generate Chromium unique key automatically in `build.sh'

3 files changed, 23 insertions, 22 deletions

diff --git a/build.sh b/build.sh
index 0659ed1..66f709c 100755
--- a/build.sh
+++ b/build.sh
@@ -200,19 +200,20 @@ main() {
     GECKO_APPLICATIONS=''
 
     if [ "$BROWSER" = "chromium" ]; then
+	CHROMIUM_KEY="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)"
+	echo "chromium key is" $CHROMIUM_KEY
+	CHROMIUM_KEY="chromium-key-dummy-file-$CHROMIUM_KEY"
+	CHROMIUM_KEY=$(echo $CHROMIUM_KEY | tr / -);
+	touch $BUILDDIR/$CHROMIUM_KEY
+
 	CHROMIUM_KEY="\n\
-\n\
-    // WARNING!!!\n\
-    // EACH USER SHOULD REPLACE \"key\" WITH A UNIQUE VALUE!!!\n\
-    // OTHERWISE, SECURITY CAN BE TRIVIALLY COMPROMISED!\n\
-    //\n\
-    // A unique key can be generated with:\n\
-    // $ ssh-keygen -f /path/to/new/key.pem -t rsa -b 1024\n\
-    //\n\
-    // Only relevant to users of chrome-based browsers.\n\
-    // Users of Firefox forks are safe.\n\
-\n\
-    \"key\": \"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcnNhAAAAAwEAAQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAII4Dh7HOA4exwAAAAHc3NoLXJzYQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAADAQABAAAAgEHB5/MhEKMFOs8e1cMJ97ZiWubiUPlWpcqyQmauLUj1nspg3JTBh8AWJEVkaxuFgU5gYCHQmRjC6yUdywyziOEkFA4r/WpX4WmbIe+GQHRHhitLN0dgF8N6/fVNOoa5StTdfZqyl23pVXyepoDNjrJFKyupqPMmpwfH5lGr9RwBAAAAQG76HflB/5j8P2YgIYX6dQT4Ei0SqiIjNVy7jFJUQDKSJg/PYkedE02JZJBJPcMYxEJUxXtMgq+upamNILfkmY0AAABBAP4v0O5dqjy16xDDFzb4DPNAcw5Za9KJaXKVkUuKXMNZOKTR0RC/upjNTmttY980RKdIx5zA25dO8cx563bSDIsAAABBAP0MaOpBiai/eRmLqhlthHODa+Mur6W3uc9PyhWhgDBjLNMR/doaYeyfVKxtIiN3a+HkN++G+vbokRweQv++bhMAAAANdXJ6QGxvY2FsaG9zdAECAwQFBg==\","
+	// WARNING!!!\n\
+	// EACH USER SHOULD REPLACE DUMMY FILE's VALUE WITH A UNIQUE ONE!!!\n\
+	// OTHERWISE, SECURITY CAN BE TRIVIALLY COMPROMISED!\n\
+	// Only relevant to users of chrome-based browsers.\n\
+	// Users of Firefox forks are safe.\n\
+	\"$CHROMIUM_KEY\"\
+"
     else
 	GECKO_APPLICATIONS="\n\
     \"applications\": {\n\
diff --git a/common/signing.js b/common/signing.js
index 2171714..1904bcd 100644
--- a/common/signing.js
+++ b/common/signing.js
@@ -10,7 +10,7 @@
  * IMPORTS_START
  * IMPORT sha256
  * IMPORT browser
- * IMPORT is_chrome
+ * IMPORT is_mozilla
  * IMPORTS_END
  */
 
@@ -30,18 +30,18 @@
  *
  * The secret shared between execution contexts has to be available
  * synchronously. Under Mozilla, this is the extension's per-session id. Under
- * Chromium, this is the key that resides in the manifest.
- *
- * An idea to (under Chromium) instead store the secret in a file fetched
- * synchronously using XMLHttpRequest is being considered.
+ * Chromium, this is a dummy web-accessible-resource name that resides in the
+ * manifest and is supposed to be constructed by each user using a unique value
+ * (this is done automatically by `build.sh').
  */
 
 function get_secret()
 {
-    if (is_chrome)
-	return browser.runtime.getManifest().key.substring(0, 50);
-    else
+    if (is_mozilla)
 	return browser.runtime.getURL("dummy");
+
+    return chrome.runtime.getManifest().web_accessible_resources
+	.map(r => /^chromium-key-dummy-file-(.*)/.exec(r)).filter(r => r)[0][1];
 }
 
 function extract_signed(signature, signed_data)
diff --git a/manifest.json b/manifest.json
index bd963fe..ce2577e 100644
--- a/manifest.json
+++ b/manifest.json
@@ -4,7 +4,7 @@
     "manifest_version": 2,
     "name": "Hachette",
     "short_name": "Hachette",
-    "version": "0.0.1",_CHROMIUM_KEY_
+    "version": "0.0.1",
     "author": "various",
     "description": "Control your \"Web\" browsing.",_GECKO_APPLICATIONS_
     "icons":{
@@ -42,7 +42,7 @@
 	"page": "html/options.html",
 	"open_in_tab": true
     },
-    "web_accessible_resources": [
+    "web_accessible_resources": [_CHROMIUM_KEY_
     ],
     "background": {
 	"persistent": true,