From 8e999bca623c34fb74f2c6ff0cc38efb1d7aa337 Mon Sep 17 00:00:00 2001
From: Luke Wilde
Date: Tue, 3 Dec 2024 17:27:12 +0000
Subject: [PATCH] LibWeb/CSP: Implement the style-src-attr directive
---
 Libraries/LibWeb/CMakeLists.txt | 1 +
 .../Directives/DirectiveFactory.cpp | 4 ++
 .../StyleSourceAttributeDirective.cpp | 41 +++++++++++++++++++
 .../StyleSourceAttributeDirective.h | 27 ++++++++++++
 Libraries/LibWeb/Forward.h | 1 +
 5 files changed, 74 insertions(+)
 create mode 100644 Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.cpp
 create mode 100644 Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.h
diff --git a/Libraries/LibWeb/CMakeLists.txt b/Libraries/LibWeb/CMakeLists.txt
index d62e4dbaf11..26d4d4f9221 100644
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@@ -60,6 +60,7 @@ set(SOURCES
 ContentSecurityPolicy/Directives/ScriptSourceElementDirective.cpp
 ContentSecurityPolicy/Directives/SerializedDirective.cpp
 ContentSecurityPolicy/Directives/SourceExpression.cpp
+ ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.cpp
 ContentSecurityPolicy/Directives/StyleSourceDirective.cpp
 ContentSecurityPolicy/Directives/StyleSourceElementDirective.cpp
 ContentSecurityPolicy/Policy.cpp
diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
index d41d56e4fa9..35616319dfb 100644
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -55,6 +56,9 @@ GC::Ref create_directive(GC::Heap& heap, String name, Vector if (name == Names::ScriptSrcElem) return heap.allocate(move(name), move(value)); + if (name == Names::StyleSrcAttr) + return heap.allocate(move(name), move(value)); + if (name == Names::StyleSrc) return heap.allocate(move(name), move(value)); diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.cpp b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.cpp new file mode 100644 index 00000000000..1c27fd469c8 --- /dev/null +++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.cpp 
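Review bot: The new `name == Names::StyleSrcAttr` branch is an exact string comparison, so it only selects `StyleSourceAttributeDirective` if the caller has already ASCII-lowercased the directive name, which this hunk does not show. The CSP policy-parsing algorithm does lowercase directive names, so this is probably satisfied upstream, but if it were not, a header spelling the directive as `Style-Src-Attr` would miss this branch and the inline check added by this commit would not run for it. A comment above the chain such as `// name is expected to be ASCII-lowercased by the policy parser` would record the assumption for this branch and its neighbours. `create_directive` starts and ends outside the hunk, so what happens to an unmatched name is not visible here.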
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2024, Luke Wilde
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include
+#include
+#include
+#include
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(StyleSourceAttributeDirective);
+
+StyleSourceAttributeDirective::StyleSourceAttributeDirective(String name, Vector value)
+ : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#style-src-attr-inline
+Directive::Result StyleSourceAttributeDirective::inline_check(GC::Heap&, GC::Ptr element, InlineType type, GC::Ref policy, String const& source) const
+{
+ // 1. Let name be the result of executing § 6.8.2 Get the effective directive for inline checks on type.
+ auto name = get_the_effective_directive_for_inline_checks(type);
+
+ // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, style-src-attr and policy is "No",
+ // return "Allowed".
+ if (should_fetch_directive_execute(name, Names::StyleSrcAttr, policy) == ShouldExecute::No)
+ return Result::Allowed;
+
+ // 3. If the result of executing § 6.7.3.3 Does element match source list for type and source? on element, this
+ // directive’s value, type, and source, is "Does Not Match", return "Blocked".
+ if (does_element_match_source_list_for_type_and_source(element, value(), type, source) == MatchResult::DoesNotMatch)
+ return Result::Blocked;
+
+ // 4. Return "Allowed".
+ return Result::Allowed;
+}
+
+}
diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.h b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.h
new file mode 100644
index 00000000000..dbd92ebf396
--- /dev/null
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/StyleSourceAttributeDirective.h
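Review bot: Nothing in this commit exercises `StyleSourceAttributeDirective::inline_check`: the diffstat lists five files and none of them is a test, so neither the `Result::Blocked` path in step 3 nor the early `Result::Allowed` in step 2 is verified. The body follows the four quoted spec steps, but every decision is delegated to helpers defined outside this hunk (`get_the_effective_directive_for_inline_checks`, `should_fetch_directive_execute`, `does_element_match_source_list_for_type_and_source`), so a mistake in any of them could leave this directive allowing everything. A test that applies a policy of `style-src-attr 'none'` would pin both paths. It should assert that an inline `style` attribute is blocked and that a `<style>` element is not blocked by this directive (assuming the helper maps that type to a different effective directive, as the spec describes).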
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2024, Luke Wilde
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-style-src-attr
+class StyleSourceAttributeDirective final : public Directive {
+ GC_CELL(StyleSourceAttributeDirective, Directive)
+ GC_DECLARE_ALLOCATOR(StyleSourceAttributeDirective);
+
+public:
+ virtual ~StyleSourceAttributeDirective() = default;
+
+ virtual Result inline_check(GC::Heap&, GC::Ptr, InlineType, GC::Ref, String const&) const override;
+
+private:
+ StyleSourceAttributeDirective(String name, Vector value);
+};
+
+}
diff --git a/Libraries/LibWeb/Forward.h b/Libraries/LibWeb/Forward.h
index b54621aeb7e..ca33f5d6b5e 100644
--- a/Libraries/LibWeb/Forward.h
+++ b/Libraries/LibWeb/Forward.h
@@ -143,6 +143,7 @@ class ObjectSourceDirective;
 class ScriptSourceAttributeDirective;
 class ScriptSourceDirective;
 class ScriptSourceElementDirective;
+class StyleSourceAttributeDirective;
 class StyleSourceDirective;
 class StyleSourceElementDirective;
 struct SerializedDirective;