mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-15 23:01:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
ladybird/Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp
Jamie Mansfield 8f0d035145 LibWeb: Implement should block mixed content request
2024-06-07 09:50:30 +02:00

61 lines
3.2 KiB
C++
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2024, Jamie Mansfield <jmansfield@cadixdev.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibWeb/HTML/Window.h>
#include <LibWeb/MixedContent/AbstractOperations.h>
#include <LibWeb/SecureContexts/AbstractOperations.h>
namespace Web::MixedContent {
// https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object
ProhibitsMixedSecurityContexts does_settings_prohibit_mixed_security_contexts(JS::GCPtr<HTML::EnvironmentSettingsObject> settings)
{
// 1. If settings origin is a potentially trustworthy origin, then return "Prohibits Mixed Security Contexts".
if (SecureContexts::is_origin_potentially_trustworthy(settings->origin()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy)
return ProhibitsMixedSecurityContexts::ProhibitsMixedSecurityContexts;
// 2. If settings global object is a window, then:
if (is<HTML::Window>(settings->global_object())) {
// 1. Set document to settings global object's associated Document.
auto document = verify_cast<HTML::Window>(settings->global_object()).document();
// 2. For each navigable navigable in documents ancestor navigables:
for (auto const& navigable : document->ancestor_navigables()) {
// 1. If navigables active document's origin is a potentially trustworthy origin, then return "Prohibits Mixed Security Contexts".
if (SecureContexts::is_origin_potentially_trustworthy(navigable->active_document()->origin()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy)
return ProhibitsMixedSecurityContexts::ProhibitsMixedSecurityContexts;
}
}
// 3. Return "Does Not Restrict Mixed Security Contexts".
return ProhibitsMixedSecurityContexts::DoesNotRestrictMixedSecurityContexts;
}
// https://w3c.github.io/webappsec-mixed-content/#should-block-fetch
Fetch::Infrastructure::RequestOrResponseBlocking should_fetching_request_be_blocked_as_mixed_content(Fetch::Infrastructure::Request& request)
{
// 1. Return allowed if one or more of the following conditions are met:
if (
// 1. §4.3 Does settings prohibit mixed security contexts? returns "Does Not Restrict Mixed Security Contexts" when applied to requests client.
does_settings_prohibit_mixed_security_contexts(request.client()) == ProhibitsMixedSecurityContexts::DoesNotRestrictMixedSecurityContexts
// 2. requests URL is a potentially trustworthy URL.
|| SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy
// FIXME: 3. The user agent has been instructed to allow mixed content, as described in §7.2 User Controls).
|| false
// 4. requests destination is "document", and requests target browsing context has no parent browsing context.
|| (request.destination() == Fetch::Infrastructure::Request::Destination::Document && !request.client()->target_browsing_context->parent())) {
return Fetch::Infrastructure::RequestOrResponseBlocking::Allowed;
}
// 2. Return blocked.
dbgln("MixedContent: Blocked '{}' (request)", MUST(request.url().to_string()));
return Fetch::Infrastructure::RequestOrResponseBlocking::Blocked;
}
}
Reference in a new issue View git blame Copy permalink