LibWeb: Finish algorithm to block trusted type policy creation with CSP

This is the mechanism that should pages to determine what kind of policies can be created on their domains mostly based around the HTTP headers the server responds with.
Author: https://github.com/tete17 Commit: https://github.com/LadybirdBrowser/ladybird/commit/966e00fd69d Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5668 Reviewed-by: https://github.com/ADKaster Reviewed-by: https://github.com/Lubrsi ✅ Reviewed-by: https://github.com/tcl3
2026-05-05 06:32:30 +02:00 · 2025-07-31 10:57:02 +02:00 · 2025-08-11 11:23:27 +00:00
parent 6398e771a3
commit 966e00fd69
8 changed files with 111 additions and 4 deletions
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/KeywordTrustedTypes.cpp
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/KeywordTrustedTypes.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025, Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/KeywordTrustedTypes.h>
+
+namespace Web::ContentSecurityPolicy::Directives::KeywordTrustedTypes {
+
+#define __ENUMERATE_KEYWORD_TRUSTED_TYPE(name, value) \
+    FlyString name = value##_fly_string;
+ENUMERATE_KEYWORD_TRUSTED_TYPES
+#undef __ENUMERATE_KEYWORD_TRUSTED_TYPE
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/KeywordTrustedTypes.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/KeywordTrustedTypes.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2025, Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/FlyString.h>
+
+namespace Web::ContentSecurityPolicy::Directives::KeywordTrustedTypes {
+
+// https://www.w3.org/TR/trusted-types/#tt-keyword
+#define ENUMERATE_KEYWORD_TRUSTED_TYPES                                     \
+    __ENUMERATE_KEYWORD_TRUSTED_TYPE(AllowDuplicates, "'allow-duplicates'") \
+    __ENUMERATE_KEYWORD_TRUSTED_TYPE(None, "'none'")                        \
+    __ENUMERATE_KEYWORD_TRUSTED_TYPE(WildCard, "*")
+
+#define __ENUMERATE_KEYWORD_TRUSTED_TYPE(name, value) extern FlyString name;
+ENUMERATE_KEYWORD_TRUSTED_TYPES
+#undef __ENUMERATE_KEYWORD_TRUSTED_TYPE
+
+}
--- a/Libraries/LibWeb/ContentSecurityPolicy/Directives/Names.h
+++ b/Libraries/LibWeb/ContentSecurityPolicy/Directives/Names.h
@@ -32,6 +32,7 @@ namespace Web::ContentSecurityPolicy::Directives::Names {
    __ENUMERATE_DIRECTIVE_NAME(StyleSrc, "style-src")             \
    __ENUMERATE_DIRECTIVE_NAME(StyleSrcElem, "style-src-elem")    \
    __ENUMERATE_DIRECTIVE_NAME(StyleSrcAttr, "style-src-attr")    \
+    __ENUMERATE_DIRECTIVE_NAME(TrustedTypes, "trusted-types")     \
    __ENUMERATE_DIRECTIVE_NAME(WebRTC, "webrtc")                  \
    __ENUMERATE_DIRECTIVE_NAME(WorkerSrc, "worker-src")