mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2025-10-24 08:59:50 +00:00
User prompts are not tied to specific Windows or the client's Window. They are tied to a traversable navigable (browser tab).
480 lines
22 KiB
C++
480 lines
22 KiB
C++
/*
|
||
* Copyright (c) 2025, Luke Wilde <luke@ladybird.org>
|
||
*
|
||
* SPDX-License-Identifier: BSD-2-Clause
|
||
*/
|
||
|
||
#include <AK/ByteBuffer.h>
|
||
#include <LibURL/Parser.h>
|
||
#include <LibURL/URL.h>
|
||
#include <LibWeb/Bindings/PrincipalHostDefined.h>
|
||
#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
|
||
#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
|
||
#include <LibWeb/ContentSecurityPolicy/SecurityPolicyViolationEvent.h>
|
||
#include <LibWeb/ContentSecurityPolicy/Violation.h>
|
||
#include <LibWeb/DOM/Document.h>
|
||
#include <LibWeb/DOMURL/DOMURL.h>
|
||
#include <LibWeb/Fetch/Fetching/Fetching.h>
|
||
#include <LibWeb/Fetch/Infrastructure/URL.h>
|
||
#include <LibWeb/HTML/Scripting/Environments.h>
|
||
#include <LibWeb/HTML/Scripting/TemporaryExecutionContext.h>
|
||
#include <LibWeb/HTML/Window.h>
|
||
#include <LibWeb/HTML/WorkerGlobalScope.h>
|
||
#include <LibWeb/Infra/JSON.h>
|
||
|
||
namespace Web::ContentSecurityPolicy {
|
||
|
||
GC_DEFINE_ALLOCATOR(Violation);
|
||
|
||
Violation::Violation(GC::Ptr<JS::Object> global_object, GC::Ref<Policy const> policy, String directive)
|
||
: m_global_object(global_object)
|
||
, m_policy(policy)
|
||
, m_effective_directive(directive)
|
||
{
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#create-violation-for-global
|
||
GC::Ref<Violation> Violation::create_a_violation_object_for_global_policy_and_directive(JS::Realm& realm, GC::Ptr<JS::Object> global_object, GC::Ref<Policy const> policy, String directive)
|
||
{
|
||
// 1. Let violation be a new violation whose global object is global, policy is policy, effective directive is
|
||
// directive, and resource is null.
|
||
auto violation = realm.create<Violation>(global_object, policy, directive);
|
||
|
||
// FIXME: 2. If the user agent is currently executing script, and can extract a source file’s URL, line number,
|
||
// and column number from the global, set violation’s source file, line number, and column number
|
||
// accordingly.
|
||
// SPEC ISSUE 1: Is this kind of thing specified anywhere? I didn’t see anything that looked useful in [ECMA262].
|
||
|
||
// 3. If global is a Window object, set violation’s referrer to global’s document's referrer.
|
||
if (global_object) {
|
||
if (auto* window = dynamic_cast<HTML::Window*>(global_object.ptr())) {
|
||
violation->m_referrer = URL::Parser::basic_parse(window->associated_document().referrer());
|
||
}
|
||
}
|
||
|
||
// FIXME: 4. Set violation’s status to the HTTP status code for the resource associated with violation’s global object.
|
||
// SPEC ISSUE 2: How, exactly, do we get the status code? We don’t actually store it anywhere.
|
||
|
||
// 5. Return violation.
|
||
return violation;
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#create-violation-for-request
|
||
GC::Ref<Violation> Violation::create_a_violation_object_for_request_and_policy(JS::Realm& realm, GC::Ref<Fetch::Infrastructure::Request> request, GC::Ref<Policy const> policy)
|
||
{
|
||
// 1. Let directive be the result of executing § 6.8.1 Get the effective directive for request on request.
|
||
auto directive = Directives::get_the_effective_directive_for_request(request);
|
||
|
||
// NOTE: The spec assumes that the effective directive of a Violation is a non-empty string.
