[epiphany/pgriffis/web-extension/csp] WebExtensions: Properly set the Content-Security-Policy

[Patrick Griffis <pgriffis src gnome org>]

commit bb35f90e4f78cd300ecca03d75a4f8a191f813d6
Author: Patrick Griffis <pgriffis igalia com>
Date:   Tue Jun 21 18:57:32 2022 -0500

    WebExtensions: Properly set the Content-Security-Policy
    
    Fixes #1777

 meson.build                                   | 18 ++++++++++++++++--
 src/webextension/ephy-web-extension-manager.c |  6 ++++++
 src/webextension/ephy-web-extension.c         | 11 +++++++++++
 src/webextension/ephy-web-extension.h         |  2 ++
 4 files changed, 35 insertions(+), 2 deletions(-)
---
diff --git a/meson.build b/meson.build
index 0f2db8e36..53c0f397b 100644
--- a/meson.build
+++ b/meson.build
@@ -9,6 +9,8 @@ project('epiphany', 'c',
 gnome = import('gnome')
 i18n = import('i18n')
 
+cc = meson.get_compiler('c')
+
 r = run_command('grep', '-Po', '^NAME=\K.*', '/etc/os-release')
 if r.returncode() == 0
   distributor_name = r.stdout().strip()
@@ -111,6 +113,20 @@ elif webkit_revision != ''
 endif
 conf.set_quoted('WEBKIT_REVISION', webkit_revision)
 
+conf.set(
+  'HAVE_WEBKIT_DEFAULT_CONTENT_SECURITY_POLICY',
+  cc.has_function('webkit_web_view_get_default_content_security_policy',
+    dependencies: webkit2gtk_dep
+  )
+)
+
+conf.set(
+  'HAVE_WEBKIT_EXTENSION_MODE',
+  cc.has_function('webkit_web_view_get_web_extension_mode',
+    dependencies: webkit2gtk_dep
+  )
+)
+
 config_h = declare_dependency(
   sources: vcs_tag(
     input: configure_file(
@@ -121,8 +137,6 @@ config_h = declare_dependency(
   )
 )
 
-cc = meson.get_compiler('c')
-
 mini_gmp_test = '''
 #include <nettle/bignum.h>
 
diff --git a/src/webextension/ephy-web-extension-manager.c b/src/webextension/ephy-web-extension-manager.c
index b02b14695..e2009b3c5 100644
--- a/src/webextension/ephy-web-extension-manager.c
+++ b/src/webextension/ephy-web-extension-manager.c
@@ -881,6 +881,12 @@ ephy_web_extensions_manager_create_web_extensions_webview (EphyWebExtension *web
                            "user-content-manager", ucm,
                            "settings", ephy_embed_prefs_get_settings (),
                            "related-view", ephy_web_extension_manager_get_background_web_view (manager, 
web_extension),
+#ifdef HAVE_WEBKIT_DEFAULT_CONTENT_SECURITY_POLICY
+                           "default-content-security-policy", ephy_web_extension_get_content_security_policy 
(web_extension),
+#endif
+#ifdef HAVE_WEBKIT_EXTENSION_MODE
+                           "HAVE_WEBKIT_EXTENSION_MODE", WEBKIT_WEB_EXTENSION_MODE_MANIFESTV2,
+#endif
                            NULL);
 
   webkit_web_view_set_cors_allowlist (WEBKIT_WEB_VIEW (web_view), ephy_web_extension_get_host_permissions 
(web_extension));
diff --git a/src/webextension/ephy-web-extension.c b/src/webextension/ephy-web-extension.c
index 46169ee98..ec0065254 100644
--- a/src/webextension/ephy-web-extension.c
+++ b/src/webextension/ephy-web-extension.c
@@ -99,6 +99,7 @@ struct _EphyWebExtension {
   char *name;
   char *version;
   char *homepage_url;
+  char *content_security_policy;
   GList *icons;
   GList *content_scripts;
   WebExtensionBackground *background;
@@ -373,6 +374,12 @@ ephy_web_extension_get_author (EphyWebExtension *self)
   return self->author;
 }
 
+const char *
+ephy_web_extension_get_content_security_policy (EphyWebExtension *self)
+{
+  return self->content_security_policy;
+}
+
 const char *
 ephy_web_extension_get_manifest (EphyWebExtension *self)
 {
@@ -762,6 +769,7 @@ ephy_web_extension_dispose (GObject *object)
   g_clear_pointer (&self->version, g_free);
   g_clear_pointer (&self->homepage_url, g_free);
   g_clear_pointer (&self->local_storage_path, g_free);
+  g_clear_pointer (&self->content_security_policy, g_free);
 
   g_clear_list (&self->icons, (GDestroyNotify)web_extension_icon_free);
   g_clear_list (&self->content_scripts, (GDestroyNotify)web_extension_content_script_free);
@@ -967,6 +975,9 @@ ephy_web_extension_load (GFile *target)
   self->homepage_url = ephy_web_extension_manifest_get_key (self, root_object, "homepage_url");
   self->author = ephy_web_extension_manifest_get_key (self, root_object, "author");
 
+  /* Default matches Firefox: 
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#default_content_security_policy
 */
+  self->content_security_policy = g_strdup (json_object_get_string_member_with_default (root_object, 
"content_security_policy", "script-src 'self'; object-src 'self';"));
+
   self->local_storage_path = g_build_filename (ephy_config_dir (), "web_extensions",
                                                g_path_get_basename (self->base_location), 
"local-storage.json", NULL);
 
diff --git a/src/webextension/ephy-web-extension.h b/src/webextension/ephy-web-extension.h
index 2b332b7a8..d3e1b6c30 100644
--- a/src/webextension/ephy-web-extension.h
+++ b/src/webextension/ephy-web-extension.h
@@ -80,6 +80,8 @@ const char            *ephy_web_extension_get_homepage_url                (EphyW
 
 const char            *ephy_web_extension_get_author                      (EphyWebExtension *self);
 
+const char            *ephy_web_extension_get_content_security_policy     (EphyWebExtension *self);
+
 GList                 *ephy_web_extensions_get                            (void);
 
 EphyWebExtension      *ephy_web_extension_load                            (GFile *file);