content_security_policy/
sandboxing_directive.rs

1#[cfg(feature = "serde")] use serde::{Deserialize, Serialize};
2use bitflags::bitflags;
3
bitflags! {
    /// Set of sandboxing restrictions, one bit per flag.
    ///
    /// A set bit means the restriction is in force. `parse_a_sandboxing_directive`
    /// starts from `all()` and clears bits only for keywords it recognises, so a
    /// flag added here is enforced by default until a keyword is mapped to it.
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    #[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
    pub struct SandboxingFlagSet: u32 {
        /// No keyword handled by `parse_a_sandboxing_directive` clears this flag.
        const SANDBOXED_NAVIGATION_BROWSING_CONTEXT_FLAG = 1 << 0;
        /// Cleared by `allow-popups`.
        const SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG = 1 << 1;
        /// Cleared by `allow-top-navigation`.
        const SANDBOXED_TOP_LEVEL_NAVIGATION_WITHOUT_USER_ACTIVATION_BROWSING_CONTEXT_FLAG
            = 1 << 2;
        /// Cleared by `allow-top-navigation-by-user-activation` or `allow-top-navigation`.
        const SANDBOXED_TOP_LEVEL_NAVIGATION_WITH_USER_ACTIVATION_BROWSING_CONTEXT_FLAG
            = 1 << 3;
        /// No keyword handled by `parse_a_sandboxing_directive` clears this flag.
        const SANDBOXED_PLUGINS_BROWSING_CONTEXT_FLAG = 1 << 4;
        /// Cleared by `allow-same-origin`.
        const SANDBOXED_ORIGIN_BROWSING_CONTEXT_FLAG = 1 << 5;
        /// Cleared by `allow-forms`.
        const SANDBOXED_FORMS_BROWSING_CONTEXT_FLAG = 1 << 6;
        /// Cleared by `allow-pointer-lock`.
        const SANDBOXED_POINTER_LOCK_BROWSING_CONTEXT_FLAG = 1 << 7;
        /// Cleared by `allow-scripts`.
        const SANDBOXED_SCRIPTS_BROWSING_CONTEXT_FLAG = 1 << 8;
        /// Cleared by `allow-scripts`.
        const SANDBOXED_AUTOMATIC_FEATURES_BROWSING_CONTEXT_FLAG = 1 << 9;
        /// No keyword handled by `parse_a_sandboxing_directive` clears this flag.
        const SANDBOXED_STORAGE_AREA_URLS_FLAG = 1 << 10;
        /// No keyword handled by `parse_a_sandboxing_directive` clears this flag.
        const SANDBOXED_DOCUMENT_DOMAIN_BROWSING_CONTEXT_FLAG = 1 << 11;
        /// Cleared by `allow-popups-to-escape-sandbox`.
        // NOTE(review): "PROPOGATES" is a misspelling of "PROPAGATES"; the name is
        // public, so it is kept as-is here.
        const SANDBOX_PROPOGATES_TO_AUXILIARY_BROWSING_CONTEXTS_FLAG = 1 << 12;
        /// Cleared by `allow-modals`.
        const SANDBOXED_MODALS_FLAG = 1 << 13;
        /// Cleared by `allow-orientation-lock`.
        const SANDBOXED_ORIENTATION_LOCK_BROWSING_CONTEXT_FLAG = 1 << 14;
        /// Cleared by `allow-presentation`.
        const SANDBOXED_PRESENTATION_BROWSING_CONTEXT_FLAG = 1 << 15;
        /// Cleared by `allow-downloads`.
        const SANDBOXED_DOWNLOADS_BROWSING_CONTEXT_FLAG = 1 << 16;
        /// Cleared by `allow-top-navigation-to-custom-protocols`, `allow-popups`
        /// or `allow-top-navigation`.
        // NOTE(review): "SANBOXED" is a misspelling of "SANDBOXED"; the name is
        // public, so it is kept as-is here.
        const SANBOXED_CUSTOM_PROTOCOLS_NAVIGATION_BROWSING_CONTEXT_FLAG = 1 << 17;
    }
}
30
/// Computes the sandboxing flag set for an already-tokenized sandbox directive.
///
/// <https://html.spec.whatwg.org/multipage/#parse-a-sandboxing-directive>
///
/// `tokens` must already be split on ASCII whitespace by the caller (step 1 of
/// the algorithm). The result starts with every flag set and each recognised
/// keyword clears the flag(s) it relaxes.
///
/// Keywords are compared exactly as given. A token that matches no arm clears
/// nothing, so unknown or differently-cased tokens leave the sandbox fully
/// restrictive for the flags they might have been meant to relax.
///
/// No combination of keywords is rejected here (for example `allow-scripts`
/// together with `allow-same-origin` is accepted as-is); any linting of risky
/// combinations has to happen in the caller.
pub fn parse_a_sandboxing_directive(tokens: &[String]) -> SandboxingFlagSet {
    type Flags = SandboxingFlagSet;

