LibWeb/CSP: Implement source expression parsing, URL matching and support for setting CSP by the meta element and prepare stylesheets to work with style-src #4367
Conversation
Resolved review thread (outdated): Libraries/LibWeb/ContentSecurityPolicy/Directives/KeywordSources.h
Resolved review thread (outdated): Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveOperations.cpp
your comments seem to have promised 2 spec issues, o.w. looks good
policy->remove_directive({}, ContentSecurityPolicy::Directives::Names::FrameAncestors);
policy->remove_directive({}, ContentSecurityPolicy::Directives::Names::Sandbox);

// FIXME: File spec issue stating the policy's self origin isn't set here.
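Review bot: the FIXME on the last line should cite the spec issue it refers to once it is filed (the thread below gives it as whatwg/html#11389), so that the missing self-origin initialisation for meta-delivered policies stays traceable from the code; a bare "file spec issue" comment tends to outlive the issue being filed. Suggested wording: `// FIXME: Spec issue (whatwg/html#11389): the policy's self origin isn't set here.`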
👀 Spec issue?
Opened an issue here: whatwg/html#11389
// 6. If expression contains a non-empty path-part, and redirect count is 0, then:
if (host_source_parse_result->path_part.has_value() && !host_source_parse_result->path_part->is_empty() && redirect_count == 0) {
    // 1. Let path be the resulting of joining url’s path on the U+002F SOLIDUS character (/).
    // FIXME: File spec issue that if path_part is only '/', then plainly joining will always fail to match.
    // It should likely use the URL path serializer instead.
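Review bot: the FIXME understates the problem: a URL's path is a list of segments, so joining it on "/" yields "js/app.js" without a leading solidus, while every non-empty path-part in a source expression starts with "/". That means the comparison in this step cannot match for any path-part, not only for a bare "/". The suggestion in the comment (serialize the path with the URL path serializer, which produces "/js/app.js") is the right fix; once the spec issue is filed (the thread below gives w3c/webappsec-csp#772), reference it here and say the mismatch applies to all path-parts.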
👀 Spec issue?
Opened an issue here: w3c/webappsec-csp#772
Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions!
This pull request has been closed because it has not had recent activity. Feel free to open a new pull request if you wish to still contribute these changes. Thank you for your contributions!
This seems mostly good to go, just missing filing (and referencing) two spec issues?
Done :^)
This will be used by Content Security Policy to consume the next character, if it matches a whole range of characters, such as is_ascii_alpha.
This follows the implementation method that was used for the implementation of ISO8601 parsing for Temporal in LibJS. Doing it this way allows us to have state transactions, and thus pick out individual parse nodes that the specification steps want to use.
These are used by all the *-src attributes, to check if a given URL, origin and redirect count matches a source list entry specified in the *-src attribute's values, if it's allowed to.
Part 7 of splitting up #2854
Final bit of prep work before implementing the directives. See individual commits.
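The URL-to-source-expression matching that the third commit message above describes, as an added, self-contained C++ example that is not Ladybird's code: a minimal host-source parser plus a matcher covering the scheme-part (including the http-to-https upgrade CSP3 allows), wildcard hosts, the port-part and the path-part rule, with the URL path already serialized with its leading solidus, which is the form the review thread recommends comparing against. `Url`, `HostSource`, `parse_host_source`, `host_source_matches` and `url_allowed_by` are names chosen for this example; the policy's self origin, percent-decoding of paths and the keyword sources ('self', 'none', nonces, hashes) are deliberately left out.

```cpp
#include <algorithm>
#include <cassert>
#include <cctype>
#include <iostream>
#include <optional>
#include <string>

// A pre-parsed URL (hypothetical type for this example; a real engine would use its URL class).
struct Url {
    std::string scheme;       // "https"
    std::string host;         // "cdn.example.com"
    std::optional<int> port;  // nullopt when the URL has no explicit port
    std::string path;         // serialized path with leading solidus, e.g. "/js/app.js"
};

// The parts of a CSP3 host-source: [scheme "://"] host [":" port] [path]
struct HostSource {
    std::optional<std::string> scheme;
    std::string host;                 // "*", "*.example.com" or "example.com"
    std::optional<std::string> port;  // digits, "*" or nullopt
    std::string path;                 // "" when absent
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return std::tolower(c); });
    return s;
}

static std::optional<int> default_port(const std::string& scheme) {
    if (scheme == "http" || scheme == "ws") return 80;
    if (scheme == "https" || scheme == "wss") return 443;
    return std::nullopt;
}

// Split "[scheme://]host[:port][/path]" into parts; nullopt on malformed input.
std::optional<HostSource> parse_host_source(const std::string& input) {
    HostSource out;
    std::string rest = input;
    if (auto p = rest.find("://"); p != std::string::npos) {
        out.scheme = lower(rest.substr(0, p));
        rest = rest.substr(p + 3);
    }
    auto slash = rest.find('/');
    std::string authority = rest.substr(0, slash);
    if (slash != std::string::npos) out.path = rest.substr(slash);
    if (auto colon = authority.find(':'); colon != std::string::npos) {
        out.port = authority.substr(colon + 1);
        authority = authority.substr(0, colon);
        bool digits = std::all_of(out.port->begin(), out.port->end(),
                                  [](unsigned char c) { return std::isdigit(c); });
        if (out.port->empty() || (*out.port != "*" && !digits)) return std::nullopt;
    }
    if (authority.empty()) return std::nullopt;
    out.host = lower(authority);
    return out;
}

static bool scheme_matches(const std::string& expr, const std::string& url) {
    // CSP3 lets an http/ws expression also match its secure counterpart.
    return expr == url || (expr == "http" && url == "https") || (expr == "ws" && url == "wss");
}

static bool host_matches(const std::string& expr, const std::string& url) {
    if (expr == "*") return true;
    if (expr.rfind("*.", 0) == 0) {  // "*.example.com" matches subdomains only, not the bare domain
        std::string suffix = expr.substr(1);
        return url.size() > suffix.size() && url.compare(url.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return expr == url;
}

static bool port_matches(const HostSource& expr, const Url& url) {
    auto url_port = url.port ? url.port : default_port(url.scheme);
    if (!expr.port) return url_port == default_port(url.scheme);  // no port-part: only the default port
    if (*expr.port == "*") return true;
    return url_port && *url_port == std::stoi(*expr.port);
}

bool host_source_matches(const HostSource& expr, const Url& url, int redirect_count) {
    if (expr.scheme && !scheme_matches(*expr.scheme, lower(url.scheme))) return false;
    if (!host_matches(expr.host, lower(url.host))) return false;
    if (!port_matches(expr, url)) return false;
    // The path-part only constrains the initial request, never a redirect target.
    if (!expr.path.empty() && redirect_count == 0) {
        if (expr.path.back() == '/') return url.path.rfind(expr.path, 0) == 0;  // prefix match
        return url.path == expr.path;                                           // exact match
    }
    return true;
}

bool url_allowed_by(const std::string& source_expression, const Url& url, int redirect_count = 0) {
    auto expr = parse_host_source(source_expression);
    return expr && host_source_matches(*expr, url, redirect_count);
}

int main() {
    Url script{"https", "cdn.example.com", std::nullopt, "/js/app.js"};
    std::cout << url_allowed_by("https://*.example.com/js/", script) << '\n';  // 1
    std::cout << url_allowed_by("https://example.com/", script) << '\n';       // 0 (host differs)
    return 0;
}
```

Note how a bare "/" path-part behaves once the URL path is serialized with its leading solidus: it is a prefix of every path, so `https://example.com/` allows any resource on that host, which is the behaviour the FIXME in the review thread is about.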