LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-09-11 05:25:32 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibWeb: Upgrade mixed requests to potentially trustworthy URLs

Browse Source 
(if appropriate)
This commit is contained in:
Jamie Mansfield 2024-05-29 19:27:27 +01:00 committed by Andreas Kling
parent 8f0d035145
commit 2159377296
Notes: sideshowbarker 2024-07-17 02:55:44 +09:00 
Author: https://github.com/jamierocks
Commit: https://github.com/LadybirdBrowser/ladybird/commit/2159377296
Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/22
3 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Userland/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
View File

@ -237,7 +237,9 @@ WebIDL::ExceptionOr<JS::GCPtr<PendingResponse>> main_fetch(JS::Realm& realm, Inf
// FIXME: 4. Run report Content Security Policy violations for request.
// FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate.
// FIXME: 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.
// 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.
MixedContent::upgrade_a_mixed_content_request_to_a_potentially_trustworthy_url_if_appropriate(request);
// 7. If should request be blocked due to a bad port, should fetching request be blocked as mixed content, or
// should request be blocked by Content Security Policy returns blocked, then set response to a network error.

30
Userland/Libraries/LibWeb/MixedContent/AbstractOperations.cpp
View File

@ -10,6 +10,36 @@
namespace Web::MixedContent {
// https://w3c.github.io/webappsec-mixed-content/#upgrade-algorithm
void upgrade_a_mixed_content_request_to_a_potentially_trustworthy_url_if_appropriate(Fetch::Infrastructure::Request& request)
{
// 1. If one or more of the following conditions is met, return without modifying request:
if (
// 1. requests URL is a potentially trustworthy URL.
SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy
// 2. requests URLs host is an IP address.
|| request.url().host().has<URL::IPv4Address>() || request.url().host().has<URL::IPv6Address>()
// 3. §4.3 Does settings prohibit mixed security contexts? returns "Does Not Restrict Mixed Security Contents" when applied to requests client.
|| does_settings_prohibit_mixed_security_contexts(request.client()) == ProhibitsMixedSecurityContexts::DoesNotRestrictMixedSecurityContexts
// 4. requests destination is not "image", "audio", or "video".
|| (request.destination() != Fetch::Infrastructure::Request::Destination::Image
&& request.destination() != Fetch::Infrastructure::Request::Destination::Audio
&& request.destination() != Fetch::Infrastructure::Request::Destination::Video)
// 5. requests destination is "image" and requests initiator is "imageset".
|| (request.destination() == Fetch::Infrastructure::Request::Destination::Image
&& request.initiator() == Fetch::Infrastructure::Request::Initiator::ImageSet)) {
return;
}
// 2. If requests URLs scheme is http, set requests URLs scheme to https, and return.
if (request.url().scheme() == "http")
request.url().set_scheme("https"_string);
}
// https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object
ProhibitsMixedSecurityContexts does_settings_prohibit_mixed_security_contexts(JS::GCPtr<HTML::EnvironmentSettingsObject> settings)
{

2
Userland/Libraries/LibWeb/MixedContent/AbstractOperations.h
View File

@ -12,6 +12,8 @@
namespace Web::MixedContent {
void upgrade_a_mixed_content_request_to_a_potentially_trustworthy_url_if_appropriate(Fetch::Infrastructure::Request&);
enum class ProhibitsMixedSecurityContexts {
ProhibitsMixedSecurityContexts,
DoesNotRestrictMixedSecurityContexts,