LibWeb/CSP: Introduce the ability to create and report a violation

A violation provides several details about an enforcement failing, such
as the URL of the document, the directive that returned "Blocked", etc.
Luke Wilde 2024-11-25 17:22:08 +00:00 committed by Alexander Kalenik
commit 86170f4bfd
Notes: github-actions[bot] 2025-03-18 23:56:26 +00:00
12 changed files with 982 additions and 0 deletions

@ -46,8 +46,10 @@ public:
[[nodiscard]] Disposition disposition() const { return m_disposition; }
[[nodiscard]] Source source() const { return m_source; }
[[nodiscard]] URL::Origin const& self_origin() const { return m_self_origin; }
[[nodiscard]] String const& pre_parsed_policy_string(Badge<Violation>) const { return m_pre_parsed_policy_string; }
[[nodiscard]] bool contains_directive_with_name(StringView name) const;
[[nodiscard]] GC::Ptr<Directives::Directive> get_directive_by_name(StringView) const;
[[nodiscard]] GC::Ref<Policy> clone(JS::Realm&) const;
[[nodiscard]] SerializedPolicy serialize() const;
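Review bot: pre_parsed_policy_string(Badge<Violation>) has no comment at the declaration explaining why it is badge-restricted; the rationale sits only next to m_pre_parsed_policy_string in the private section. A one-line note here (raw, unparsed policy text, intended only for violation reporting) would discourage later widening of the badge. Separately, get_directive_by_name(StringView) leaves its parameter unnamed while contains_directive_with_name(StringView name) names it, and since it returns a GC::Ptr rather than a GC::Ref it would help to state what callers get when no directive matches.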
@ -77,6 +79,12 @@ private:
// their policy but have an opaque origin. Most of the time this will simply be the environment settings
// objects origin.
URL::Origin m_self_origin;
// This is used for reporting which policy was violated. It's not exactly specified, only linking to an ABNF grammar
// definition. WebKit and Blink return the original string that was parsed, whereas Firefox seems to try and return
// a nice serialization of what it parsed. For simplicity and wider compatibility, we follow what WebKit and Blink
// do.
String m_pre_parsed_policy_string;
};
}
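Review bot: m_pre_parsed_policy_string is a new member on a class that also exposes clone() and serialize(), and nothing in this file's hunks shows either of them carrying the string across. Please confirm that both copy it (and that SerializedPolicy has a matching field), otherwise a cloned or deserialized Policy would report the wrong policy string in a violation. The comment also says the behaviour is "not exactly specified, only linking to an ABNF grammar definition"; naming the spec section or grammar rule it refers to would let the next reader check the WebKit/Blink versus Firefox difference without searching for it.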