From 5e693821899b30aa4fd4da0bf3aeec0c46e167cf Mon Sep 17 00:00:00 2001
From: Michael Howell <michael@notriddle.com>
Date: Wed, 16 Mar 2022 17:34:11 -0700
Subject: [PATCH] Allow getting the document's sandboxing flag set

---
 src/lib.rs       | 25 +++++++++++++++++++++++++
 tests/sandbox.rs | 17 +++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/src/lib.rs b/src/lib.rs
index abf6212..e744585 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -308,6 +308,17 @@ impl CspList {
         }
         return (Allowed, violations);
     }
+    pub fn get_sandboxing_flag_set_for_document(&self) -> Option<SandboxingFlagSet> {
+        self.0
+            .iter()
+            .flat_map(|policy| {
+                policy.directive_set
+                    .iter()
+                    .find(|directive| directive.name == "sandbox")
+                    .and_then(|directive| directive.get_sandboxing_flag_set_for_document(policy))
+            })
+            .next()
+    }
 }
 
 #[derive(Clone, Debug)]
@@ -934,6 +945,20 @@ impl Directive {
             _ => Allowed
         }
     }
+    /// https://www.w3.org/TR/CSP/#sandbox-init
+    pub fn get_sandboxing_flag_set_for_document(&self, policy: &Policy) -> Option<SandboxingFlagSet> {
+        use PolicyDisposition::*;
+        match &self.name[..] {
+            "sandbox" => {
+                if policy.disposition != Enforce {
+                    None
+                } else {
+                    Some(parse_a_sandboxing_directive(&self.value[..]))
+                }
+            },
+            _ => None,
+        }
+    }
 }
 
 /// https://www.w3.org/TR/CSP/#effective-directive-for-inline-check
diff --git a/tests/sandbox.rs b/tests/sandbox.rs
index c6afa66..60874d7 100644
--- a/tests/sandbox.rs
+++ b/tests/sandbox.rs
@@ -1,5 +1,6 @@
 extern crate content_security_policy;
 use content_security_policy::*;
+use content_security_policy::sandboxing_directive::SandboxingFlagSet;
 #[test]
 fn sandbox_test_block() {
     let csp_list = CspList::parse("sandbox", PolicySource::Header, PolicyDisposition::Enforce);
@@ -89,3 +90,19 @@ fn sandbox_test_allow_images() {
     );
     assert_eq!(check_result, CheckResult::Allowed);
 }
+
+#[test]
+fn sandbox_document_flags() {
+    let policy = CspList::parse("sandbox", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all()), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-popups", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-forms", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_FORMS_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox; connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all()), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("sandbox allow-popups; connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(Some(SandboxingFlagSet::all() ^ SandboxingFlagSet::SANDBOXED_AUXILIARY_NAVIGATION_BROWSING_CONTEXT_FLAG), policy.get_sandboxing_flag_set_for_document());
+    let policy = CspList::parse("connect-src https://*.notriddle.com:443", PolicySource::Header, PolicyDisposition::Enforce);
+    assert_eq!(None, policy.get_sandboxing_flag_set_for_document());
+}
\ No newline at end of file