Merge #34

34: Allow getting the document's sandboxing flag set r=notriddle a=notriddle Part of #7 Co-authored-by: Michael Howell <michael@notriddle.com>
rust-ammonia · Mar 18, 2022 · e6c2c6f · e6c2c6f
2 parents 16323bc + 5e69382
commit e6c2c6f
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -308,6 +308,17 @@ impl CspList {
         }
         return (Allowed, violations);
     }
+    pub fn get_sandboxing_flag_set_for_document(&self) -> Option<SandboxingFlagSet> {
+        self.0
+            .iter()
+            .flat_map(|policy| {
+                policy.directive_set
+                    .iter()
+                    .find(|directive| directive.name == "sandbox")
+                    .and_then(|directive| directive.get_sandboxing_flag_set_for_document(policy))
+            })
+            .next()
+    }
 }
 
 #[derive(Clone, Debug)]
@@ -934,6 +945,20 @@ impl Directive {
             _ => Allowed
         }
     }
+    /// https://www.w3.org/TR/CSP/#sandbox-init
+    pub fn get_sandboxing_flag_set_for_document(&self, policy: &Policy) -> Option<SandboxingFlagSet> {
+        use PolicyDisposition::*;
+        match &self.name[..] {
+            "sandbox" => {
+                if policy.disposition != Enforce {
+                    None
+                } else {
+                    Some(parse_a_sandboxing_directive(&self.value[..]))
+                }
+            },
+            _ => None,
+        }
+    }
 }
 
 /// https://www.w3.org/TR/CSP/#effective-directive-for-inline-check

diff --git a/tests/sandbox.rs b/tests/sandbox.rs
@@ -1,5 +1,6 @@
 extern crate content_security_policy;
 use content_security_policy::*;
+use content_security_policy::sandboxing_directive::SandboxingFlagSet;
 #[test]
 fn sandbox_test_block() {
     let csp_list = CspList::parse("sandbox", PolicySource::Header, PolicyDisposition::Enforce);
@@ -89,3 +90,19 @@ fn sandbox_test_allow_images() {
     );
     assert_eq!(check_result, CheckResult::Allowed);
 }
+
+#[test]
+fn sandbox_document_flags() {
+    let policy = CspList::parse("sandbox", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all()), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-popups", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-forms", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_FORMS_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox; connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all()), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-popups; connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(None, policy.get_sandboxing_flag_set_for_document());
+}