<Fetch::Infrastructure::Request>);
[[nodiscard]] Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm&, GC::Ref<Fetch::Infrastructure::Request>); [[nodiscard]] Directives::Directive::Result should_request_be_blocked_by_content_security_policy(JS::Realm&, GC::Ref<Fetch::Infrastructure::Request>);
} }

4
Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
View file

@ -286,7 +286,9 @@ WebIDL::ExceptionOr<GC::Ptr<PendingResponse>> main_fetch(JS::Realm& realm, Infra
if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url())) if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url()))
response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"sv); response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"sv);
// FIXME: 4. Run report Content Security Policy violations for request. // 4. Run report Content Security Policy violations for request.
ContentSecurityPolicy::report_content_security_policy_violations_for_request(realm, request);
// FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate. // FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate.
// 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate. // 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.