From 941da11ece90b7edc5d7887dde01671bd9052bb0 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Sun, 13 Jul 2025 05:31:12 +0100
Subject: [PATCH] LibWeb: Avoid accessing opaque origin port during CSP checks
---
 .../Directives/DirectiveOperations.cpp | 2 +-
 .../frame-src-self-unique-origin.txt | 6 +++
 .../img-src/img-src-self-unique-origin.txt | 6 +++
 .../frame-src-self-unique-origin.html | 49 +++++++++++++++++++
 .../img-src/img-src-self-unique-origin.html | 49 +++++++++++++++++++
 5 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.txt
 create mode 100644 Tests/LibWeb/Text/expected/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.txt
 create mode 100644 Tests/LibWeb/Text/input/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.html
 create mode 100644 Tests/LibWeb/Text/input/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.html
diff --git a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
index 2e3ca49a166..56ffd16e321 100644
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
@@ -541,7 +541,7 @@ MatchResult does_url_match_expression_in_origin_with_redirect_count(URL::URL con
 origin_port = origin.port();
 }
- if (origin_host == url.host() && (origin.port() == url.port() || (origin_port == origin_default_port && url.port() == url_default_port))) {
+ if (origin_host == url.host() && (origin_port == url.port() || (origin_port == origin_default_port && url.port() == url_default_port))) {
 // 1. url’s scheme is "https" or "wss"
 if (url.scheme() == "https"sv || url.scheme() == "wss"sv)
 return MatchResult::Matches;
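Review bot: The comparison on the changed line now relies on `origin_host` and `origin_port` holding values that cannot equal a real URL's host and port when `origin` is opaque, and the guard that assigns them (the block closing with `}` just above the `-`/`+` lines) begins outside the hunk. `url.host()` and `url.port()` are both empty for host-less URLs such as `data:`, so if the guarded locals are left as empty optionals, an opaque-origin document with `img-src 'self'` loading a `data:` image would pass the host/port check and fall through to the scheme conditions — the outcome is presumably still "Does Not Match" only because no scheme condition holds for `data:`. An explicit `if (origin.is_opaque()) return MatchResult::DoesNotMatch;` ahead of the comparison (assuming `URL::Origin` exposes such a query) would state the invariant the new WPT tests assert — an opaque origin's `'self'` matches nothing — and would also keep any later read of `origin` (the `origin.scheme()` comparison the spec's next condition calls for) away from an opaque origin. The enclosing function `does_url_match_expression_in_origin_with_redirect_count` starts and ends outside the hunk.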
diff --git a/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.txt b/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.txt
new file mode 100644
index 00000000000..58bedbbb114
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.txt
@@ -0,0 +1,6 @@
+Harness status: OK
+
+Found 1 tests
+
+1 Pass
+Pass Iframe's url must not match with 'self'. It must be blocked.
\ No newline at end of file
diff --git a/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.txt b/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.txt
new file mode 100644
index 00000000000..f13cd89cc17
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.txt
@@ -0,0 +1,6 @@
+Harness status: OK
+
+Found 1 tests
+
+1 Pass
+Pass Image's url must not match with 'self'. Image must be blocked.
\ No newline at end of file
diff --git a/Tests/LibWeb/Text/input/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.html b/Tests/LibWeb/Text/input/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.html
new file mode 100644
index 00000000000..48d67019c99
--- /dev/null
+++ b/Tests/LibWeb/Text/input/wpt-import/content-security-policy/frame-src/frame-src-self-unique-origin.html
@@ -0,0 +1,49 @@
+ + + + + frame-src-self-unique-origin + + + + + +

+ The origin of an URL is called "unique" when it is considered to be + different from every origin, including itself. The origin of a + data-url is unique. When the current origin is unique, the CSP source + 'self' must not match any URL. +

+ + + + diff --git a/Tests/LibWeb/Text/input/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.html b/Tests/LibWeb/Text/input/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.html new file mode 100644 index 00000000000..bfb9cd07b72 --- /dev/null +++ b/Tests/LibWeb/Text/input/wpt-import/content-security-policy/img-src/img-src-self-unique-origin.html @@ -0,0 +1,49 @@ + + + + + img-src-self-unique-origin + + + + + +

+ The origin of an URL is called "unique" when it is considered to be + different from every origin, including itself. The origin of a + data-url is unique. When the current origin is unique, the CSP source + 'self' must not match any URL. +

+ + + +