|
||
// See the definition of m_effective_directive.
|
||
VERIFY(directive.has_value());
|
||
|
||
// 2. Let violation be the result of executing § 2.4.1 Create a violation object for global, policy, and directive
|
||
// on request’s client’s global object, policy, and directive.
|
||
auto violation = create_a_violation_object_for_global_policy_and_directive(realm, request->client()->global_object(), policy, directive->to_string());
|
||
|
||
// 3. Set violation’s resource to request’s url.
|
||
// Spec Note: We use request’s url, and not its current url, as the latter might contain information about redirect
|
||
// targets to which the page MUST NOT be given access.
|
||
violation->m_resource = request->url();
|
||
|
||
// 4. Return violation.
|
||
return violation;
|
||
}
|
||
|
||
void Violation::visit_edges(Cell::Visitor& visitor)
|
||
{
|
||
Base::visit_edges(visitor);
|
||
visitor.visit(m_global_object);
|
||
visitor.visit(m_policy);
|
||
visitor.visit(m_element);
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#violation-url
|
||
URL::URL Violation::url() const
|
||
{
|
||
// Each violation has a url which is its global object’s URL.
|
||
if (!m_global_object) {
|
||
// FIXME: What do we return here?
|
||
dbgln("FIXME: Figure out URL for violation with null global object.");
|
||
return URL::URL {};
|
||
}
|
||
|
||
// FIXME: File a spec issue about what to do for ShadowRealms here.
|
||
auto* universal_scope = dynamic_cast<HTML::UniversalGlobalScopeMixin*>(m_global_object.ptr());
|
||
VERIFY(universal_scope);
|
||
auto& principal_global = HTML::relevant_principal_global_object(universal_scope->this_impl());
|
||
|
||
if (auto* window = dynamic_cast<HTML::Window*>(&principal_global)) {
|
||
return window->associated_document().url();
|
||
}
|
||
|
||
if (auto* worker = dynamic_cast<HTML::WorkerGlobalScope*>(&principal_global)) {
|
||
return worker->url();
|
||
}
|
||
|
||
TODO();
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#strip-url-for-use-in-reports
|
||
[[nodiscard]] static String strip_url_for_use_in_reports(URL::URL url)
|
||
{
|
||
// 1. If url’s scheme is not an HTTP(S) scheme, then return url’s scheme.
|
||
if (!Fetch::Infrastructure::is_http_or_https_scheme(url.scheme()))
|
||
return url.scheme();
|
||
|
||
// 2. Set url’s fragment to the empty string.
|
||
// FIXME: File spec issue about potentially meaning `null` here, as using empty string leaves a stray # at the end.
|
||
url.set_fragment(OptionalNone {});
|
||
|
||
// 3. Set url’s username to the empty string.
|
||
url.set_username(String {});
|
||
|
||
// 4. Set url’s password to the empty string.
|
||
url.set_password(String {});
|
||
|
||
// 5. Return the result of executing the URL serializer on url.
|
||
return url.serialize();
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#obtain-violation-blocked-uri
|
||
String Violation::obtain_the_blocked_uri_of_resource() const
|
||
{
|
||
// 1. Assert: resource is a URL or a string.
|
||
VERIFY(m_resource.has<URL::URL>() || m_resource.has<Resource>());
|
||
|
||
// 2. If resource is a URL, return the result of executing § 5.4 Strip URL for use in reports on resource.
|
||
if (m_resource.has<URL::URL>()) {
|
||
auto const& url = m_resource.get<URL::URL>();
|
||
return strip_url_for_use_in_reports(url);
|
||
}
|
||
|
||
// 3. Return resource.
