[UNTESTED- will test] Add filtering for http-equiv CSP headers

author: jahoti <jahoti@tilde.team> 2021-08-02 00:00:00 +0000
committer: jahoti <jahoti@tilde.team> 2021-08-02 00:00:00 +0000
commit: 5b419aedd564e6506aa2fc8bddcaa5d601888f17 (patch)
tree: 494d1f7fa1f9600451553d5aaaa68ba28c96d250
parent: 25817b68c03b25c9b4fcaba2b96ab65f2edfd63c (diff)
download: browser-extension-5b419aedd564e6506aa2fc8bddcaa5d601888f17.tar.gz
browser-extension-5b419aedd564e6506aa2fc8bddcaa5d601888f17.zip
3 files changed, 57 insertions, 46 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index f573d48..80a0e3b 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -19,7 +19,7 @@
  * IMPORT url_extract_target
  * IMPORT sign_policy
  * IMPORT get_query_best
- * IMPORT parse_csp
+ * IMPORT sanitize_csp_header
  * IMPORTS_END
  */
 
@@ -79,40 +79,6 @@ function url_inject(details)
     };
 }
 
-function process_csp_header(header, rule, block)
-{
-    const csp = parse_csp(header.value);
-
-
-    if (block) {
-	/* No snitching */
-	delete csp['report-to'];
-	delete csp['report-uri'];
-	
-	delete csp['script-src'];
-	delete csp['script-src-elem'];
-
-	csp['script-src-attr'] = ["'none'"];
-	csp['prefetch-src'] = ["'none'"];
-    }
-
-    if ('script-src' in csp)
-	csp['script-src'].push(rule);
-    else
-	csp['script-src'] = [rule];
-
-    if ('script-src-elem' in csp)
-	csp['script-src-elem'].push(rule);
-    else
-	csp['script-src-elem'] = [rule];
-
-    const new_policy = Object.entries(csp).map(
-	i => `${i[0]} ${i[1].join(' ')};`
-    );
-
-    return {name: header.name, value: new_policy.join('')};
-}
-
 function headers_inject(details)
 {
     const targets = url_extract_target(details.url);
@@ -157,10 +123,10 @@ function headers_inject(details)
 
 		orig_csp_headers = csp_headers = null;
 		for (const header of data)
-		    headers.push(process_csp_header(header, rule, block));
+		    headers.push(sanitize_csp_header(header, rule, block));
 	    }
 	} else if (is_chrome || !orig_csp_headers) {
-	    csp_headers.push(process_csp_header(header, rule, block));
+	    csp_headers.push(sanitize_csp_header(header, rule, block));
 	    if (is_mozilla)
 		orig_csp_headers.push(header);
 	}
diff --git a/common/misc.js b/common/misc.js
index 0d8466e..d046b65 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -173,6 +173,40 @@ function parse_csp(csp) {
     return directives;
 }
 
+/* Make CSP headers do our bidding, not interfere */
+function sanitize_csp_header(header, rule, block)
+{
+    const csp = parse_csp(header.value);
+
+    if (block) {
+	/* No snitching */
+	delete csp['report-to'];
+	delete csp['report-uri'];
+	
+	delete csp['script-src'];
+	delete csp['script-src-elem'];
+
+	csp['script-src-attr'] = ["'none'"];
+	csp['prefetch-src'] = ["'none'"];
+    }
+
+    if ('script-src' in csp)
+	csp['script-src'].push(rule);
+    else
+	csp['script-src'] = [rule];
+
+    if ('script-src-elem' in csp)
+	csp['script-src-elem'].push(rule);
+    else
+	csp['script-src-elem'] = [rule];
+
+    const new_policy = Object.entries(csp).map(
+	i => `${i[0]} ${i[1].join(' ')};`
+    );
+
+    return {name: header.name, value: new_policy.join('')};
+}
+
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
@@ -184,6 +218,6 @@ function parse_csp(csp) {
  * EXPORT nice_name
  * EXPORT open_in_settings
  * EXPORT is_privileged_url
- * EXPORT parse_csp
+ * EXPORT sanitize_csp_header
  * EXPORTS_END
  */
diff --git a/content/main.js b/content/main.js
index 9ed557c..5edb8a6 100644
--- a/content/main.js
+++ b/content/main.js
@@ -19,6 +19,7 @@
  * IMPORT is_chrome
  * IMPORT is_mozilla
  * IMPORT start_activity_info_server
+ * IMPORT sanitize_csp_header
  * IMPORTS_END
  */
 
@@ -65,6 +66,17 @@ function block_node(node)
 	block_script(node);
 	return;
     }
+    
+    else if (node.tagName === 'META' &&
+	node.getAttribute('http-equiv') === 'content-security-policy') {
+	
+	node.content = sanitize_csp_header(
+	    {value: node.content},
+	    `'nonce-${nonce}'`,
+	    !policy.allow
+	).value;
+	return;
+    }
 
     sanitize_attributes(node);
 
@@ -114,14 +126,13 @@ if (!is_privileged_url(document.URL)) {
     if (!policy.allow) {
 	block_nodes_recursively(document.documentElement);
 
-	if (is_chrome) {
-	    var observer = new MutationObserver(handle_mutation);
-	    observer.observe(document.documentElement, {
-		attributes: true,
-		childList: true,
-		subtree: true
-	    });
-	}
+	/* Now needed on Mozilla as well to sanitize CSP header */
+	var observer = new MutationObserver(handle_mutation);
+	observer.observe(document.documentElement, {
+	    attributes: true,
+	    childList: true,
+	    subtree: true
+	});
 
 	if (is_mozilla)
 	    addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);
author	jahoti <jahoti@tilde.team>	2021-08-02 00:00:00 +0000
committer	jahoti <jahoti@tilde.team>	2021-08-02 00:00:00 +0000
commit	5b419aedd564e6506aa2fc8bddcaa5d601888f17 (patch)
tree	494d1f7fa1f9600451553d5aaaa68ba28c96d250
parent	25817b68c03b25c9b4fcaba2b96ab65f2edfd63c (diff)
download	browser-extension-5b419aedd564e6506aa2fc8bddcaa5d601888f17.tar.gz browser-extension-5b419aedd564e6506aa2fc8bddcaa5d601888f17.zip