LibWeb/CSP: Implement the base-uri directive

Author: Lubrsi

Libraries/LibWeb/CMakeLists.txt

@@ -43,6 +43,7 @@ set(SOURCES
     Compression/CompressionStream.cpp
     Compression/DecompressionStream.cpp
     ContentSecurityPolicy/BlockingAlgorithms.cpp
+    ContentSecurityPolicy/Directives/BaseUriDirective.cpp
     ContentSecurityPolicy/Directives/ChildSourceDirective.cpp
     ContentSecurityPolicy/Directives/ConnectSourceDirective.cpp
     ContentSecurityPolicy/Directives/DefaultSourceDirective.cpp

Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.cpp

@@ -14,6 +14,7 @@
 #include <LibWeb/DOM/Element.h>
 #include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
 #include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
+#include <LibWeb/HTML/Window.h>
 #include <LibWeb/Infra/Strings.h>
 #include <LibWeb/WebAssembly/WebAssembly.h>
 
@@ -556,4 +557,53 @@ JS::ThrowCompletionOr<void> ensure_csp_does_not_block_wasm_byte_compilation(JS::
     return {};
 }
 
+// https://w3c.github.io/webappsec-csp/#allow-base-for-document
+Directives::Directive::Result is_base_allowed_for_document(JS::Realm& realm, URL::URL const& base, GC::Ref<DOM::Document const> document)
+{
+    // 1. For each policy of document’s global object’s csp list:
+    VERIFY(document->window());
+    auto csp_list = PolicyList::from_object(*document->window());
+    VERIFY(csp_list);
+    for (auto const policy : csp_list->policies()) {
+        // 1. Let source list be null.
+        // NOTE: Not necessary.
+
+        // 2. If a directive whose name is "base-uri" is present in policy’s directive set, set source list to that
+        //    directive’s value.
+        auto maybe_base_uri = policy->directives().find_if([](auto const& directive) {
+            return directive->name() == Directives::Names::BaseUri;
+        });
+
+        // 3. If source list is null, skip to the next policy.
+        if (maybe_base_uri.is_end())
+            continue;
+
+        auto const& source_list = (*maybe_base_uri)->value();
+
+        // 4. If the result of executing § 6.7.2.7 Does url match source list in origin with redirect count? on base,
+        //    source list, policy’s self-origin, and 0 is "Does Not Match":
+        // Spec Note: We compare against the fallback base URL in order to deal correctly with things like an iframe
+        //            srcdoc Document which has been sandboxed into an opaque origin.
+        if (Directives::does_url_match_source_list_in_origin_with_redirect_count(base, source_list, policy->self_origin(), 0) == Directives::MatchResult::DoesNotMatch) {
+            // 1. Let violation be the result of executing § 2.4.1 Create a violation object for global, policy, and
+            //    directive on document’s global object, policy, and "base-uri".
+            auto base_uri_string = Directives::Names::BaseUri.to_string();
+            auto violation = Violation::create_a_violation_object_for_global_policy_and_directive(realm, document->window(), policy, base_uri_string);
+
+            // 2. Set violation’s resource to "inline".
+            violation->set_resource(Violation::Resource::Inline);
+
+            // 3. Execute § 5.5 Report a violation on violation.
+            violation->report_a_violation(realm);
+
+            // 4. If policy’s disposition is "enforce", return "Blocked".
+            if (policy->disposition() == Policy::Disposition::Enforce)
+                return Directives::Directive::Result::Blocked;
+        }
+    }
+
+    // 2. Return "Allowed".
+    return Directives::Directive::Result::Allowed;
+}
+
 }

Libraries/LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h

@@ -7,6 +7,7 @@
 #pragma once
 
 #include <LibJS/Runtime/VM.h>
+#include <LibURL/Forward.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
 
 namespace Web::ContentSecurityPolicy {
@@ -27,4 +28,6 @@ Directives::Directive::Result should_elements_inline_type_behavior_be_blocked_by
 JS::ThrowCompletionOr<void> ensure_csp_does_not_block_string_compilation(JS::Realm& realm, ReadonlySpan<String> parameter_strings, StringView body_string, StringView code_string, JS::CompilationType compilation_type, ReadonlySpan<JS::Value> parameter_args, JS::Value body_arg);
 JS::ThrowCompletionOr<void> ensure_csp_does_not_block_wasm_byte_compilation(JS::Realm&);
 