|
||
auto resource = m_resource.get<Resource>();
|
||
switch (resource) {
|
||
#define __ENUMERATE_RESOURCE_TYPE(type, value) \
|
||
case Resource::type: \
|
||
return value##_string;
|
||
ENUMERATE_RESOURCE_TYPES
|
||
#undef __ENUMERATE_RESOURCE_TYPE
|
||
default:
|
||
VERIFY_NOT_REACHED();
|
||
}
|
||
}
|
||
|
||
[[nodiscard]] static String original_disposition_to_string(Policy::Disposition disposition)
|
||
{
|
||
switch (disposition) {
|
||
#define __ENUMERATE_DISPOSITION_TYPE(type, value) \
|
||
case Policy::Disposition::type: \
|
||
return value##_string;
|
||
ENUMERATE_DISPOSITION_TYPES
|
||
#undef __ENUMERATE_DISPOSITION_TYPE
|
||
default:
|
||
VERIFY_NOT_REACHED();
|
||
}
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#deprecated-serialize-violation
|
||
ByteBuffer Violation::obtain_the_deprecated_serialization(JS::Realm& realm) const
|
||
{
|
||
// 1. Let body be a map with its keys initialized as follows:
|
||
Infra::JSONObject body;
|
||
|
||
// "document-uri"
|
||
// The result of executing § 5.4 Strip URL for use in reports on violation's url.
|
||
body.value.set("document-uri"_string, Infra::JSONValue { strip_url_for_use_in_reports(url()) });
|
||
|
||
// "referrer"
|
||
// The result of executing § 5.4 Strip URL for use in reports on violation's referrer.
|
||
// FIXME: File spec issue that referrer can be null here.
|
||
Infra::JSONValue referrer = m_referrer.has_value()
|
||
? Infra::JSONValue { strip_url_for_use_in_reports(m_referrer.value()) }
|
||
: Infra::JSONValue { Empty {} };
|
||
|
||
body.value.set("referrer"_string, referrer);
|
||
|
||
// "blocked-uri"
|
||
// The result of executing § 5.2 Obtain the blockedURI of a violation’s resource on violation’s resource.
|
||
body.value.set("blocked_uri"_string, Infra::JSONValue { obtain_the_blocked_uri_of_resource() });
|
||
|
||
// "effective-directive"
|
||
// violation's effective directive
|
||
body.value.set("effective-directive"_string, Infra::JSONValue { m_effective_directive });
|
||
|
||
// "violated-directive"
|
||
// violation's effective directive
|
||
body.value.set("violated-directive"_string, Infra::JSONValue { m_effective_directive });
|
||
|
||
// "original-policy"
|
||
// The serialization of violation's policy
|
||
body.value.set("original-policy"_string, Infra::JSONValue { m_policy->pre_parsed_policy_string({}) });
|
||
|
||
// "disposition"
|
||
// The disposition of violation's policy
|
||
body.value.set("disposition"_string, Infra::JSONValue { original_disposition_to_string(disposition()) });
|
||
|
||
// "status-code"
|
||
// violation's status
|
||
body.value.set("status-code"_string, Infra::JSONValue { m_status });
|
||
|
||
// "script-sample"
|
||
// violation's sample
|
||
// Spec Note: The name script-sample was chosen for compatibility with an earlier iteration of this feature which
|
||
// has shipped in Firefox since its initial implementation of CSP. Despite the name, this field will
|
||
// contain samples for non-script violations, like stylesheets. The data contained in a
|
||
// SecurityPolicyViolationEvent object, and in reports generated via the new report-to directive, is
|
||
// named in a more encompassing fashion: sample.
|
||
body.value.set("script-sample"_string, Infra::JSONValue { m_sample });
|
||
|
||
// 2. If violation’s source file is not null:
|
||
if (m_source_file.has_value()) {
|
||
// 1. Set body["source-file'] to the result of executing § 5.4 Strip URL for use in reports on violation’s
|
||
// source file.
|
||
body.value.set("source-file"_string, Infra::JSONValue { strip_url_for_use_in_reports(m_source_file.value()) });
|
||
|
||
// 2. Set body["line-number"] to violation’s line number.
