Commit graph

34 commits

Author SHA1 Message Date
Luke Wilde
8e999bca62 LibWeb/CSP: Implement the style-src-attr directive
Some checks are pending
CI / Linux, x86_64, Sanitizer, GNU (push) Waiting to run
CI / macOS, arm64, Sanitizer, Clang (push) Waiting to run
CI / Linux, x86_64, Fuzzers, Clang (push) Waiting to run
CI / Linux, x86_64, Sanitizer, Clang (push) Waiting to run
Package the js repl as a binary artifact / Linux, arm64 (push) Waiting to run
Package the js repl as a binary artifact / macOS, arm64 (push) Waiting to run
Package the js repl as a binary artifact / Linux, x86_64 (push) Waiting to run
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Lint Code / lint (push) Waiting to run
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Push notes / build (push) Waiting to run
2025-07-18 11:58:04 +12:00
Luke Wilde
574b736156 LibWeb/CSP: Implement the style-src-elem directive 2025-07-18 11:58:04 +12:00
Luke Wilde
8b0b3b186f LibWeb/CSP: Implement the style-src directive 2025-07-18 11:58:04 +12:00
Tim Ledbetter
941da11ece LibWeb: Avoid accessing opaque origin port during CSP checks 2025-07-13 14:33:33 +02:00
Luke Wilde
f50f23b19f LibWeb/CSP: Implement the script-src-attr directive 2025-07-12 13:06:33 +12:00
Luke Wilde
f382bccc3d LibWeb/CSP: Implement the script-src-elem directive 2025-07-12 13:06:33 +12:00
Luke Wilde
0cff47828d LibWeb/CSP: Implement the script-src directive 2025-07-09 15:52:54 -06:00
Luke Wilde
985a481b5a LibWeb/CSP: Implement the object-src directive
Some checks are pending
CI / macOS, arm64, Sanitizer_CI, Clang (push) Waiting to run
CI / Linux, x86_64, Fuzzers_CI, Clang (push) Waiting to run
CI / Linux, x86_64, Sanitizer_CI, GNU (push) Waiting to run
CI / Linux, x86_64, Sanitizer_CI, Clang (push) Waiting to run
Package the js repl as a binary artifact / Linux, arm64 (push) Waiting to run
Package the js repl as a binary artifact / macOS, arm64 (push) Waiting to run
Package the js repl as a binary artifact / Linux, x86_64 (push) Waiting to run
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Lint Code / lint (push) Waiting to run
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Push notes / build (push) Waiting to run
2025-07-06 13:40:04 +12:00
Luke Wilde
1b12aa4d8e LibWeb/CSP: Implement the media-src directive 2025-07-06 13:40:04 +12:00
Luke Wilde
5addbcd61b LibWeb/CSP: Implement the manifest-src directive 2025-07-06 13:40:04 +12:00
Luke Wilde
002e993f68 LibWeb/CSP: Add [[nodiscard]] to result enums
This makes it so we don't have to remember to specify [[nodiscard]] on
functions that return them.
2025-07-06 13:40:04 +12:00
Luke Wilde
715061fb79 LibWeb/CSP: Implement the img-src directive 2025-07-05 21:21:44 +12:00
Luke Wilde
1689353beb LibWeb/CSP: Implement the frame-src directive 2025-07-05 21:21:44 +12:00
Luke Wilde
e899438907 LibWeb/CSP: Implement the font-src directive 2025-07-05 21:21:44 +12:00
Luke Wilde
959bb5cc18 LibWeb/CSP: Implement the connect-src directive 2025-07-05 21:21:44 +12:00
Luke Wilde
203c2a6b30 LibWeb/CSP: Use GC::Heap instead of JS::Realm for directive checks 2025-07-05 21:21:44 +12:00
Luke Wilde
1edf7a8aa2 LibWeb/CSP: Implement URL matching algorithms
These are used by all the *-src attributes, to check if a given URL,
origin and redirect count matches a source list entry specified in
the *-src attribute's values, if it's allowed to.
2025-07-01 10:24:24 +12:00
Luke Wilde
38f80913a4 LibWeb: Implement Content Security Policy directive expression parser
This follows the implementation method that was used for the
implementation of ISO8601 parsing for Temporal in LibJS. Doing it this
way allows us to have state transactions, and thus pick out individual
parse nodes that the specification steps want to use.
2025-07-01 10:24:24 +12:00
Luke Wilde
050f984625 LibWeb/CSP: Add Keyword Sources FlyStrings 2025-07-01 10:24:24 +12:00
Shannon Booth
e0d7278820 LibURL+LibWeb: Make URL::Origin default constructor private
Instead, porting over all users to use the newly created
Origin::create_opaque factory function. This also requires porting
over some users of Origin to avoid default construction.
2025-06-17 20:54:03 +02:00
rmg-x
f5de4c3dd6 LibWeb/ContentSecurityPolicy: Remove noisy "unknown directive" log
Some checks are pending
CI / macOS, arm64, Sanitizer_CI, Clang (push) Waiting to run
CI / Linux, x86_64, Fuzzers_CI, Clang (push) Waiting to run
CI / Linux, x86_64, Sanitizer_CI, GNU (push) Waiting to run
CI / Linux, x86_64, Sanitizer_CI, Clang (push) Waiting to run
Package the js repl as a binary artifact / macOS, arm64 (push) Waiting to run
Package the js repl as a binary artifact / Linux, x86_64 (push) Waiting to run
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Lint Code / lint (push) Waiting to run
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Push notes / build (push) Waiting to run
2025-06-08 00:46:49 +02:00
Luke Wilde
e364443e60 LibWeb: Support Content-Security-Policy http-equiv state on meta element 2025-05-23 16:39:13 +02:00
Timothy Flynn
1c075d6039 LibWeb: Remove Web::Infra ASCII case conversion methods
Some checks are pending
CI / Lagom (arm64, Sanitizer_CI, false, macos-15, macOS, Clang) (push) Waiting to run
CI / Lagom (x86_64, Fuzzers_CI, false, ubuntu-24.04, Linux, Clang) (push) Waiting to run
CI / Lagom (x86_64, Sanitizer_CI, false, ubuntu-24.04, Linux, GNU) (push) Waiting to run
CI / Lagom (x86_64, Sanitizer_CI, true, ubuntu-24.04, Linux, Clang) (push) Waiting to run
Package the js repl as a binary artifact / build-and-package (arm64, macos-15, macOS, macOS-universal2) (push) Waiting to run
Package the js repl as a binary artifact / build-and-package (x86_64, ubuntu-24.04, Linux, Linux-x86_64) (push) Waiting to run
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Lint Code / lint (push) Waiting to run
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Push notes / build (push) Waiting to run
We have more optimized versions of these methods in AK.
2025-05-04 15:59:17 +02:00
Shannon Booth
8a3c66d8a6 LibWeb: Make a bunch of CSP classes not realm associated
These are not associated with a javascript realm, so to avoid
confusion about which realm these need to be created in, make
all of these objects a GC::Cell, and deal with the fallout.
2025-04-28 12:41:28 +02:00
Andreas Kling
a6dfc74e93 LibWeb: Only set prototype once for object with IDL interface
Before this change, we were going through the chain of base classes for
each IDL interface object and having them set the prototype to their
prototype.

