Stowage/ladybird
2
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-10-31 13:20:59 +00:00
Code Issues Projects Releases Packages Wiki Activity
ladybird/Libraries/LibWeb/ContentSecurityPolicy/Directives/SandboxDirective.cpp
Luke Wilde 1d57df6e26 LibWeb/CSP: Implement the sandbox directive
2025-08-07 19:24:39 +02:00

45 lines
2.1 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibWeb/ContentSecurityPolicy/Directives/SandboxDirective.h>
#include <LibWeb/ContentSecurityPolicy/Policy.h>
#include <LibWeb/HTML/SandboxingFlagSet.h>
namespace Web::ContentSecurityPolicy::Directives {
GC_DEFINE_ALLOCATOR(SandboxDirective);
SandboxDirective::SandboxDirective(String name, Vector<String> value)
: Directive(move(name), move(value))
{
}
// https://w3c.github.io/webappsec-csp/#sandbox-init
Directive::Result SandboxDirective::initialization(Variant<GC::Ref<DOM::Document const>, GC::Ref<HTML::WorkerGlobalScope const>> context, GC::Ref<Policy const> policy) const
{
// 1. If policys disposition is not "enforce", or context is not a WorkerGlobalScope, then abort this algorithm.
// FIXME: File spec issue that this step doesn't specify the return value. It must be allowed, because Document
// asserts that the result of this algorithm is Allowed.
if (policy->disposition() != Policy::Disposition::Enforce || !context.has<GC::Ref<HTML::WorkerGlobalScope const>>())
return Result::Allowed;
// 2. Let sandboxing flag set be a new sandboxing flag set.
// 3. Parse a sandboxing directive using this directives value as the input, and sandboxing flag set as the output.
// FIXME: File spec issue that "parse a sandboxing directive" does not accept a set of tokens.
auto sandboxing_flag_set = HTML::parse_a_sandboxing_directive(value());
// 4. If sandboxing flag set contains either the sandboxed scripts browsing context flag or the sandboxed origin
// browsing context flag flags, return "Blocked".
// Spec Note: This will need to change if we allow Workers to be sandboxed into unique origins, which seems like a
// pretty reasonable thing to do.
if (has_flag(sandboxing_flag_set, HTML::SandboxingFlagSet::SandboxedScripts) || has_flag(sandboxing_flag_set, HTML::SandboxingFlagSet::SandboxedOrigin))
return Result::Blocked;
// 5. Return "Allowed".
return Result::Allowed;
}
}
Reference in a new issue View git blame Copy permalink