LibWeb: Introduce Content Security Policy policies and directives

These form the basis of Content Security Policy. A policy is a
collection of directives that are parsed from either the
Content-Security-Policy(-Report-Only) HTTP header, or the `<meta>`
element.

The directives are what restrict the operations that can be performed in the
current global execution context. For example, "frame-ancestors: none"
tells us to prevent the page from being loaded in an embedded context,
such as `<iframe>`.

You can see it a bit like OpenBSD's pledge() functionality, but for the
web platform: https://man.openbsd.org/pledge.2
Luke Wilde 2024-11-25 16:17:17 +00:00 committed by Andreas Kling
commit e34a6c86b9
Notes: github-actions[bot] 2025-03-04 13:28:21 +00:00
20 changed files with 846 additions and 3 deletions

@ -26,7 +26,8 @@ public:
virtual ~PolicyContainer() = default;
// https://html.spec.whatwg.org/multipage/origin.html#policy-container-csp-list
// FIXME: A CSP list, which is a CSP list. It is initially empty.
// A CSP list, which is a CSP list. It is initially empty.
GC::Ref<ContentSecurityPolicy::PolicyList> csp_list;
// https://html.spec.whatwg.org/multipage/origin.html#policy-container-embedder-policy
// An embedder policy, which is an embedder policy. It is initially a new embedder policy.
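Review bot: csp_list is declared as a GC::Ref with no in-class initializer, so the "initially empty" guarantee in the comment rests entirely on the PolicyContainer(JS::Realm&) constructor, which is not visible in this hunk. Please confirm the constructor allocates an empty PolicyList, and that clone() and serialize() carry the list across; a clone that silently starts from an empty list would leave the new container with no policies to enforce. It would also help to make the comment say who is expected to populate the list (header parsing, `<meta>` processing), since the member is public and mutable.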
@ -39,6 +40,9 @@ public:
[[nodiscard]] GC::Ref<PolicyContainer> clone(JS::Realm&) const;
[[nodiscard]] SerializedPolicyContainer serialize() const;
protected:
virtual void visit_edges(Cell::Visitor&) override;
private:
PolicyContainer(JS::Realm&);
};
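Review bot: the visit_edges override declared in the new protected section has to visit csp_list (after calling the base class's visit_edges), otherwise the PolicyList can be collected while the container still holds a GC::Ref to it. The definition is not part of this hunk, so please confirm it does both. If the other GC-managed members of this class are added later, a short comment next to the declaration noting that every new GC::Ref or GC::Ptr member must be visited there would help keep that in sync.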