|
||
body.value.set("line-number"_string, Infra::JSONValue { m_line_number });
|
||
|
||
// 3. Set body["column-number"] to violation’s column number.
|
||
body.value.set("column-number"_string, Infra::JSONValue { m_column_number });
|
||
}
|
||
|
||
// 3. Assert: If body["blocked-uri"] is not "inline", then body["sample"] is the empty string.
|
||
// FIXME: File spec issue that body["sample"] should be body["script-sample"]
|
||
if (m_resource.has<Resource>() && m_resource.get<Resource>() != Resource::Inline) {
|
||
VERIFY(m_sample.is_empty());
|
||
}
|
||
|
||
// 4. Return the result of serialize an infra value to JSON bytes given «[ "csp-report" → body ]».
|
||
Infra::JSONObject csp_report;
|
||
csp_report.value.set("csp-report"_string, Infra::JSONObject { move(body) });
|
||
|
||
HTML::TemporaryExecutionContext execution_context { realm };
|
||
return Infra::serialize_an_infra_value_to_json_bytes(realm, move(csp_report));
|
||
}
|
||
|
||
[[nodiscard]] static Bindings::SecurityPolicyViolationEventDisposition original_disposition_to_bindings_disposition(Policy::Disposition disposition)
|
||
{
|
||
switch (disposition) {
|
||
#define __ENUMERATE_DISPOSITION_TYPE(type, _) \
|
||
case Policy::Disposition::type: \
|
||
return Bindings::SecurityPolicyViolationEventDisposition::type;
|
||
ENUMERATE_DISPOSITION_TYPES
|
||
#undef __ENUMERATE_DISPOSITION_TYPE
|
||
default:
|
||
VERIFY_NOT_REACHED();
|
||
}
|
||
}
|
||
|
||
// https://w3c.github.io/webappsec-csp/#report-violation
|
||
void Violation::report_a_violation(JS::Realm& realm)
|
||
{
|
||
dbgln("Content Security Policy violation{}: Refusing access to resource '{}' because it does not appear in the '{}' directive.",
|
||
disposition() == Policy::Disposition::Report ? " (report only)"sv : ""sv,
|
||
obtain_the_blocked_uri_of_resource(),
|
||
m_effective_directive);
|
||
|
||
// 1. Let global be violation’s global object.
|
||
auto global = m_global_object;
|
||
|
||
// 2. Let target be violation’s element.
|
||
auto target = m_element;
|
||
|
||
// 3. Queue a task to run the following steps:
|
||
// Spec Note: We "queue a task" here to ensure that the event targeting and dispatch happens after JavaScript
|
||
// completes execution of the task responsible for a given violation (which might manipulate the DOM).
|
||
HTML::queue_a_task(HTML::Task::Source::Unspecified, nullptr, nullptr, GC::create_function(realm.heap(), [this, global, target, &realm] {
|
||
auto& vm = realm.vm();
|
||
|
||
GC::Ptr<JS::Object> target_as_object = target;
|
||
|
||
// 1. If target is not null, and global is a Window, and target’s shadow-including root is not global’s
|
||
// associated Document, set target to null.
|
||
// Spec Note: This ensures that we fire events only at elements connected to violation’s policy’s Document.
|
||
// If a violation is caused by an element which isn’t connected to that document, we’ll fire the
|
||
// event at the document rather than the element in order to ensure that the violation is visible
|
||
// to the document’s listeners.
|
||
if (target && is<HTML::Window>(global.ptr())) {
|
||
auto const& window = static_cast<HTML::Window const&>(*global.ptr());
|
||
if (&target->shadow_including_root() != &window.associated_document())
|
||
target_as_object = nullptr;
|
||
}
|
||
|
||
// 2. If target is null:
|
||
if (!target_as_object) {
|
||
// 1. Set target to violation’s global object.
