authorWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-05-12 17:25:57 +0200
committerWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-05-12 17:25:57 +0200
commit55fb3e4bd833f042a82657cc75e7e4c657402f9e (patch)
treec5198bfc075d680629850c7e47f45027581d8707
parent9c246cfa2e30c2f7887472084b4ace4ab99b9819 (diff)
use unique hashes when smuggling whitelist setting
-rw-r--r--TODOS.org3
-rw-r--r--background/background.html5
-rw-r--r--background/policy_smuggler.js11
-rw-r--r--common/gen_unique.js32
-rw-r--r--common/sha256.js (renamed from background/sha256.js)0
-rw-r--r--common/url_item.js (renamed from background/url_item.js)0
-rw-r--r--content/main.js8
-rw-r--r--manifest.json15
8 files changed, 66 insertions, 8 deletions
diff --git a/TODOS.org b/TODOS.org
index 8c8bcaf..48e3717 100644
--- a/TODOS.org
+++ b/TODOS.org
@@ -17,7 +17,7 @@ TODO:
settings and settings for pages that currently happen to
live in iframes
- add some nice styling to settings page
-- use non-predictable value in place of "myext-allow", utilizing hashes -- CRUCIAL
+- find some way not to require each chrome user to modify manifest.json
- rename the extension to something good
- port to gecko-based browsers -- CRUCIAL
- rename "bundles" to "bags" to avoid confusion with Web Bundles
@@ -40,6 +40,7 @@ TODO:
to manage imports/exports
DONE:
+- use non-predictable value in place of "myext-allow", utilizing hashes -- DONE 2021-05-12
- stop using modules (not available on all browsers) -- DONE 2021-05-12
- clean up the remnants of LibreJS -- DONE 2021-05-12
- implement whitelisting -- DONE 2021-05-07
diff --git a/background/background.html b/background/background.html
index d453c47..c6621e2 100644
--- a/background/background.html
+++ b/background/background.html
@@ -10,9 +10,10 @@
<script src="./message_server.js"></script>
<script src="/common/connection_types.js"></script>
<script src="./storage_server.js"></script>
- <script src="./url_item.js"></script>
- <script src="./sha256.js"></script>
+ <script src="/common/url_item.js"></script>
+ <script src="/common/sha256.js"></script>
<script src="./page_actions_server.js"></script>
+ <script src="/common/gen_unique.js"></script>
<script src="./policy_smuggler.js"></script>
<script src="./main.js"></script>
</head>
diff --git a/background/policy_smuggler.js b/background/policy_smuggler.js
index 6d0da38..180dcb7 100644
--- a/background/policy_smuggler.js
+++ b/background/policy_smuggler.js
@@ -15,6 +15,7 @@
const get_storage = window.get_storage;
const browser = window.browser;
const url_item = window.url_item;
+ const gen_unique = window.gen_unique;
var storage;
@@ -26,12 +27,14 @@
let first_target = match[3];
let second_target = match[4];
- if (first_target === "#myext-allow") {
+ let url = url_item(request.url);
+ let unique = gen_unique(url);
+
+ if (first_target === unique) {
console.log(["not redirecting"]);
return {cancel : false};
}
- let url = url_item(request.url);
let settings = storage.get(TYPE_PREFIX.PAGE, url);
console.log("got", storage.get(TYPE_PREFIX.PAGE, url), "for", url);
if (settings === undefined || !settings.allow)
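Review bot: The early return at `if (first_target === unique)` lets the request through before `storage.get(TYPE_PREFIX.PAGE, url)` is consulted, and `unique` is a fixed function of the install id and the URL, so the token for a page never changes. If a page can ever observe its own token (whether the fragment is stripped before page scripts run is outside this hunk), removing the allow setting later would not invalidate it. The same fragment-only check is in content/main.js at `first_target === unique`. Consider mixing a value that changes when the setting changes into the hash, or checking `settings.allow` before honouring the token. The enclosing handler starts and ends outside the hunk.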
@@ -40,10 +43,10 @@
second_target = (first_target || "") + (second_target || "")
console.log(["redirecting", request.url,
- (base_url + "#myext-allow" + second_target)]);
+ (base_url + unique + second_target)]);
return {
- redirectUrl : (base_url + "#myext-allow" + second_target)
+ redirectUrl : (base_url + unique + second_target)
};
}
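Review bot: The redirect target `base_url + unique + second_target` is built twice, once for `console.log` and once for `redirectUrl`, so the two can drift apart on a later edit. Computing it once, e.g. `const target = base_url + unique + second_target;`, and using `target` in both places would avoid that. The log line also writes the per-site token to the background console; dropping it from the message would keep the token out of copied logs. The enclosing function begins outside the hunk.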
diff --git a/common/gen_unique.js b/common/gen_unique.js
new file mode 100644
index 0000000..920426b
--- /dev/null
+++ b/common/gen_unique.js
@@ -0,0 +1,32 @@
+/**
+* Myext generating unique, per-site hash
+*
+* Copyright (C) 2021 Wojtek Kosior
+*
+* Dual-licensed under:
+* - 0BSD license
+* - GPLv3 or (at your option) any later version
+*/
+
+"use strict";
+
+(() => {
+ const sha256 = window.sha256;
+ const browser = window.browser;
+ const is_chrome = window.is_chrome;
+
+ function get_id()
+ {
+ if (is_chrome)
+ return browser.runtime.getManifest().key.substring(0, 50);
+ else
+ return browser.runtime.getURL("dummy");
+ }
+
+ function gen_unique(url)
+ {
+ return "#" + sha256(get_id() + url);
+ }
+
+ window.gen_unique = gen_unique;
+})();
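Review bot: On Chrome, `get_id()` keeps only `key.substring(0, 50)`, and for a key made with the `ssh-keygen` command recommended in manifest.json those characters appear to be the fixed container header rather than key material. The committed sample begins `b3BlbnNzaC1rZXktdjEAAAAABG5vbmU…`, which decodes to `openssh-key-v1`, `none`, `none`, so replacing the key would leave the first 50 characters unchanged. Every Chrome install would then derive the same `gen_unique(url)`, making the token as predictable as the old `#myext-allow`. Hashing the whole value, `return browser.runtime.getManifest().key;`, would let the user-specific part contribute. A manifest without `key` currently throws a TypeError here; an explicit check that fails closed would be clearer.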
diff --git a/background/sha256.js b/common/sha256.js
index 271ec87..271ec87 100644
--- a/background/sha256.js
+++ b/common/sha256.js
diff --git a/background/url_item.js b/common/url_item.js
index 7850871..7850871 100644
--- a/background/url_item.js
+++ b/common/url_item.js
diff --git a/content/main.js b/content/main.js
index 282c7b5..c7f57bb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -12,6 +12,8 @@
(() => {
const handle_page_actions = window.handle_page_actions;
+ const url_item = window.url_item;
+ const gen_unique = window.gen_unique;
var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
var match = url_re.exec(document.URL);
@@ -19,9 +21,13 @@
var first_target = match[3];
var second_target = match[4];
+ // TODO: can be refactored *a little bit* with policy_smuggler.js
+ let url = url_item(document.URL);
+ let unique = gen_unique(url);
+
var block = true;
if (first_target !== undefined &&
- first_target === "#myext-allow") {
+ first_target === unique) {
block = false;
console.log(["allowing", document.URL]);
if (second_target !== undefined)
diff --git a/manifest.json b/manifest.json
index 85dde71..efdcba0 100644
--- a/manifest.json
+++ b/manifest.json
@@ -3,6 +3,18 @@
"name": "My extension",
"short_name": "Myext",
"version": "0.0.0",
+ /*
+ WARNING!!!
+ EACH USER SHOULD REPLACE "key" WITH UNIQUE VALUE!!!
+ OTHERWISE SECURITY CAN BE TRIVIALLY COMPROMISED!
+
+ A unique key can be generated with:
+ $ ssh-keygen -f /path/to/new/key.pem -t rsa -b 1024
+
+ Only relevant to users of chrome-based browsers.
+ Users of FireFox forks are safe.
+ */
+ "key": "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcnNhAAAAAwEAAQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAII4Dh7HOA4exwAAAAHc3NoLXJzYQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAADAQABAAAAgEHB5/MhEKMFOs8e1cMJ97ZiWubiUPlWpcqyQmauLUj1nspg3JTBh8AWJEVkaxuFgU5gYCHQmRjC6yUdywyziOEkFA4r/WpX4WmbIe+GQHRHhitLN0dgF8N6/fVNOoa5StTdfZqyl23pVXyepoDNjrJFKyupqPMmpwfH5lGr9RwBAAAAQG76HflB/5j8P2YgIYX6dQT4Ei0SqiIjNVy7jFJUQDKSJg/PYkedE02JZJBJPcMYxEJUxXtMgq+upamNILfkmY0AAABBAP4v0O5dqjy16xDDFzb4DPNAcw5Za9KJaXKVkUuKXMNZOKTR0RC/upjNTmttY980RKdIx5zA25dO8cx563bSDIsAAABBAP0MaOpBiai/eRmLqhlthHODa+Mur6W3uc9PyhWhgDBjLNMR/doaYeyfVKxtIiN3a+HkN++G+vbokRweQv++bhMAAAANdXJ6QGxvY2FsaG9zdAECAwQFBg==",
"author": "various",
"description": "Kill the web&js",
"applications": {
@@ -52,6 +64,9 @@
"common/browser.js",
"common/connection_types.js",
"content/page_actions.js",
+ "common/url_item.js",
+ "common/sha256.js",
+ "common/gen_unique.js",
"content/main.js"
]
}