Skip to content

Commit

Permalink
Merge pull request #38 from bc-universe/master
Browse files Browse the repository at this point in the history 
Add updated logic for policy violation
  • Loading branch information
@notriddle
notriddle authored Feb 12, 2024
2 parents 1af73bc + 58b8ad1 commit 8fe2c27
Showing 1 changed file with 85 additions and 0 deletions.
85 changes: 85 additions & 0 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,10 @@ impl Policy {
}
/// https://www.w3.org/TR/CSP/#does-request-violate-policy
pub fn does_request_violate_policy(&self, request: &Request) -> Violates {
if request.initiator == Initiator::Prefetch {
return self.does_resource_hint_violate_policy(request);
}

let mut violates = Violates::DoesNotViolate;
for directive in &self.directive_set {
let result = directive.pre_request_check(request, self);
Expand All @@ -139,6 +143,25 @@ impl Policy {
}
violates
}

/// https://www.w3.org/TR/CSP/#does-resource-hint-violate-policy
pub fn does_resource_hint_violate_policy(&self, request: &Request) -> Violates {
let default_directive = &self.directive_set.iter()
.find(|x| x.name == "default-src");

if default_directive.is_none() {
return Violates::DoesNotViolate;
}

for directive in &self.directive_set {
let result = directive.pre_request_check(request, self);
if result == CheckResult::Allowed {
return Violates::DoesNotViolate;
}
}

return Violates::Directive(default_directive.unwrap().clone());
}
}

#[derive(Clone, Debug)]
Expand Down Expand Up @@ -1598,4 +1621,66 @@ mod test {
};
assert!(!p.is_valid());
}

#[test]
pub fn prefetch_request_does_not_violate_policy() {
let request = Request {
url: Url::parse("https://www.notriddle.com/script.js").unwrap(),
origin: Origin::Tuple("https".to_string(), url::Host::Domain("notriddle.com".to_owned()), 443),
redirect_count: 0,
destination: Destination::Script,
initiator: Initiator::Prefetch,
nonce: String::new(),
integrity_metadata: String::new(),
parser_metadata: ParserMetadata::None,
};

let p = Policy::parse("child-src 'self'", PolicySource::Header, PolicyDisposition::Enforce);

let violation_result = p.does_request_violate_policy(&request);

assert!(violation_result == Violates::DoesNotViolate);
}

#[test]
pub fn prefetch_request_violates_policy() {
let request = Request {
url: Url::parse("https://www.notriddle.com/script.js").unwrap(),
origin: Origin::Tuple("https".to_string(), url::Host::Domain("notriddle.com".to_owned()), 443),
redirect_count: 0,
destination: Destination::Script,
initiator: Initiator::Prefetch,
nonce: String::new(),
integrity_metadata: String::new(),
parser_metadata: ParserMetadata::None,
};

let p = Policy::parse("default-src 'none' ", PolicySource::Header, PolicyDisposition::Enforce);

let violation_result = p.does_request_violate_policy(&request);

let expected_result = Violates::Directive(Directive { name: String::from("default-src"), value: vec![String::from("'none'")] });

assert!(violation_result == expected_result);
}

#[test]
pub fn prefetch_request_is_allowed_by_directive() {
let request = Request {
url: Url::parse("https://www.notriddle.com/script.js").unwrap(),
origin: Origin::Tuple("https".to_string(), url::Host::Domain("notriddle.com".to_owned()), 443),
redirect_count: 0,
destination: Destination::Script,
initiator: Initiator::Prefetch,
nonce: String::new(),
integrity_metadata: String::new(),
parser_metadata: ParserMetadata::None,
};

let p = Policy::parse("default-src 'none'; child-src 'self'", PolicySource::Header, PolicyDisposition::Enforce);

let violation_result = p.does_request_violate_policy(&request);

assert!(violation_result == Violates::DoesNotViolate);
}
}

0 comments on commit 8fe2c27

Please sign in to comment.