aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-06-30 16:39:53 +0200
committerWojtek Kosior <koszko@koszko.org>2021-06-30 16:39:53 +0200
commit12fd4fc3a01eb9718a60c8d04860c4e797049b26 (patch)
tree1ecbe7483fe79eae04fcdba627193b48b81a5e60
parentc49e3750ffaa7ab9ba5fea9e1f5af1df91e1f829 (diff)
downloadbrowser-extension-12fd4fc3a01eb9718a60c8d04860c4e797049b26.tar.gz
browser-extension-12fd4fc3a01eb9718a60c8d04860c4e797049b26.zip
fix whitelisting under Firefox
-rw-r--r--TODOS.org7
-rw-r--r--background/policy_injector.js45
2 files changed, 35 insertions, 17 deletions
diff --git a/TODOS.org b/TODOS.org
index 13b9207..3db947a 100644
--- a/TODOS.org
+++ b/TODOS.org
@@ -47,12 +47,11 @@ TODO:
(e.g. file:// and ftp://)
- Process HTML files in data: URLs instead of just blocking them
- improve CSP injection for pathological cases like <script> before <head>
-- Fix FF script blocking and whitelisting (FF seems to be by itself repeatedly
- injecting CSP headers that were injected once, this makes it impossible to
- whielist site that was unwhitelisted before; FF also seems to be removing our
- injected script's nonce for no reason 🙁)
DONE:
+- Fix FF script whitelisting (FF seems to be by itself repeatedly -- DONE 2021-06-30
+ injecting CSP headers that were injected once, this made it impossible to
+ whielist site that was unwhitelisted before)
- find out if we can successfully use CSP to block file:// under FF -- DONE 2021-06-30
- come up with own simple DSL to manage imports/exports -- DONE 2021-06-30
- add some mechanism to build the extension -- DONE 2021-06-30
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 4f70aac..eb67963 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -21,33 +21,52 @@
var storage;
var query_best;
-let csp_header_names = {
+const csp_header_names = {
"content-security-policy" : true,
"x-webkit-csp" : true,
"x-content-security-policy" : true
};
-function is_noncsp_header(header)
+const header_name = "content-security-policy";
+
+function is_csp_header(header)
+{
+ return !!csp_header_names[header.name.toLowerCase()];
+}
+
+function is_our_header(header, rule)
{
- return !csp_header_names[header.name.toLowerCase()];
+ return header.value === rule
}
function inject(details)
{
- let url = url_item(details.url);
+ const url = url_item(details.url);
+
+ const [pattern, settings] = query_best(url);
+
+ const nonce = gen_unique(url);
+ const rule = csp_rule(nonce);
- let [pattern, settings] = query_best(url);
+ var headers;
- if (settings !== undefined && settings.allow)
- return {cancel : false};
+ if (settings !== undefined && settings.allow) {
+ /*
+ * Chrome doesn't have the buggy behavior of repeatedly injecting a
+ * header we injected once. Firefox does and we have to remove it there.
+ */
+ if (is_chrome)
+ return {cancel: false};
- let nonce = gen_unique(url);
- let headers = details.responseHeaders.filter(is_noncsp_header);
+ headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
+ } else {
+ headers = details.responseHeaders.filter(h => !is_csp_header(h));
- headers.push({
- name : "content-security-policy",
- value : csp_rule(nonce)
- });
+ headers.push({
+ name : header_name,
+ value : rule
+ });
+ }
return {responseHeaders: headers};
}