From 7ce35b75aa52a9c215bd1c59e0c66b51bf23f4eb Mon Sep 17 00:00:00 2001 From: Jamie Mansfield Date: Wed, 29 May 2024 19:40:01 +0100 Subject: [PATCH] LibWeb: Implement should block mixed content response to request --- .../LibWeb/Fetch/Fetching/Fetching.cpp | 4 +-- .../MixedContent/AbstractOperations.cpp | 25 +++++++++++++++++++ .../LibWeb/MixedContent/AbstractOperations.h | 2 ++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp index 222db7178c2..4a0711d23ca 100644 --- a/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp +++ b/Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp @@ -474,8 +474,8 @@ WebIDL::ExceptionOr> main_fetch(JS::Realm& realm, Inf // 19. If response is not a network error and any of the following returns blocked if (!response->is_network_error() && ( - // FIXME: - should internalResponse to request be blocked as mixed content - false + // - should internalResponse to request be blocked as mixed content + MixedContent::should_response_to_request_be_blocked_as_mixed_content(request, internal_response) == Infrastructure::RequestOrResponseBlocking::Blocked // FIXME: - should internalResponse to request be blocked by Content Security Policy || false // - should internalResponse to request be blocked due to its MIME type diff --git a/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp b/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp index 73acf022d72..ae3e63580e7 100644 --- a/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp +++ b/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp @@ -4,6 +4,7 @@ * SPDX-License-Identifier: BSD-2-Clause */ +#include #include #include #include @@ -88,4 +89,28 @@ Fetch::Infrastructure::RequestOrResponseBlocking should_fetching_request_be_bloc return Fetch::Infrastructure::RequestOrResponseBlocking::Blocked; } +// https://w3c.github.io/webappsec-mixed-content/#should-block-response +Web::Fetch::Infrastructure::RequestOrResponseBlocking should_response_to_request_be_blocked_as_mixed_content(Fetch::Infrastructure::Request& request, JS::NonnullGCPtr& response) +{ + // 1. Return allowed if one or more of the following conditions are met: + if ( + // 1. § 4.3 Does settings prohibit mixed security contexts? returns Does Not Restrict Mixed Content when applied to request’s client. + does_settings_prohibit_mixed_security_contexts(request.client()) == ProhibitsMixedSecurityContexts::DoesNotRestrictMixedSecurityContexts + + // 2. response’s url is a potentially trustworthy URL. + || (response->url().has_value() && SecureContexts::is_url_potentially_trustworthy(response->url().value()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy) + + // FIXME: 3. The user agent has been instructed to allow mixed content, as described in § 7.2 User Controls). + || false + + // 4. request’s destination is "document", and request’s target browsing context has no parent browsing context. + || (request.destination() == Fetch::Infrastructure::Request::Destination::Document && !request.client()->target_browsing_context->parent())) { + return Fetch::Infrastructure::RequestOrResponseBlocking::Allowed; + } + + // 2. Return blocked. + dbgln("MixedContent: Blocked '{}' (response to request)", MUST(request.url().to_string())); + return Fetch::Infrastructure::RequestOrResponseBlocking::Blocked; +} + } diff --git a/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.h b/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.h index c46121a16ec..9025c902f38 100644 --- a/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.h +++ b/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.h @@ -23,4 +23,6 @@ ProhibitsMixedSecurityContexts does_settings_prohibit_mixed_security_contexts(JS Fetch::Infrastructure::RequestOrResponseBlocking should_fetching_request_be_blocked_as_mixed_content(Fetch::Infrastructure::Request&); +Fetch::Infrastructure::RequestOrResponseBlocking should_response_to_request_be_blocked_as_mixed_content(Fetch::Infrastructure::Request&, JS::NonnullGCPtr&); + }