+[[nodiscard]] Directives::Directive::Result is_base_allowed_for_document(JS::Realm&, URL::URL const& base, GC::Ref<DOM::Document const> document);
+
 }

Libraries/LibWeb/ContentSecurityPolicy/Directives/BaseUriDirective.cpp

@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/ContentSecurityPolicy/Directives/BaseUriDirective.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+GC_DEFINE_ALLOCATOR(BaseUriDirective);
+
+BaseUriDirective::BaseUriDirective(String name, Vector<String> value)
+    : Directive(move(name), move(value))
+{
+}
+
+}

Libraries/LibWeb/ContentSecurityPolicy/Directives/BaseUriDirective.h

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <LibWeb/ContentSecurityPolicy/Directives/Directive.h>
+
+namespace Web::ContentSecurityPolicy::Directives {
+
+// https://w3c.github.io/webappsec-csp/#directive-base-uri
+class BaseUriDirective final : public Directive {
+    GC_CELL(BaseUriDirective, Directive)
+    GC_DECLARE_ALLOCATOR(BaseUriDirective);
+
+public:
+    virtual ~BaseUriDirective() = default;
+
+private:
+    BaseUriDirective(String name, Vector<String> value);
+};
+
+}

Libraries/LibWeb/ContentSecurityPolicy/Directives/DirectiveFactory.cpp

@@ -5,6 +5,7 @@
  */
 
 #include <LibJS/Runtime/Realm.h>
+#include <LibWeb/ContentSecurityPolicy/Directives/BaseUriDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ChildSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/ConnectSourceDirective.h>
 #include <LibWeb/ContentSecurityPolicy/Directives/DefaultSourceDirective.h>
@@ -31,6 +32,9 @@ namespace Web::ContentSecurityPolicy::Directives {
 
 GC::Ref<Directive> create_directive(GC::Heap& heap, String name, Vector<String> value)
 {
+    if (name == Names::BaseUri)
+        return heap.allocate<BaseUriDirective>(move(name), move(value));
+
     if (name == Names::ChildSrc)
         return heap.allocate<ChildSourceDirective>(move(name), move(value));
 

Libraries/LibWeb/Forward.h

@@ -136,6 +136,7 @@ struct SerializedPolicy;
 
 namespace Web::ContentSecurityPolicy::Directives {
 
+class BaseUriDirective;
 class ChildSourceDirective;
 class ConnectSourceDirective;
 class DefaultSourceDirective;

Libraries/LibWeb/HTML/HTMLBaseElement.cpp

@@ -5,6 +5,7 @@
  */
 
 #include <LibWeb/Bindings/HTMLBaseElementPrototype.h>
+#include <LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h>
 #include <LibWeb/DOM/Document.h>
 #include <LibWeb/HTML/HTMLBaseElement.h>
 
@@ -80,11 +81,14 @@ void HTMLBaseElement::set_the_frozen_base_url()
     auto url_record = document.fallback_base_url().complete_url(href);
 
     // 3. If any of the following are true:
-    // - urlRecord is failure;
-    // - urlRecord's scheme is "data" or "javascript"; or
-    // FIXME: - running Is base allowed for Document? on urlRecord and document returns "Blocked",
-    // then set element's frozen base URL to document's fallback base URL and return.
-    if (!url_record.has_value() || url_record->scheme() == "data" || url_record->scheme() == "javascript") {
+    //    - urlRecord is failure;
+    //    - urlRecord's scheme is "data" or "javascript"; or
+    //    - running Is base allowed for Document? on urlRecord and document returns "Blocked",
+    if (!url_record.has_value()
+        || url_record->scheme() == "data"
+        || url_record->scheme() == "javascript"
+        || ContentSecurityPolicy::is_base_allowed_for_document(realm(), url_record.value(), document) == ContentSecurityPolicy::Directives::Directive::Result::Blocked) {
+        // then set element's frozen base URL to document's fallback base URL and return.
         m_frozen_base_url = document.fallback_base_url();
         return;
     }