Instead of doing that, reorder things so that we set the right prototype
immediately in Foo::initialize(), and then don't bother in all the base
class overrides.

This knocks off a ~1% profile item on Speedometer 3.
2025-04-20 18:43:11 +02:00
Timothy Flynn
ee6b2db009 AK+LibURL+LibWeb: Use simdutf to validate ASCII strings
simdutf provides a vectorized ASCII validator, so let's use that instead
of looping over strings manually.
2025-04-06 11:05:58 -04:00
Luke Wilde
278666edcd LibWeb: Enforce Content Security Policy on navigation request/response
Some checks are pending
CI / Lagom (x86_64, Fuzzers_CI, false, ubuntu-24.04, Linux, Clang) (push) Waiting to run
CI / Lagom (arm64, Sanitizer_CI, false, macos-15, macOS, Clang) (push) Waiting to run
CI / Lagom (x86_64, Sanitizer_CI, false, ubuntu-24.04, Linux, GNU) (push) Waiting to run
CI / Lagom (x86_64, Sanitizer_CI, true, ubuntu-24.04, Linux, Clang) (push) Waiting to run
Package the js repl as a binary artifact / build-and-package (macos-14, macOS, macOS-universal2) (push) Waiting to run
Package the js repl as a binary artifact / build-and-package (ubuntu-24.04, Linux, Linux-x86_64) (push) Waiting to run
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Lint Code / lint (push) Waiting to run
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Push notes / build (push) Waiting to run
2025-04-01 04:01:28 +02:00
Luke Wilde
7643a079c0 LibWeb: Enforce Content Security Policy of Fetch responses 2025-03-19 00:55:14 +01:00
Luke Wilde
51796e2d3a LibWeb: Report CSP violations for request 2025-03-19 00:55:14 +01:00
Luke Wilde
6f771f45e2 LibWeb: Enforce Content Security Policy on Fetch requests 2025-03-19 00:55:14 +01:00
Luke Wilde
86170f4bfd LibWeb/CSP: Introduce the ability to create and report a violation
A violation provides several details about an enforcement failing, such
as the URL of the document, the directive that returned "Blocked", etc.
2025-03-19 00:55:14 +01:00
Luke Wilde
02236be737 LibWeb/CSP: Implement SecurityPolicyViolationEvent
This is used to report violations of policies to the element/global
object that caused it.
2025-03-19 00:55:14 +01:00
Aliaksandr Kalenik
56971a4201 LibWeb: Delete FIXME debug log in PolicyList
It adds too much spam in test runner output.
2025-03-13 22:16:47 +01:00
Luke Wilde
e34a6c86b9 LibWeb: Introduce Content Security Policy policies and directives
These form the basis of Content Security Policy. A policy is a
collection of directives that are parsed from either the
Content-Security-Policy(-Report-Only) HTTP header, or the `<meta>`
element.

The directives are what restrict the operations can be performed in the
current global execution context. For example, "frame-ancestors: none"
tells us to prevent the page from being loaded in an embedded context,
such as `<iframe>`.

You can see it a bit like OpenBSD's pledge() functionality, but for the
web platform: https://man.openbsd.org/pledge.2
2025-03-04 14:27:19 +01:00