LibWeb: Implement Content Security Policy Level 3 #2854
+7,701
−381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shannonbooth
reviewed
Dec 9, 2024
| .fetch_client = relevant_settings_object(), | ||
| .source_policy_container = m_policy_container | ||
| }; | ||
| auto snapshot_params = realm().create<HTML::SourceSnapshotParams>(); |
There was a problem hiding this comment.
Just something I noticed - we use realm.create<T> here and heap().allocate<T> in some other places. There is no realm initialization needed for this thing, so I wonder if we should just make it a GC::Cell instead of a JS::Cell. That way I guess this would give a compile error. Though, this doesn't solve that problem the other way around for a JS::Cell not having realm.create<T> called on it🤔
Lubrsi
force-pushed
the
content-security-policy
branch
5 times, most recently
from
b5f6320 to
e8b5745
Compare
trflynn89
reviewed
Dec 10, 2024
Lubrsi
force-pushed
the
content-security-policy
branch
from
e8b5745 to
19d3b80
Compare
github-actions
bot
added
the
conflicts
Lubrsi
force-pushed
the
content-security-policy
branch
from
19d3b80 to
031928e
Compare
github-actions
bot
removed
the
conflicts
|
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest |
github-actions
bot
added
the
conflicts
Lubrsi
force-pushed
the
content-security-policy
branch
from
031928e to
cb0407d
Compare
github-actions
bot
added
conflicts
|
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest |
Lubrsi
force-pushed
the
content-security-policy
branch
from
cb0407d to
0161a98
Compare
github-actions
bot
added
conflicts
|
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest |
Lubrsi
force-pushed
the
content-security-policy
branch
from
0161a98 to
b6e07d9
Compare
github-actions
bot
added
conflicts
|
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest |
This is required to store Content Security Policies, as their Directives are implemented as subclasses with overridden virtual functions. Thus, they cannot be stored as generic Directive classes, as it'll lose the ability to call overridden functions when they are copied.
These form the basis of Content Security Policy. A policy is a collection of directives that are parsed from either the Content-Security-Policy(-Report-Only) HTTP header, or the `<meta>` element. The directives are what restrict the operations can be performed in the current global execution context. For example, "frame-ancestors: none" tells us to prevent the page from being loaded in an embedded context, such as `<iframe>`. You can see it a bit like OpenBSD's pledge() functionality, but for the web platform: https://man.openbsd.org/pledge.2
This allows us to parse the Content-Security-Policy header and Referrer-Policy header from navigation responses and actually allow them to start having an effect.
This currently doesn't do anything, as the font loading code is using ResourceLoader directly. See LadybirdBrowser#2634.
This is required for CSP to ignore the nonce attribute to prevent duplicate attributes hijacking the attribute. See https://w3c.github.io/webappsec-csp/#security-nonce-hijacking
This is an active proposal at stage 3 of the TC39 proposal process. See: https://tc39.es/proposal-dynamic-code-brand-checks/ See: https://github.com/tc39/proposal-dynamic-code-brand-checks This proposal essentially adds support for the TrustedScript type from the Trusted Types specification to eval and Function. This in turn pipes support for the type into the CSP hook to check if the CSP allows dynamic code compilation. However, it currently doesn't support ShadowRealms, so the implementation here is a close approximation, using PerformEval as the basis. See: tc39/proposal-dynamic-code-brand-checks#19 This is required to support the new function signature for the CSP hook, and will allow us to slot in Trusted Types support in the future.
This doesn't do anything by itself, the report a violation algorithm will handle this directive itself.
This doesn't do anything by itself, the report a violation algorithm will handle this directive itself.
This fixes the frame-ancestors WPT tests from crashing when an iframe is blocked from loading. This is because it would get an undefined location.href from the cross-origin iframe, which causes a crash as it expects it to be there.
Lubrsi
force-pushed
the
content-security-policy
branch
from
b6e07d9 to
9639b26
Compare
github-actions
bot
added
conflicts
|
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements the core of Content Security Policy Level 3. This does not implement directives outside of the base specification yet, such as
trusted-types,require-trusted-types-forandupgrade-insecure-requests. Additionally, thereport-todirective does not have an effect yet, as it relies on implementing the Reporting specification.There are several implementations and fixes done on the side to support this implementation, such as implementing a new GenericLexer method and a new TC39 Stage 3 proposal called "Dynamic Code Brand Checks".
There are several specification issues that I found whilst implementing this. They are marked with FIXMEs through this change set. I haven't filed them yet as there are many and could already be known about, as there are 178 open issues on their GitHub repository. However, I thought I'd get this open for review before I start filing spec issues :^).
Additionally, this does not import any WPT tests, as it relies on the WPT server to check CSP reports, and it does some cross-origin resource requesting that confuses the WPT importer, as it'll treat such requests as part of the path of the wpt.live origin, instead of being a different origin entirely. This PR is big enough as is, without going into fixing the WPT importer.