LibWeb: Enforce Content Security Policy on Fetch requests

Author: https://github.com/Lubrsi Commit: 6f771f45e2 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3972
2025-07-06 17:11:51 +00:00 · 2024-11-25 17:29:27 +00:00 · 2024-11-25 17:29:27 +00:00 · 6f771f45e2 · 2025-03-18 23:56:19 +00:00
commit 6f771f45e2
parent 86170f4bfd
5 changed files with 122 additions and 2 deletions
--- a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@ -15,6 +15,7 @@
 #include <LibRequests/RequestTimingInfo.h>
 #include <LibWeb/Bindings/MainThreadVM.h>
 #include <LibWeb/Bindings/PrincipalHostDefined.h>
+#include <LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h>
 #include <LibWeb/Cookie/Cookie.h>
 #include <LibWeb/DOM/Document.h>
 #include <LibWeb/DOMURL/DOMURL.h>
@ -295,8 +296,7 @@ WebIDL::ExceptionOr<GC::Ptr<PendingResponse>> main_fetch(JS::Realm& realm, Infra
    //    should request be blocked by Content Security Policy returns blocked, then set response to a network error.
    if (Infrastructure::block_bad_port(request) == Infrastructure::RequestOrResponseBlocking::Blocked
        || MixedContent::should_fetching_request_be_blocked_as_mixed_content(request) == Infrastructure::RequestOrResponseBlocking::Blocked
-        || false // FIXME: "should request be blocked by Content Security Policy returns blocked"
-    ) {
+        || ContentSecurityPolicy::should_request_be_blocked_by_content_security_policy(realm, request) == ContentSecurityPolicy::Directives::Directive::Result::Blocked) {
        response = Infrastructure::Response::network_error(vm, "Request was blocked"sv);
    }