ladybird/Libraries/LibWeb/Fetch/Infrastructure/NoSniffBlocking.cpp

/*
 * Copyright (c) 2022-2023, Linus Groh <linusg@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibWeb/Fetch/Infrastructure/HTTP/Headers.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
#include <LibWeb/Fetch/Infrastructure/NoSniffBlocking.h>
#include <LibWeb/Infra/Strings.h>

namespace Web::Fetch::Infrastructure {

// https://fetch.spec.whatwg.org/#determine-nosniff
bool determine_nosniff(HeaderList const& list)
{
    // 1. Let values be the result of getting, decoding, and splitting `X-Content-Type-Options` from list.
    auto values = list.get_decode_and_split("X-Content-Type-Options"sv.bytes());

    // 2. If values is null, then return false.
    if (!values.has_value())
        return false;

    // 3. If values[0] is an ASCII case-insensitive match for "nosniff", then return true.
    if (!values->is_empty() && values->at(0).equals_ignoring_ascii_case("nosniff"sv))
        return true;

    // 4. Return false.
    return false;
}

// https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?
RequestOrResponseBlocking should_response_to_request_be_blocked_due_to_nosniff(Response const& response, Request const& request)
{
    // 1. If determine nosniff with response’s header list is false, then return allowed.
    if (!determine_nosniff(response.header_list()))
        return RequestOrResponseBlocking::Allowed;

    // 2. Let mimeType be the result of extracting a MIME type from response’s header list.
    auto mime_type = response.header_list()->extract_mime_type();

    // 3. Let destination be request’s destination.
    auto const& destination = request.destination();

    // 4. If destination is script-like and mimeType is failure or is not a JavaScript MIME type, then return blocked.
    if (request.destination_is_script_like() && (!mime_type.has_value() || !mime_type->is_javascript()))
        return RequestOrResponseBlocking::Blocked;

    // 5. If destination is "style" and mimeType is failure or its essence is not "text/css", then return blocked.
    if (destination == Request::Destination::Style && (!mime_type.has_value() || mime_type->essence() != "text/css"sv))
        return RequestOrResponseBlocking::Blocked;

    // 6. Return allowed.
    return RequestOrResponseBlocking::Allowed;
}

}
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								/*
-												LibWeb/Fetch: Propagate OOM errors from HeaderList::extract_mime_type()

											
										
										
											2023-03-03 09:27:51 +00:00
+								 * Copyright (c) 2022-2023, Linus Groh <linusg@serenityos.org>
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								 *
 								 * SPDX-License-Identifier: BSD-2-Clause
 								 */
 								#include <LibWeb/Fetch/Infrastructure/HTTP/Headers.h>
 								#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
 								#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
 								#include <LibWeb/Fetch/Infrastructure/NoSniffBlocking.h>
-												LibWeb: Use is_ascii_case_insensitive_match() where the spec says to

											
										
										
											2023-02-17 15:21:32 +00:00
+								#include <LibWeb/Infra/Strings.h>
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
 								namespace Web::Fetch::Infrastructure {
 								// https://fetch.spec.whatwg.org/#determine-nosniff
-												LibWeb: Remove OOM propagation from Fetch::Infrastructure::Headers

											
										
										
											2024-04-26 13:24:20 -04:00
+								bool determine_nosniff(HeaderList const& list)
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								{
 								    // 1. Let values be the result of getting, decoding, and splitting `X-Content-Type-Options` from list.
-												LibWeb: Remove OOM propagation from Fetch::Infrastructure::Headers

											
										
										
											2024-04-26 13:24:20 -04:00
+								    auto values = list.get_decode_and_split("X-Content-Type-Options"sv.bytes());
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
 								    // 2. If values is null, then return false.
 								    if (!values.has_value())
 								        return false;
 								    // 3. If values[0] is an ASCII case-insensitive match for "nosniff", then return true.
-												LibWeb: Prefer using equals_ignoring_ascii_case

Which has an optmization if both size of the string being passed
through are FlyStrings, which actually ends up being the case
in some places during selector matching comparing attribute names.
Instead of maintaining more overloads of
Infra::is_ascii_case_insensitive_match, switch
everything over to equals_ignoring_ascii_case instead.

											
										
										
											2025-05-18 15:04:56 +12:00
+								    if (!values->is_empty() && values->at(0).equals_ignoring_ascii_case("nosniff"sv))
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								        return true;
 								    // 4. Return false.
 								    return false;
 								}
 								// https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?
-												LibWeb: Remove OOM propagation from Fetch::Infrastructure::Headers

											
										
										
											2024-04-26 13:24:20 -04:00
+								RequestOrResponseBlocking should_response_to_request_be_blocked_due_to_nosniff(Response const& response, Request const& request)
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								{
 								    // 1. If determine nosniff with response’s header list is false, then return allowed.
-												LibWeb: Remove OOM propagation from Fetch::Infrastructure::Headers

											
										
										
											2024-04-26 13:24:20 -04:00
+								    if (!determine_nosniff(response.header_list()))
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
+								        return RequestOrResponseBlocking::Allowed;
 								    // 2. Let mimeType be the result of extracting a MIME type from response’s header list.
-												LibWeb: Remove OOM propagation from Fetch::Infrastructure::Headers

											
										
										
											2024-04-26 13:24:20 -04:00
+								    auto mime_type = response.header_list()->extract_mime_type();
-												LibWeb: Implement 'Should response be blocked due to nosniff?' AO

											
										
										
											2022-10-23 21:58:18 +01:00
 								    // 3. Let destination be request’s destination.
 								    auto const& destination = request.destination();
 								    // 4. If destination is script-like and mimeType is failure or is not a JavaScript MIME type, then return blocked.
 								    if (request.destination_is_script_like() && (!mime_type.has_value() || !mime_type->is_javascript()))
 								        return RequestOrResponseBlocking::Blocked;
 								    // 5. If destination is "style" and mimeType is failure or its essence is not "text/css", then return blocked.
 								    if (destination == Request::Destination::Style && (!mime_type.has_value() || mime_type->essence() != "text/css"sv))
 								        return RequestOrResponseBlocking::Blocked;
 								    // 6. Return allowed.
 								    return RequestOrResponseBlocking::Allowed;
 								}
 								}