LibWeb+LibWebView+WebContent: Add APIs to manage an autoplay allowlist

The spec defines a Permissions Policy to control some browser behaviors
on a per-origin basis. Management of these permissions live in their own
spec: https://w3c.github.io/webappsec-permissions-policy/

This implements a somewhat ad-hoc Permissions Policy for autoplaying
media elements. We will need to implement the entire policy spec for
this to be more general.

Userland/Libraries/LibWeb/CMakeLists.txt

@@ -453,6 +453,7 @@ set(SOURCES
     Painting/VideoPaintable.cpp
     PerformanceTimeline/EntryTypes.cpp
     PerformanceTimeline/PerformanceEntry.cpp
+    PermissionsPolicy/AutoplayAllowlist.cpp
     Platform/EventLoopPlugin.cpp
     Platform/EventLoopPluginSerenity.cpp
     Platform/FontPlugin.cpp

Userland/Libraries/LibWeb/DOM/Document.cpp

@@ -72,6 +72,7 @@
 #include <LibWeb/Layout/Viewport.h>
 #include <LibWeb/Namespace.h>
 #include <LibWeb/Page/Page.h>
+#include <LibWeb/PermissionsPolicy/AutoplayAllowlist.h>
 #include <LibWeb/Platform/Timer.h>
 #include <LibWeb/SVG/TagNames.h>
 #include <LibWeb/Selection/Selection.h>
@@ -2398,6 +2399,31 @@ void Document::unload(bool recursive_flag, Optional<DocumentUnloadTimingInfo> un
     m_unload_counter -= 1;
 }
 
+// https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use
+bool Document::is_allowed_to_use_feature(PolicyControlledFeature feature) const
+{
+    // 1. If document's browsing context is null, then return false.
+    if (browsing_context() == nullptr)
+        return false;
+
+    // 2. If document is not fully active, then return false.
+    if (!is_fully_active())
+        return false;
+
+    // 3. If the result of running is feature enabled in document for origin on feature, document, and document's origin
+    //    is "Enabled", then return true.
+    // FIXME: This is ad-hoc. Implement the Permissions Policy specification.
+    switch (feature) {
+    case PolicyControlledFeature::Autoplay:
+        if (PermissionsPolicy::AutoplayAllowlist::the().is_allowed_for_origin(*this, origin()) == PermissionsPolicy::Decision::Enabled)
+            return true;
+        break;
+    }
+
+    // 4. Return false.
+    return false;
+}
+
 void Document::did_stop_being_active_document_in_browsing_context(Badge<HTML::BrowsingContext>)
 {
     tear_down_layout_tree();

Userland/Libraries/LibWeb/DOM/Document.h

@@ -74,6 +74,10 @@ struct ElementCreationOptions {
     DeprecatedString is;
 };
 
+enum class PolicyControlledFeature {
+    Autoplay,
+};
+
 class Document
     : public ParentNode
     , public NonElementParentNode<Document>
@@ -456,6 +460,8 @@ public:
     DocumentUnloadTimingInfo const& previous_document_unload_timing() const { return m_previous_document_unload_timing; }
     void set_previous_document_unload_timing(DocumentUnloadTimingInfo const& previous_document_unload_timing) { m_previous_document_unload_timing = previous_document_unload_timing; }
 
+    bool is_allowed_to_use_feature(PolicyControlledFeature) const;
+
     void did_stop_being_active_document_in_browsing_context(Badge<HTML::BrowsingContext>);
 
     bool query_command_supported(DeprecatedString const&) const;

Userland/Libraries/LibWeb/Forward.h

@@ -475,6 +475,10 @@ namespace Web::PerformanceTimeline {
 class PerformanceEntry;
 }
 
+namespace Web::PermissionsPolicy {
+class AutoplayAllowlist;
+}
+
 namespace Web::Platform {
 class Timer;
 }

