LibWeb: Introduce Content Security Policy policies and directives

These form the basis of Content Security Policy. A policy is a collection of directives that are parsed from either the Content-Security-Policy(-Report-Only) HTTP header, or the `<meta>` element. The directives are what restrict the operations can be performed in the current global execution context. For example, "frame-ancestors: none" tells us to prevent the page from being loaded in an embedded context, such as `<iframe>`. You can see it a bit like OpenBSD's pledge() functionality, but for the web platform: https://man.openbsd.org/pledge.2
Author: https://github.com/Lubrsi Commit: e34a6c86b9 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/3662
2025-08-28 05:07:35 +00:00 · 2024-11-25 16:17:17 +00:00 · 2024-11-25 16:17:17 +00:00 · e34a6c86b9 · 2025-03-04 13:28:21 +00:00
commit e34a6c86b9
parent d17bd2c5f1
20 changed files with 846 additions and 3 deletions
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/Names.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/Names.h
@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2025, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/FlyString.h>
+
+namespace Web::ContentSecurityPolicy::Directives::Names {
+
+#define ENUMERATE_DIRECTIVE_NAMES                                 \
+    __ENUMERATE_DIRECTIVE_NAME(BaseUri, "base-uri")               \
+    __ENUMERATE_DIRECTIVE_NAME(ChildSrc, "child-src")             \
+    __ENUMERATE_DIRECTIVE_NAME(ConnectSrc, "connect-src")         \
+    __ENUMERATE_DIRECTIVE_NAME(DefaultSrc, "default-src")         \
+    __ENUMERATE_DIRECTIVE_NAME(FontSrc, "font-src")               \
+    __ENUMERATE_DIRECTIVE_NAME(FormAction, "form-action")         \
+    __ENUMERATE_DIRECTIVE_NAME(FrameAncestors, "frame-ancestors") \
+    __ENUMERATE_DIRECTIVE_NAME(FrameSrc, "frame-src")             \
+    __ENUMERATE_DIRECTIVE_NAME(ImgSrc, "img-src")                 \
+    __ENUMERATE_DIRECTIVE_NAME(ManifestSrc, "manifest-src")       \
+    __ENUMERATE_DIRECTIVE_NAME(MediaSrc, "media-src")             \
+    __ENUMERATE_DIRECTIVE_NAME(ObjectSrc, "object-src")           \
+    __ENUMERATE_DIRECTIVE_NAME(ReportTo, "report-to")             \
+    __ENUMERATE_DIRECTIVE_NAME(ReportUri, "report-uri")           \
+    __ENUMERATE_DIRECTIVE_NAME(Sandbox, "sandbox")                \
+    __ENUMERATE_DIRECTIVE_NAME(ScriptSrc, "script-src")           \
+    __ENUMERATE_DIRECTIVE_NAME(ScriptSrcElem, "script-src-elem")  \
+    __ENUMERATE_DIRECTIVE_NAME(ScriptSrcAttr, "script-src-attr")  \
+    __ENUMERATE_DIRECTIVE_NAME(StyleSrc, "style-src")             \
+    __ENUMERATE_DIRECTIVE_NAME(StyleSrcElem, "style-src-elem")    \
+    __ENUMERATE_DIRECTIVE_NAME(StyleSrcAttr, "style-src-attr")    \
+    __ENUMERATE_DIRECTIVE_NAME(WebRTC, "webrtc")                  \
+    __ENUMERATE_DIRECTIVE_NAME(WorkerSrc, "worker-src")
+
+#define __ENUMERATE_DIRECTIVE_NAME(name, value) extern FlyString name;
+ENUMERATE_DIRECTIVE_NAMES
+#undef __ENUMERATE_DIRECTIVE_NAME
+
+void initialize_strings();
+
+}