LibWeb/CSP: Implement the default-src directive

Author: https://github.com/Lubrsi Commit: c5748437db Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5503
2025-09-23 01:38:56 +00:00 · 2024-12-03 18:18:50 +00:00 · 2024-12-03 18:18:50 +00:00 · c5748437db · 2025-07-19 05:16:25 +00:00
commit c5748437db
parent 25425f63ba
5 changed files with 108 additions and 0 deletions
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@ -44,6 +44,7 @@ set(SOURCES
    Compression/DecompressionStream.cpp
    ContentSecurityPolicy/BlockingAlgorithms.cpp
    ContentSecurityPolicy/Directives/ConnectSourceDirective.cpp
+    ContentSecurityPolicy/Directives/DefaultSourceDirective.cpp
    ContentSecurityPolicy/Directives/Directive.cpp
    ContentSecurityPolicy/Directives/DirectiveFactory.cpp
    ContentSecurityPolicy/Directives/DirectiveOperations.cpp
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.cpp
@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(DefaultSourceDirective);
+
+DefaultSourceDirective::DefaultSourceDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#default-src-pre-request
+Directive::Result DefaultSourceDirective::pre_request_check(GC::Heap& heap, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, default-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::DefaultSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. Return the result of executing the pre-request check for the directive whose name is name on request and
+    //    policy, using this directive’s value for the comparison.
+    auto directive = create_directive(heap, name->to_string(), value());
+    return directive->pre_request_check(heap, request, policy);
+}
+
+// https://w3c.github.io/webappsec-csp/#default-src-post-request
+Directive::Result DefaultSourceDirective::post_request_check(GC::Heap& heap, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, default-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::DefaultSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. Return the result of executing the post-request check for the directive whose name is name on request,
+    //    response, and policy, using this directive’s value for the comparison.
+    auto directive = create_directive(heap, name->to_string(), value());
+    return directive->post_request_check(heap, request, response, policy);
+}
+
+// https://w3c.github.io/webappsec-csp/#default-src-inline
+Directive::Result DefaultSourceDirective::inline_check(GC::Heap& heap, GC::Ptr<DOM::Element const> element, InlineType type, GC::Ref<Policy const> policy, String const& source) const
+{
+    // 1. Let name be the result of executing § 6.8.2 Get the effective directive for inline checks on type.
+    auto name = get_the_effective_directive_for_inline_checks(type);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, default-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::DefaultSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. Otherwise, return the result of executing the inline check for the directive whose name is name on element,
+    //    type, policy and source, using this directive’s value for the comparison.
+    auto directive = create_directive(heap, name.to_string(), value());
+    return directive->inline_check(heap, element, type, policy, source);
+}
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h
@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-default-src
+class DefaultSourceDirective final : public Directive {
+    GC_CELL(DefaultSourceDirective, Directive)
+    GC_DECLARE_ALLOCATOR(DefaultSourceDirective);
+
+public:
+    virtual ~DefaultSourceDirective() = default;
+
+    virtual Result pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Policy const>) const override;
+    virtual Result post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Fetch::Infrastructure::Response const>, GC::Ref<Policy const>) const override;
+    virtual Result inline_check(GC::Heap&, GC::Ptr<DOM::Element const>, InlineType, GC::Ref<Policy const>, String const&) const override;
+
+private:
+    DefaultSourceDirective(String name, Vector<String> value);
+};
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@ -6,6 +6,7 @@

 #include <LibJS/Runtime/Realm.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/FontSourceDirective.h>
@ -30,6 +31,9 @@ GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String>
    if (name == Names::ConnectSrc)
        return heap.allocate<ConnectSourceDirective>(move(name), move(value));

+    if (name == Names::DefaultSrc)
+        return heap.allocate<DefaultSourceDirective>(move(name), move(value));
+
    if (name == Names::FontSrc)
        return heap.allocate<FontSourceDirective>(move(name), move(value));

--- a/Libraries/LibWeb/Forward.h
+++ b/Libraries/LibWeb/Forward.h
@ -133,6 +133,7 @@ struct SerializedPolicy;
 namespace Web::ContentSecurityPolicy::Directives {

 class ConnectSourceDirective;
+class DefaultSourceDirective;
 class Directive;
 class FontSourceDirective;
 class FrameSourceDirective;