LibWeb/CSP: Implement the child-src directive

Author: https://github.com/Lubrsi Commit: https://github.com/LadybirdBrowser/ladybird/commit/5a1de8a187e Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5503
2026-04-26 01:35:08 +02:00 · 2024-12-03 18:29:41 +00:00 · 2025-07-19 05:16:19 +00:00
parent c5748437db
commit 5a1de8a187
5 changed files with 90 additions and 0 deletions
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.cpp
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/Names.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(ChildSourceDirective);
+
+ChildSourceDirective::ChildSourceDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+// https://w3c.github.io/webappsec-csp/#child-src-pre-request
+Directive::Result ChildSourceDirective::pre_request_check(GC::Heap& heap, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, child-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ChildSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. Return the result of executing the pre-request check for the directive whose name is name on request and
+    //    policy, using this directive’s value for the comparison.
+    auto directive = create_directive(heap, name->to_string(), value());
+    return directive->pre_request_check(heap, request, policy);
+}
+
+// https://w3c.github.io/webappsec-csp/#child-src-post-request
+Directive::Result ChildSourceDirective::post_request_check(GC::Heap& heap, GC::Ref<Fetch::Infrastructure::Request const> request, GC::Ref<Fetch::Infrastructure::Response const> response, GC::Ref<Policy const> policy) const
+{
+    // 1. Let name be the result of executing § 6.8.1 Get the effective directive for request on request.
+    auto name = get_the_effective_directive_for_request(request);
+
+    // 2. If the result of executing § 6.8.4 Should fetch directive execute on name, child-src and policy is "No",
+    //    return "Allowed".
+    if (should_fetch_directive_execute(name, Names::ChildSrc, policy) == ShouldExecute::No)
+        return Result::Allowed;
+
+    // 3. Return the result of executing the post-request check for the directive whose name is name on request,
+    //    response, and policy, using this directive’s value for the comparison.
+    auto directive = create_directive(heap, name->to_string(), value());
+    return directive->post_request_check(heap, request, response, policy);
+}
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-child-src
+class ChildSourceDirective final : public Directive {
+    GC_CELL(ChildSourceDirective, Directive)
+    GC_DECLARE_ALLOCATOR(ChildSourceDirective);
+
+public:
+    virtual ~ChildSourceDirective() = default;
+
+    virtual Result pre_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Policy const>) const override;
+    virtual Result post_request_check(GC::Heap&, GC::Ref<Fetch::Infrastructure::Request const>, GC::Ref<Fetch::Infrastructure::Response const>, GC::Ref<Policy const>) const override;
+
+private:
+    ChildSourceDirective(String name, Vector<String> value);
+};
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp
@@ -5,6 +5,7 @@
 */

 #include <LibJS/Runtime/Realm.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
@@ -28,6 +29,9 @@ namespace Web::ContentSecurityPolicy::Directives {

 GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String> value)
 {
+    if (name == Names::ChildSrc)
+        return heap.allocate<ChildSourceDirective>(move(name), move(value));
+
    if (name == Names::ConnectSrc)
        return heap.allocate<ConnectSourceDirective>(move(name), move(value));