Userland/Libraries/LibWeb/PermissionsPolicy/AutoplayAllowlist.cpp

@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2023, Tim Flynn <trflynn89@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <AK/String.h>
+#include <AK/URL.h>
+#include <LibWeb/DOM/Document.h>
+#include <LibWeb/HTML/Origin.h>
+#include <LibWeb/PermissionsPolicy/AutoplayAllowlist.h>
+#include <LibWeb/URL/URL.h>
+
+// FIXME: This is an ad-hoc implementation of the "autoplay" policy-controlled feature:
+// https://w3c.github.io/webappsec-permissions-policy/#policy-controlled-feature
+
+namespace Web::PermissionsPolicy {
+
+AutoplayAllowlist& AutoplayAllowlist::the()
+{
+    static AutoplayAllowlist filter;
+    return filter;
+}
+
+AutoplayAllowlist::AutoplayAllowlist() = default;
+AutoplayAllowlist::~AutoplayAllowlist() = default;
+
+// https://w3c.github.io/webappsec-permissions-policy/#is-feature-enabled
+Decision AutoplayAllowlist::is_allowed_for_origin(DOM::Document const& document, HTML::Origin const& origin) const
+{
+    // FIXME: 1. Let policy be document’s Permissions Policy
+    // FIXME: 2. If policy’s inherited policy for feature is Disabled, return "Disabled".
+
+    // 3. If feature is present in policy’s declared policy:
+    if (m_allowlist.has_value()) {
+        // 1. If the allowlist for feature in policy’s declared policy matches origin, then return "Enabled".
+        // 2. Otherwise return "Disabled".
+        return m_allowlist->visit(
+            [](Global) {
+                return Decision::Enabled;
+            },
+            [&](auto const& patterns) {
+                for (auto const& pattern : patterns) {
+                    if (pattern.is_same_origin_domain(origin))
+                        return Decision::Enabled;
+                }
+
+                return Decision::Disabled;
+            });
+    }
+
+    // 4. If feature’s default allowlist is *, return "Enabled".
+    // 5. If feature’s default allowlist is 'self', and origin is same origin with document’s origin, return "Enabled".
+    // NOTE: The "autoplay" feature's default allowlist is 'self'.
+    //       https://html.spec.whatwg.org/multipage/infrastructure.html#autoplay-feature
+    if (origin.is_same_origin(document.origin()))
+        return Decision::Enabled;
+
+    // 6. Return "Disabled".
+    return Decision::Disabled;
+}
+
+void AutoplayAllowlist::enable_globally()
+{
+    m_allowlist = Global {};
+}
+
+ErrorOr<void> AutoplayAllowlist::enable_for_origins(ReadonlySpan<String> origins)
+{
+    m_allowlist = Patterns {};
+
+    auto& allowlist = m_allowlist->get<Patterns>();
+    TRY(allowlist.try_ensure_capacity(origins.size()));
+
+    for (auto const& origin : origins) {
+        AK::URL url { origin };
+
+        if (!url.is_valid())
+            url = TRY(String::formatted("https://{}", origin));
+        if (!url.is_valid()) {
+            dbgln("Invalid origin for autoplay allowlist: {}", origin);
+            continue;
+        }
+
+        TRY(allowlist.try_append(URL::url_origin(url)));
+    }
+
+    return {};
+}
+
+}

Userland/Libraries/LibWeb/PermissionsPolicy/AutoplayAllowlist.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023, Tim Flynn <trflynn89@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/Forward.h>
+#include <AK/Variant.h>
+#include <AK/Vector.h>
+#include <LibWeb/Forward.h>
+#include <LibWeb/PermissionsPolicy/Decision.h>
+
+namespace Web::PermissionsPolicy {
+
+class AutoplayAllowlist {
+public:
+    static AutoplayAllowlist& the();
+
+    Decision is_allowed_for_origin(DOM::Document const&, HTML::Origin const&) const;
+
+    void enable_globally();
+    ErrorOr<void> enable_for_origins(ReadonlySpan<String>);
+
+private:
+    AutoplayAllowlist();
+    ~AutoplayAllowlist();
+
+    using Patterns = Vector<HTML::Origin>;
+    struct Global { };
+
+    Optional<Variant<Patterns, Global>> m_allowlist;
+};
+
+}

Userland/Libraries/LibWeb/PermissionsPolicy/Decision.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2023, Tim Flynn <trflynn89@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+namespace Web::PermissionsPolicy {
+
+enum class Decision {
+    Enabled,
+    Disabled,
+};
+
+}

Userland/Libraries/LibWebView/OutOfProcessWebView.cpp

@@ -600,6 +600,16 @@ void OutOfProcessWebView::set_content_filters(Vector<DeprecatedString> filters)
     client().async_set_content_filters(filters);
 }
 
