eliott/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird synced 2026-04-26 01:35:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

LibWeb: Block opaque origins in CSP frame-ancestors check

Browse Source 
This matches the behavior of other engines.
This commit is contained in:
Tim Ledbetter
2026-02-15 20:09:49 +00:00
committed by Shannon Booth
parent 945d7eb452
commit 3991555439
Notes: github-actions[bot] 2026-02-21 11:31:51 +00:00 
Author: https://github.com/tcl3
Commit: https://github.com/LadybirdBrowser/ladybird/commit/3991555439d
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/7970
Reviewed-by: https://github.com/shannonbooth
3 changed files with 38 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Libraries/LibWeb/ContentSecurityPolicy/Directives/FrameAncestorsDirective.cpp
View File

@@ -57,8 +57,10 @@ Directive::Result FrameAncestorsDirective::navigation_response_check(GC::Ref<Fet
// 2. Let origin be the result of executing the URL parser on the ASCII serialization of documents origin.
auto origin = DOMURL::parse(document->origin().serialize());
// FIXME: What do we do if origin is invalid here?
VERIFY(origin.has_value());
// AD-HOC: If the origin is opaque, serialization produces "null" which fails URL parsing.
// All major engines block in this case, as an opaque origin can never match any source expression.
if (!origin.has_value())
return Result::Blocked;
// 3. If § 6.7.2.7 Does url match source list in origin with redirect count? returns Does Not Match when
// executed upon origin, this directives value, policys self-origin, and 0, return "Blocked".