LibWeb: Create policy containers from responses and then run CSP init

This allows us to parse the Content-Security-Policy header and Referrer-Policy header from navigation responses and actually allow them to start having an effect.
Author: https://github.com/Lubrsi Commit: 819bff9ec0 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3805
2025-04-27 06:48:49 +00:00 · 2024-11-25 17:01:26 +00:00 · 2024-11-25 17:01:26 +00:00 · 819bff9ec0 · 2025-03-13 15:20:26 +00:00
commit 819bff9ec0
parent 435f839ced
8 changed files with 113 additions and 6 deletions
--- a/Libraries/LibWeb/HTML/PolicyContainers.cpp
+++ b/Libraries/LibWeb/HTML/PolicyContainers.cpp
@ -9,6 +9,7 @@
 #include <LibURL/URL.h>
 #include <LibWeb/ContentSecurityPolicy/Policy.h>
 #include <LibWeb/ContentSecurityPolicy/PolicyList.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
 #include <LibWeb/Fetch/Infrastructure/URL.h>
 #include <LibWeb/HTML/PolicyContainers.h>
 #include <LibWeb/HTML/SerializedPolicyContainer.h>
@ -34,6 +35,29 @@ bool url_requires_storing_the_policy_container_in_history(URL::URL const& url)
    return Fetch::Infrastructure::is_local_url(url);
 }

+// https://html.spec.whatwg.org/multipage/browsers.html#creating-a-policy-container-from-a-fetch-response
+GC::Ref<PolicyContainer> create_a_policy_container_from_a_fetch_response(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ptr<Environment>)
+{
+    // FIXME: 1. If response's URL's scheme is "blob", then return a clone of response's URL's blob URL entry's
+    //           environment's policy container.
+
+    // 2. Let result be a new policy container.
+    GC::Ref<PolicyContainer> result = realm.create<PolicyContainer>(realm);
+
+    // 3. Set result's CSP list to the result of parsing a response's Content Security Policies given response.
+    result->csp_list = ContentSecurityPolicy::Policy::parse_a_responses_content_security_policies(realm, response);
+
+    // FIXME: 4. If environment is non-null, then set result's embedder policy to the result of obtaining an embedder
+    //           policy given response and environment. Otherwise, set it to "unsafe-none".
+
+    // FIXME: 5. Set result's referrer policy to the result of parsing the `Referrer-Policy` header given response.
+    //           [REFERRERPOLICY]
+    //        Doing this currently makes Fetch fail the policy != ReferrerPolicy::EmptyString verification.
+
+    // 6. Return result.
+    return result;
+}
+
 GC::Ref<PolicyContainer> create_a_policy_container_from_serialized_policy_container(JS::Realm& realm, SerializedPolicyContainer const& serialized_policy_container)
 {
    GC::Ref<PolicyContainer> result = realm.create<PolicyContainer>(realm);