summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjahoti <jahoti@tilde.team>2021-07-28 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-07-28 00:00:00 +0000
commit25817b68c03b25c9b4fcaba2b96ab65f2edfd63c (patch)
treea71d9265f0a1bf3c43b3c1f1472c43c35dcb7386
parent5fcc980828047e966c24fde8a80e7f819a457e36 (diff)
downloadbrowser-extension-25817b68c03b25c9b4fcaba2b96ab65f2edfd63c.tar.gz
browser-extension-25817b68c03b25c9b4fcaba2b96ab65f2edfd63c.zip
Rationalize CSP violation report blocking.
Report blocking now applies iff scripts are blocked.
-rw-r--r--background/policy_injector.js76
1 files changed, 37 insertions, 39 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 386cf22..f573d48 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -83,13 +83,15 @@ function process_csp_header(header, rule, block)
{
const csp = parse_csp(header.value);
- /* No snitching */
- delete csp['report-to'];
- delete csp['report-uri'];
if (block) {
+ /* No snitching */
+ delete csp['report-to'];
+ delete csp['report-uri'];
+
delete csp['script-src'];
delete csp['script-src-elem'];
+
csp['script-src-attr'] = ["'none'"];
csp['prefetch-src'] = ["'none'"];
}
@@ -127,45 +129,41 @@ function headers_inject(details)
for (const header of details.responseHeaders) {
if (!csp_header_names.has(header)) {
- /* Retain all non-snitching headers */
- if (header.name.toLowerCase() !== report_only) {
- headers.push(header);
-
- /* If these are the original CSP headers, use them instead */
- /* Test based on url_extract_target() in misc.js */
- if (is_mozilla && header.name === "x-orig-csp") {
- let index = header.value.indexOf('%5B');
- if (index === -1)
- continue;
-
- let sig = header.value.substring(0, index);
- let data = header.value.substring(index);
- if (sig !== sign_policy(data, 0))
- continue;
-
- /* Confirmed- it's the originals, smuggled in! */
- try {
- data = JSON.parse(decodeURIComponent(data));
- } catch (e) {
- /* This should not be reached -
- it's our self-produced valid JSON. */
- console.log("Unexpected internal error - invalid JSON smuggled!", e);
- }
-
- orig_csp_headers = csp_headers = null;
- for (const header of data)
- headers.push(process_csp_header(header, rule, block));
+ /* Remove headers that only snitch on us */
+ if (header.name.toLowerCase() === report_only && block)
+ continue;
+ headers.push(header);
+
+ /* If these are the original CSP headers, use them instead */
+ /* Test based on url_extract_target() in misc.js */
+ if (is_mozilla && header.name === "x-orig-csp") {
+ let index = header.value.indexOf('%5B');
+ if (index === -1)
+ continue;
+
+ let sig = header.value.substring(0, index);
+ let data = header.value.substring(index);
+ if (sig !== sign_policy(data, 0))
+ continue;
+
+ /* Confirmed- it's the originals, smuggled in! */
+ try {
+ data = JSON.parse(decodeURIComponent(data));
+ } catch (e) {
+ /* This should not be reached -
+ it's our self-produced valid JSON. */
+ console.log("Unexpected internal error - invalid JSON smuggled!", e);
}
- }
- continue;
+ orig_csp_headers = csp_headers = null;
+ for (const header of data)
+ headers.push(process_csp_header(header, rule, block));
+ }
+ } else if (is_chrome || !orig_csp_headers) {
+ csp_headers.push(process_csp_header(header, rule, block));
+ if (is_mozilla)
+ orig_csp_headers.push(header);
}
- if (is_mozilla && !orig_csp_headers)
- continue;
-
- csp_headers.push(process_csp_header(header, rule, block));
- if (is_mozilla)
- orig_csp_headers.push(header);
}
if (orig_csp_headers) {