|
||
target_as_object = m_global_object;
|
||
|
||
// 2. If target is a Window, set target to target’s associated Document.
|
||
if (is<HTML::Window>(target_as_object.ptr())) {
|
||
auto& window = static_cast<HTML::Window&>(*target_as_object.ptr());
|
||
target_as_object = window.associated_document();
|
||
}
|
||
}
|
||
|
||
// 3. If target implements EventTarget, fire an event named securitypolicyviolation that uses the
|
||
// SecurityPolicyViolationEvent interface at target with its attributes initialized as follows:
|
||
if (is<DOM::EventTarget>(target_as_object.ptr())) {
|
||
auto& event_target = static_cast<DOM::EventTarget&>(*target_as_object.ptr());
|
||
|
||
SecurityPolicyViolationEventInit event_init {};
|
||
|
||
// bubbles
|
||
// true
|
||
event_init.bubbles = true;
|
||
|
||
// composed
|
||
// true
|
||
// Spec Note: We set the composed attribute, which means that this event can be captured on its way
|
||
// into, and will bubble its way out of a shadow tree. target, et al will be automagically
|
||
// scoped correctly for the main tree.
|
||
event_init.composed = true;
|
||
|
||
// documentURI
|
||
// The result of executing § 5.4 Strip URL for use in reports on violation's url.
|
||
event_init.document_uri = strip_url_for_use_in_reports(url());
|
||
|
||
// referrer
|
||
// The result of executing § 5.4 Strip URL for use in reports on violation's referrer.
|
||
// FIXME: File spec issue for referrer being potentially null.
|
||
event_init.referrer = m_referrer.has_value() ? strip_url_for_use_in_reports(m_referrer.value()) : String {};
|
||
|
||
// blockedURI
|
||
// The result of executing § 5.2 Obtain the blockedURI of a violation's resource on violation’s
|
||
// resource.
|
||
event_init.blocked_uri = obtain_the_blocked_uri_of_resource();
|
||
|
||
// effectiveDirective
|
||
// violation's effective directive
|
||
event_init.effective_directive = m_effective_directive;
|
||
|
||
// violatedDirective
|
||
// violation's effective directive
|
||
// Spec Note: Both effectiveDirective and violatedDirective are the same value. This is intentional
|
||
// to maintain backwards compatibility.
|
||
event_init.violated_directive = m_effective_directive;
|
||
|
||
// originalPolicy
|
||
// The serialization of violation's policy
|
||
event_init.original_policy = m_policy->pre_parsed_policy_string({});
|
||
|
||
// disposition
|
||
// violation's disposition
|
||
event_init.disposition = original_disposition_to_bindings_disposition(disposition());
|
||
|
||
// sourceFile
|
||
// The result of executing § 5.4 Strip URL for use in reports on violation’s source file, if
|
||
// violation's source file is not null, or null otherwise.
|
||
event_init.source_file = m_source_file.has_value() ? strip_url_for_use_in_reports(m_source_file.value()) : String {};
|
||
|
||
// statusCode
|
||
// violation's status
|
||
event_init.status_code = m_status;
|
||
|
||
// lineNumber
|
||
// violation’s line number
|
||
event_init.line_number = m_line_number;
|
||
|
||
// columnNumber
|
||
// violation’s column number
|
||
event_init.column_number = m_column_number;
|
||
|
||
// sample
|
||
// violation's sample
|
||
event_init.sample = m_sample;
|
||
|
||
auto event = SecurityPolicyViolationEvent::create(realm, HTML::EventNames::securitypolicyviolation, event_init);
|
||
event->set_is_trusted(true);
|
||
event_target.dispatch_event(event);
|
||
}
|
||
|
||
// 4. If violation’s policy’s directive set contains a directive named "report-uri" directive:
|
||
if (auto report_uri_directive = m_policy->get_directive_by_name(Directives::Names::ReportUri)) {
|
||
// 1. If violation’s policy’s directive set contains a directive named "report-to", skip the remaining
|
||
// substeps.
