mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-07-23 09:22:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
ladybird/Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameSourceDirective.cpp
Luke Wilde 1689353beb LibWeb/CSP: Implement the frame-src directive
2025-07-05 21:21:44 +12:00

61 lines
2.7 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
#include <LibWeb/ContentSecurityPolicy/Directives/FrameSourceDirective.h>
#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
namespace Web::ContentSecurityPolicy::Directives {
GC_DEFINE_ALLOCATOR(FrameSourceDirective);
FrameSourceDirective::FrameSourceDirective(String name, Vector<String> value)
: Directive(move(name), move(value))
{
}
// https://w3c.github.io/webappsec-csp/#frame-src-pre-request
Directive::Result FrameSourceDirective::pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
{
// 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
auto name = get_the_effective_directive_for_request(request);
// 2. If the result of executing § 6.8.4 Should fetch directive execute on name, frame-src and policy is "No",
// return "Allowed".
if (should_fetch_directive_execute(name, Names::FrameSrc, policy) == ShouldExecute::No)
return Result::Allowed;
// 3. If the result of executing § 6.7.2.5 Does request match source list? on request, this directives value,
// and policy, is "Does Not Match", return "Blocked".
if (does_request_match_source_list(request, value(), policy) == MatchResult::DoesNotMatch)
return Result::Blocked;
// 4. Return "Allowed".
return Result::Allowed;
}
// https://w3c.github.io/webappsec-csp/#frame-src-post-request
Directive::Result FrameSourceDirective::post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
{
// 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
auto name = get_the_effective_directive_for_request(request);
// 2. If the result of executing § 6.8.4 Should fetch directive execute on name, frame-src and policy is "No",
// return "Allowed".
if (should_fetch_directive_execute(name, Names::FrameSrc, policy) == ShouldExecute::No)
return Result::Allowed;
// 3. If the result of executing § 6.7.2.6 Does response to request match source list? on response, request, this
// directives value, and policy, is "Does Not Match", return "Blocked".
if (does_response_match_source_list(response, request, value(), policy) == MatchResult::DoesNotMatch)
return Result::Blocked;
// 4. Return "Allowed".
return Result::Allowed;
}
}
Reference in a new issue View git blame Copy permalink