+void OutOfProcessWebView::set_autoplay_allowed_on_all_websites()
+{
+    client().async_set_autoplay_allowed_on_all_websites();
+}
+
+void OutOfProcessWebView::set_autoplay_allowlist(Vector<String> allowlist)
+{
+    client().async_set_autoplay_allowlist(move(allowlist));
+}
+
 void OutOfProcessWebView::set_proxy_mappings(Vector<DeprecatedString> proxies, HashMap<DeprecatedString, size_t> mappings)
 {
     client().async_set_proxy_mappings(move(proxies), move(mappings));

Userland/Libraries/LibWebView/OutOfProcessWebView.h

@@ -43,6 +43,8 @@ public:
     OrderedHashMap<DeprecatedString, DeprecatedString> get_session_storage_entries();
 
     void set_content_filters(Vector<DeprecatedString>);
+    void set_autoplay_allowed_on_all_websites();
+    void set_autoplay_allowlist(Vector<String>);
     void set_proxy_mappings(Vector<DeprecatedString> proxies, HashMap<DeprecatedString, size_t> mappings);
     void connect_to_webdriver(DeprecatedString const& webdriver_ipc_path);
 

Userland/Services/WebContent/ConnectionFromClient.cpp

@@ -30,6 +30,7 @@
 #include <LibWeb/Loader/ResourceLoader.h>
 #include <LibWeb/Painting/PaintableBox.h>
 #include <LibWeb/Painting/StackingContext.h>
+#include <LibWeb/PermissionsPolicy/AutoplayAllowlist.h>
 #include <LibWeb/Platform/EventLoopPlugin.h>
 #include <WebContent/ConnectionFromClient.h>
 #include <WebContent/PageHost.h>
@@ -639,6 +640,18 @@ void ConnectionFromClient::set_content_filters(Vector<DeprecatedString> const& f
         Web::ContentFilter::the().add_pattern(filter);
 }
 
+void ConnectionFromClient::set_autoplay_allowed_on_all_websites()
+{
+    auto& autoplay_allowlist = Web::PermissionsPolicy::AutoplayAllowlist::the();
+    autoplay_allowlist.enable_globally();
+}
+
+void ConnectionFromClient::set_autoplay_allowlist(Vector<String> const& allowlist)
+{
+    auto& autoplay_allowlist = Web::PermissionsPolicy::AutoplayAllowlist::the();
+    autoplay_allowlist.enable_for_origins(allowlist).release_value_but_fixme_should_propagate_errors();
+}
+
 void ConnectionFromClient::set_proxy_mappings(Vector<DeprecatedString> const& proxies, HashMap<DeprecatedString, size_t> const& mappings)
 {
     auto keys = mappings.keys();

Userland/Services/WebContent/ConnectionFromClient.h

@@ -75,6 +75,8 @@ private:
     virtual Messages::WebContentServer::GetHoveredNodeIdResponse get_hovered_node_id() override;
     virtual Messages::WebContentServer::DumpLayoutTreeResponse dump_layout_tree() override;
     virtual void set_content_filters(Vector<DeprecatedString> const&) override;
+    virtual void set_autoplay_allowed_on_all_websites() override;
+    virtual void set_autoplay_allowlist(Vector<String> const& allowlist) override;
     virtual void set_proxy_mappings(Vector<DeprecatedString> const&, HashMap<DeprecatedString, size_t> const&) override;
     virtual void set_preferred_color_scheme(Web::CSS::PreferredColorScheme const&) override;
     virtual void set_has_focus(bool) override;

Userland/Services/WebContent/WebContentServer.ipc

@@ -55,6 +55,8 @@ endpoint WebContentServer
     select_all() =|
 
     set_content_filters(Vector<DeprecatedString> filters) =|
+    set_autoplay_allowed_on_all_websites() =|
+    set_autoplay_allowlist(Vector<String> allowlist) =|
     set_proxy_mappings(Vector<DeprecatedString> proxies, HashMap<DeprecatedString,size_t> mappings) =|
     set_preferred_color_scheme(Web::CSS::PreferredColorScheme color_scheme) =|
     set_has_focus(bool has_focus) =|