    // Step 1 (splitting the input on ASCII whitespace) is done by callers.
    //
    // Step 2 says "let output be empty" and step 3 adds each flag unless a
    // keyword is present. The logic is inverted here: begin with every flag set
    // and clear flags as keywords are seen. Flags the specification adds
    // unconditionally therefore need no explicit handling, because no keyword
    // ever clears them.
    let mut sandbox = Flags::all();

    // Step 3, inverted: clear the flag(s) each keyword relaxes.
    for keyword in tokens.iter().map(String::as_str) {
        let lifted = match keyword {
            // Auxiliary navigation stays sandboxed unless `allow-popups` is
            // present; that keyword also relaxes custom-protocol navigation.
            "allow-popups" => {
                Flags::SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG
                    | Flags::SANBOXED_CUSTOM_PROTOCOLS_NAVIGATION_BROWSING_CONTEXT_FLAG
            },
            // `allow-top-navigation` relaxes top-level navigation both with and
            // without user activation, plus custom-protocol navigation.
            "allow-top-navigation" => {
                Flags::SANDBOXED_TOP_LEVEL_NAVIGATION_WITHOUT_USER_ACTIVATION_BROWSING_CONTEXT_FLAG
                    | Flags::SANDBOXED_TOP_LEVEL_NAVIGATION_WITH_USER_ACTIVATION_BROWSING_CONTEXT_FLAG
                    | Flags::SANBOXED_CUSTOM_PROTOCOLS_NAVIGATION_BROWSING_CONTEXT_FLAG
            },
            // Only the user-activated form of top-level navigation is relaxed.
            "allow-top-navigation-by-user-activation" => {
                Flags::SANDBOXED_TOP_LEVEL_NAVIGATION_WITH_USER_ACTIVATION_BROWSING_CONTEXT_FLAG
            },
            // The sandboxed origin flag, unless `allow-same-origin` is present.
            "allow-same-origin" => Flags::SANDBOXED_ORIGIN_BROWSING_CONTEXT_FLAG,
            // The sandboxed forms flag, unless `allow-forms` is present.
            "allow-forms" => Flags::SANDBOXED_FORMS_BROWSING_CONTEXT_FLAG,
            // The sandboxed pointer lock flag, unless `allow-pointer-lock` is present.
            "allow-pointer-lock" => Flags::SANDBOXED_POINTER_LOCK_BROWSING_CONTEXT_FLAG,
            // `allow-scripts` relaxes both the scripts flag and the automatic
            // features flag.
            "allow-scripts" => {
                Flags::SANDBOXED_SCRIPTS_BROWSING_CONTEXT_FLAG
                    | Flags::SANDBOXED_AUTOMATIC_FEATURES_BROWSING_CONTEXT_FLAG
            },
            // The sandbox keeps propagating to auxiliary browsing contexts
            // unless `allow-popups-to-escape-sandbox` is present.
            "allow-popups-to-escape-sandbox" => {
                Flags::SANDBOX_PROPOGATES_TO_AUXILIARY_BROWSING_CONTEXTS_FLAG
            },
            // The sandboxed modals flag, unless `allow-modals` is present.
            "allow-modals" => Flags::SANDBOXED_MODALS_FLAG,
            // The sandboxed orientation lock flag, unless `allow-orientation-lock` is present.
            "allow-orientation-lock" => Flags::SANDBOXED_ORIENTATION_LOCK_BROWSING_CONTEXT_FLAG,
            // The sandboxed presentation flag, unless `allow-presentation` is present.
            "allow-presentation" => Flags::SANDBOXED_PRESENTATION_BROWSING_CONTEXT_FLAG,
            // The sandboxed downloads flag, unless `allow-downloads` is present.
            "allow-downloads" => Flags::SANDBOXED_DOWNLOADS_BROWSING_CONTEXT_FLAG,
            // Custom-protocol navigation is also relaxed by `allow-popups` and
            // `allow-top-navigation` (handled in their own arms above).
            "allow-top-navigation-to-custom-protocols" => {
                Flags::SANBOXED_CUSTOM_PROTOCOLS_NAVIGATION_BROWSING_CONTEXT_FLAG
            },
            // Unrecognised token: relax nothing, so the restriction stays in force.
            _ => Flags::empty(),
        };
        sandbox.remove(lifted);
    }

    sandbox
}