LibWeb/CSP: Implement the object-src directive

2025-12-06 12:20:00 +01:00 · 2024-11-29 12:10:14 +00:00 · 2024-11-29 12:10:14 +00:00 · 985a481b5a
commit 985a481b5a
parent 1b12aa4d8e
5 changed files with 95 additions and 0 deletions
--- a/Libraries/LibWeb/CMakeLists.txt
+++ b/Libraries/LibWeb/CMakeLists.txt
@ -47,6 +47,7 @@ set(SOURCES
    ContentSecurityPolicy/Directives/ManifestSourceDirective.cpp
    ContentSecurityPolicy/Directives/MediaSourceDirective.cpp
    ContentSecurityPolicy/Directives/Names.cpp
+    ContentSecurityPolicy/Directives/ObjectSourceDirective.cpp
    ContentSecurityPolicy/Directives/SerializedDirective.cpp
    ContentSecurityPolicy/Directives/SourceExpression.cpp
    ContentSecurityPolicy/Policy.cpp
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@ -14,6 +14,7 @@
 #include <LibWeb/ContentSecurityPolicy/Directives/ManifestSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/MediaSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.h>

 namespace Web::ContentSecurityPolicy::Directives {

@ -37,6 +38,9 @@ GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String>
    if (name == Names::MediaSrc)
        return heap.allocate<MediaSourceDirective>(move(name), move(value));

+    if (name == Names::ObjectSrc)
+        return heap.allocate<ObjectSourceDirective>(move(name), move(value));
+
    return heap.allocate<Directive>(move(name), move(value));
 }

--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.cpp
@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(ObjectSourceDirective);
+
+ObjectSourceDirective::ObjectSourceDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#object-src-pre-request
+Directive::Result ObjectSourceDirective::pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, object-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ObjectSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.5 Does request match source list? on request, this directive’s value,
+    //    and policy, is "Does Not Match", return "Blocked".
+    if (does_request_match_source_list(request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 4. Return "Allowed".
+    return Result::Allowed;
+}
+
+// https://w3c.github.io/webappsec-csp/#object-src-post-request
+Directive::Result ObjectSourceDirective::post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, object-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ObjectSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. If the result of executing § 6.7.2.6 Does response to request match source list? on response, request, this
+    //    directive’s value, and policy, is "Does Not Match", return "Blocked".
+    if (does_response_match_source_list(response, request, value(), policy) == MatchResult::DoesNotMatch)
+        return Result::Blocked;
+
+    // 4. Return "Allowed".
+    return Result::Allowed;
+}
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ObjectSourceDirective.h
@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-object-src
+class ObjectSourceDirective final : public Directive {
+    GC_CELL(ObjectSourceDirective, Directive)
+    GC_DECLARE_ALLOCATOR(ObjectSourceDirective);
+
+public:
+    virtual ~ObjectSourceDirective() = default;
+
+    virtual Result pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Policy const>) const override;
+    virtual Result post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Fetch::Infrastructure::Response const>, GC::Ref<Policy const>) const override;
+
+private:
+    ObjectSourceDirective(String name, Vector<String> value);
+};
+
+}
--- a/Libraries/LibWeb/Forward.h
+++ b/Libraries/LibWeb/Forward.h
@ -137,6 +137,7 @@ class FrameSourceDirective;
 class ImageSourceDirective;
 class ManifestSourceDirective;
 class MediaSourceDirective;
+class ObjectSourceDirective;
 struct SerializedDirective;

 }