|
||
if (!m_policy->contains_directive_with_name(Directives::Names::ReportTo)) {
|
||
// 1. For each token of directive’s value:
|
||
for (auto const& token : report_uri_directive->value()) {
|
||
// 1. Let endpoint be the result of executing the URL parser with token as the input, and
|
||
// violation’s url as the base URL.
|
||
auto endpoint = DOMURL::parse(token, url());
|
||
|
||
// 2. If endpoint is not a valid URL, skip the remaining substeps.
|
||
if (endpoint.has_value()) {
|
||
// 3. Let request be a new request, initialized as follows:
|
||
auto request = Fetch::Infrastructure::Request::create(vm);
|
||
|
||
// method
|
||
// "POST"
|
||
request->set_method(MUST(ByteBuffer::copy("POST"sv.bytes())));
|
||
|
||
// url
|
||
// violation’s url
|
||
// FIXME: File spec issue that this is incorrect, it should be `endpoint` instead.
|
||
request->set_url(endpoint.value());
|
||
|
||
// origin
|
||
// violation's global object's relevant settings object's origin
|
||
// FIXME: File spec issue that global object can be null, so we use the realm to get the ESO
|
||
// instead, and cross ShadowRealm boundaries with the principal realm.
|
||
auto& environment_settings_object = Bindings::principal_host_defined_environment_settings_object(HTML::principal_realm(realm));
|
||
request->set_origin(environment_settings_object.origin());
|
||
|
||
// traversable for user prompts
|
||
// "no-traversable"
|
||
request->set_traversable_for_user_prompts(Fetch::Infrastructure::Request::TraversableForUserPrompts::NoTraversable);
|
||
|
||
// client
|
||
// violation's global object's relevant settings object
|
||
request->set_client(&environment_settings_object);
|
||
|
||
// destination
|
||
// "report"
|
||
request->set_destination(Fetch::Infrastructure::Request::Destination::Report);
|
||
|
||
// initiator
|
||
// ""
|
||
request->set_initiator(OptionalNone {});
|
||
|
||
// credentials mode
|
||
// "same-origin"
|
||
request->set_credentials_mode(Fetch::Infrastructure::Request::CredentialsMode::SameOrigin);
|
||
|
||
// keepalive
|
||
// "true"
|
||
request->set_keepalive(true);
|
||
|
||
// header list
|
||
// A header list containing a single header whose name is "Content-Type", and value is
|
||
// "application/csp-report"
|
||
auto header_list = Fetch::Infrastructure::HeaderList::create(vm);
|
||
auto content_type_header = Fetch::Infrastructure::Header::from_string_pair("Content-Type"sv, "application/csp-report"sv);
|
||
header_list->append(move(content_type_header));
|
||
request->set_header_list(header_list);
|
||
|
||
// body
|
||
// The result of executing § 5.3 Obtain the deprecated serialization of violation on
|
||
// violation
|
||
request->set_body(obtain_the_deprecated_serialization(realm));
|
||
|
||
// redirect mode
|
||
// "error"
|
||
request->set_redirect_mode(Fetch::Infrastructure::Request::RedirectMode::Error);
|
||
|
||
// 4. Fetch request. The result will be ignored.
|
||
(void)Fetch::Fetching::fetch(realm, request, Fetch::Infrastructure::FetchAlgorithms::create(vm, {}));
|
||
}
|
||
}
|
||
}
|
||
|
||
// 5. If violation's policy's directive set contains a directive named "report-to" directive:
|
||
if (auto report_to_directive = m_policy->get_directive_by_name(Directives::Names::ReportTo)) {
|
||
(void)report_to_directive;
|
||
dbgln("FIXME: Implement report-to directive in violation reporting");
|
||
}
|
||
}
|
||
}));
|
||
}
|
||
|
||
}
|