LibWeb/CSP: Implement the connect-src directive

Author: https://github.com/Lubrsi Commit: 959bb5cc18 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5276 Reviewed-by: https://github.com/shannonbooth ✅
2025-07-31 13:19:05 +00:00 · 2024-11-28 16:35:12 +00:00 · 2024-11-28 16:35:12 +00:00 · 959bb5cc18 · 2025-07-05 09:23:11 +00:00
commit 959bb5cc18
parent 203c2a6b30
7 changed files with 124 additions and 0 deletions
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@ -36,6 +36,7 @@ set(SOURCES
    Compression/CompressionStream.cpp
    Compression/DecompressionStream.cpp
    ContentSecurityPolicy/BlockingAlgorithms.cpp
+    ContentSecurityPolicy/Directives/ConnectSourceDirective.cpp
    ContentSecurityPolicy/Directives/Directive.cpp
    ContentSecurityPolicy/Directives/DirectiveFactory.cpp
    ContentSecurityPolicy/Directives/DirectiveOperations.cpp
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.cpp
@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(ConnectSourceDirective);
+
+ConnectSourceDirective::ConnectSourceDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#connect-src-pre-request
+Directive::Result ConnectSourceDirective::pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, connect-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ConnectSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.5 Does request match source list? on request, this directive’s value,
+    //    and policy, is "Does Not Match", return "Blocked".
+    if (does_request_match_source_list(request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 4. Return "Allowed".
+    return Result::Allowed;
+}
+
+// https://w3c.github.io/webappsec-csp/#connect-src-post-request
+Directive::Result ConnectSourceDirective::post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, connect-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ConnectSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.6 Does response to request match source list? on response, request, this
+    //    directive’s value, and policy, is "Does Not Match", return "Blocked".
+    if (does_response_match_source_list(response, request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 4. Return "Allowed".
+    return Result::Allowed;
+}
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h
@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-connect-src
+class ConnectSourceDirective final : public Directive {
+    GC_CELL(ConnectSourceDirective, Directive)
+    GC_DECLARE_ALLOCATOR(ConnectSourceDirective);
+
+public:
+    virtual ~ConnectSourceDirective() = default;
+
+    [[nodiscard]] virtual Result pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Policy const>) const override;
+    [[nodiscard]] virtual Result post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Fetch::Infrastructure::Response const>, GC::Ref<Policy const>) const override;
+
+private:
+    ConnectSourceDirective(String name, Vector<String> value);
+};
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@ -5,13 +5,18 @@
 */

 #include <LibJS/Runtime/Realm.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>

 namespace Web::ContentSecurityPolicy::Directives {

 GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String> value)
 {
+    if (name == Names::ConnectSrc)
+        return heap.allocate<ConnectSourceDirective>(move(name), move(value));
+
    return heap.allocate<Directive>(move(name), move(value));
 }

--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
@ -13,6 +13,7 @@
 #include <LibWeb/ContentSecurityPolicy/Directives/SourceExpression.h>
 #include <LibWeb/DOMURL/DOMURL.h>
 #include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
 #include <LibWeb/Fetch/Infrastructure/URL.h>
 #include <LibWeb/Infra/Strings.h>

@ -579,4 +580,28 @@ MatchResult does_url_match_source_list_in_origin_with_redirect_count(URL::URL co
    return MatchResult::DoesNotMatch;
 }

+// https://w3c.github.io/webappsec-csp/#match-request-to-source-list
+MatchResult does_request_match_source_list(GC::Ref<Fetch::Infrastructure::Request const> request, Vector<String> const& source_list, GC::Ref<Policy const> policy)
+{
+    // Given a request request, a source list source list, and a policy policy, this algorithm returns the result of
+    // executing § 6.7.2.7 Does url match source list in origin with redirect count? on request’s current url, source
+    // list, policy’s self-origin, and request’s redirect count.
+    // Spec Note: This is generally used in directives' pre-request check algorithms to verify that a given request is
+    //            reasonable.
+    return does_url_match_source_list_in_origin_with_redirect_count(request->current_url(), source_list, policy->self_origin(), request->redirect_count());
+}
+
+// https://w3c.github.io/webappsec-csp/#match-response-to-source-list
+MatchResult does_response_match_source_list(GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Fetch::Infrastructure::Request const> request, Vector<String> const& source_list, GC::Ref<Policy const> policy)
+{
+    // Given a request request, and a source list source list, and a policy policy, this algorithm returns the result
+    // of executing § 6.7.2.7 Does url match source list in origin with redirect count? on response’s url, source list,
+    // policy’s self-origin, and request’s redirect count.
+    // Spec Note: This is generally used in directives' post-request check algorithms to verify that a given response
+    //            is reasonable.
+    // FIXME: File spec issue that it does specify to pass in response here.
+    VERIFY(response->url().has_value());
+    return does_url_match_source_list_in_origin_with_redirect_count(response->url().value(), source_list, policy->self_origin(), request->redirect_count());
+}
+
 }
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h
@ -33,4 +33,7 @@ enum class MatchResult {
 [[nodiscard]] MatchResult does_url_match_expression_in_origin_with_redirect_count(URL::URL const& url, String const& expression, URL::Origin const& origin, u8 redirect_count);
 [[nodiscard]] MatchResult does_url_match_source_list_in_origin_with_redirect_count(URL::URL const& url, Vector<String> const& source_list, URL::Origin const& origin, u8 redirect_count);

+[[nodiscard]] MatchResult does_request_match_source_list(GC::Ref<Fetch::Infrastructure::Request const> request, Vector<String> const& source_list, GC::Ref<Policy const> policy);
+[[nodiscard]] MatchResult does_response_match_source_list(GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Fetch::Infrastructure::Request const> request, Vector<String> const& source_list, GC::Ref<Policy const> policy);
+
 }
--- a/Libraries/LibWeb/Forward.h
+++ b/Libraries/LibWeb/Forward.h
@ -130,6 +130,7 @@ struct SerializedPolicy;

 namespace Web::ContentSecurityPolicy::Directives {

+class ConnectSourceDirective;
 class Directive;
 struct SerializedDirective;