LibWeb/CSP: Implement the style-src directive

Author: https://github.com/Lubrsi Commit: 8b0b3b186f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5490 Reviewed-by: https://github.com/shannonbooth ✅
2025-07-29 12:19:54 +00:00 · 2024-12-03 16:57:18 +00:00 · 2024-12-03 16:57:18 +00:00 · 8b0b3b186f · 2025-07-17 23:59:22 +00:00
commit 8b0b3b186f
parent d1abd11b78
6 changed files with 130 additions and 1 deletions
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@ -60,6 +60,7 @@ set(SOURCES
    ContentSecurityPolicy/Directives/ScriptSourceElementDirective.cpp
    ContentSecurityPolicy/Directives/SerializedDirective.cpp
    ContentSecurityPolicy/Directives/SourceExpression.cpp
+    ContentSecurityPolicy/Directives/StyleSourceDirective.cpp
    ContentSecurityPolicy/Policy.cpp
    ContentSecurityPolicy/PolicyList.cpp
    ContentSecurityPolicy/SecurityPolicyViolationEvent.cpp
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@ -18,6 +18,7 @@
 #include <LibWeb/ContentSecurityPolicy/Directives/ScriptSourceAttributeDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ScriptSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ScriptSourceElementDirective.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.h>

 namespace Web::ContentSecurityPolicy::Directives {

@ -53,6 +54,9 @@ GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String>
    if (name == Names::ScriptSrcElem)
        return heap.allocate<ScriptSourceElementDirective>(move(name), move(value));

+    if (name == Names::StyleSrc)
+        return heap.allocate<StyleSourceDirective>(move(name), move(value));
+
    return heap.allocate<Directive>(move(name), move(value));
 }

--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.cpp
@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(StyleSourceDirective);
+
+StyleSourceDirective::StyleSourceDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#style-src-pre-request
+Directive::Result StyleSourceDirective::pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, style-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::StyleSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.3 Does nonce match source list? on request’s cryptographic nonce metadata
+    //    and this directive’s value is "Matches", return "Allowed".
+    if (does_nonce_match_source_list(request->cryptographic_nonce_metadata(), value()) == MatchResult::Matches)
+        return Result::Allowed;
+
+    // 4. If the result of executing § 6.7.2.5 Does request match source list? on request, this directive’s value, and
+    //    policy, is "Does Not Match", return "Blocked".
+    if (does_request_match_source_list(request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 5. Return "Allowed".
+    return Result::Allowed;
+}
+
+// https://w3c.github.io/webappsec-csp/#style-src-post-request
+Directive::Result StyleSourceDirective::post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, style-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::StyleSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.3 Does nonce match source list? on request’s cryptographic nonce metadata
+    //    and this directive’s value is "Matches", return "Allowed".
+    if (does_nonce_match_source_list(request->cryptographic_nonce_metadata(), value()) == MatchResult::Matches)
+        return Result::Allowed;
+
+    // 4. If the result of executing § 6.7.2.6 Does response to request match source list? on response, request, this
+    //    directive’s value, and policy, is "Does Not Match", return "Blocked".
+    if (does_response_match_source_list(response, request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 5. Return "Allowed".
+    return Result::Allowed;
+}
+
+// https://w3c.github.io/webappsec-csp/#style-src-inline
+Directive::Result StyleSourceDirective::inline_check(GC::Heap&, GC::Ptr<DOM::Element const> element, InlineType type, GC::Ref<Policy const> policy, String const& source) const
+{
+    // 1. Let name be the result of executing § 6.8.2 Get the effective directive for inline checks on type.
+    auto name = get_the_effective_directive_for_inline_checks(type);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, style-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::StyleSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.3.3 Does element match source list for type and source? on element, this
+    //    directive’s value, type, and source, is "Does Not Match", return "Blocked".
+    if (does_element_match_source_list_for_type_and_source(element, value(), type, source) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 4. Return "Allowed".
+    return Result::Allowed;
+}
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceDirective.h
@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-style-src
+class StyleSourceDirective final : public Directive {
+    GC_CELL(StyleSourceDirective, Directive)
+    GC_DECLARE_ALLOCATOR(StyleSourceDirective);
+
+public:
+    virtual ~StyleSourceDirective() = default;
+
+    virtual Result pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Policy const>) const override;
+    virtual Result post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Fetch::Infrastructure::Response const>, GC::Ref<Policy const>) const override;
+    virtual Result inline_check(GC::Heap&, GC::Ptr<DOM::Element const>, InlineType, GC::Ref<Policy const>, String const&) const override;
+
+private:
+    StyleSourceDirective(String name, Vector<String> value);
+};
+
+}
--- a/Libraries/LibWeb/DOM/StyleElementUtils.cpp
+++ b/Libraries/LibWeb/DOM/StyleElementUtils.cpp
@ -6,6 +6,7 @@

 #include <LibWeb/CSS/Parser/Parser.h>
 #include <LibWeb/CSS/StyleComputer.h>
+#include <LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h>
 #include <LibWeb/DOM/Document.h>
 #include <LibWeb/DOM/ShadowRoot.h>
 #include <LibWeb/DOM/StyleElementUtils.h>
@ -50,7 +51,9 @@ void StyleElementUtils::update_a_style_block(DOM::Element& style_element)
    if (type_attribute.has_value() && !type_attribute->is_empty() && !type_attribute->bytes_as_string_view().equals_ignoring_ascii_case("text/css"sv))
        return;

-    // FIXME: 5. If the Should element's inline behavior be blocked by Content Security Policy? algorithm returns "Blocked" when executed upon the style element, "style", and the style element's child text content, then return. [CSP]
+    // 5. If the Should element's inline behavior be blocked by Content Security Policy? algorithm returns "Blocked" when executed upon the style element, "style", and the style element's child text content, then return. [CSP]
+    if (ContentSecurityPolicy::should_elements_inline_type_behavior_be_blocked_by_content_security_policy(style_element.realm(), style_element, ContentSecurityPolicy::Directives::Directive::InlineType::Style, style_element.child_text_content()) == ContentSecurityPolicy::Directives::Directive::Result::Blocked)
+        return;

    // 6. Create a CSS style sheet with the following properties:
    //        type
--- a/Libraries/LibWeb/Forward.h
+++ b/Libraries/LibWeb/Forward.h
@ -143,6 +143,7 @@ class ObjectSourceDirective;
 class ScriptSourceAttributeDirective;
 class ScriptSourceDirective;
 class ScriptSourceElementDirective;
+class StyleSourceDirective;
 struct SerializedDirective;

 }