LibWeb: Enforce Content Security Policy of Fetch responses

Author: https://github.com/Lubrsi Commit: 7643a079c0 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3972
2025-05-03 01:38:52 +00:00 · 2024-11-28 12:30:36 +00:00 · 2024-11-28 12:30:36 +00:00 · 7643a079c0 · 2025-03-18 23:56:07 +00:00
commit 7643a079c0
parent 51796e2d3a
3 changed files with 38 additions and 2 deletions
--- a/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
+++ b/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
@ -528,8 +528,8 @@ WebIDL::ExceptionOr<GC::Ptr<PendingResponse>> main_fetch(JS::Realm& realm, Infra
            if (!response->is_network_error() && (
                    // - should internalResponse to request be blocked as mixed content
                    MixedContent::should_response_to_request_be_blocked_as_mixed_content(request, internal_response) == Infrastructure::RequestOrResponseBlocking::Blocked
-                    // FIXME: - should internalResponse to request be blocked by Content Security Policy
-                    || false
+                    // - should internalResponse to request be blocked by Content Security Policy
+                    || ContentSecurityPolicy::should_response_to_request_be_blocked_by_content_security_policy(realm, internal_response, request) == ContentSecurityPolicy::Directives::Directive::Result::Blocked
                    // - should internalResponse to request be blocked due to its MIME type
                    || Infrastructure::should_response_to_request_be_blocked_due_to_its_mime_type(internal_response, request) == Infrastructure::RequestOrResponseBlocking::Blocked
                    // - should internalResponse to request be blocked due to nosniff