author | Wojtek Kosior <wk@koszkonutek-tmp.pl.eu.org> | 2021-06-18 11:45:01 +0200 |
---|---|---|
committer | Wojtek Kosior <wk@koszkonutek-tmp.pl.eu.org> | 2021-06-18 11:45:01 +0200 |
commit | 7ee7889ae8f1473474254553ec3b3469fb0a935b (patch) | |
tree | 153fe596bc65600e21d856f97231f8195f79b9ec /background | |
parent | 6bae771df7b238f8ef4e992660e911fb5808299c (diff) | |
download | browser-extension-7ee7889ae8f1473474254553ec3b3469fb0a935b.tar.gz browser-extension-7ee7889ae8f1473474254553ec3b3469fb0a935b.zip |
when possible inject CSP as http(s) header using webRequest instead of adding a <meta> tag
Diffstat (limited to 'background')
-rw-r--r-- | background/background.html | 2 | ||||
-rw-r--r-- | background/main.js | 4 | ||||
-rw-r--r-- | background/policy_injector.js | 93 |
3 files changed, 96 insertions, 3 deletions
diff --git a/background/background.html b/background/background.html
index b3e8010..53a74e9 100644
--- a/background/background.html
+++ b/background/background.html
@@ -37,7 +37,7 @@
 <script src="./settings_query.js"></script>
 <script src="./page_actions_server.js"></script>
 <script src="/common/gen_unique.js"></script>
- <script src="./policy_smuggler.js"></script>
+ <script src="./policy_injector.js"></script>
 <script src="./main.js"></script>
 </head>
 </html>
diff --git a/background/main.js b/background/main.js
index 4af7aa0..2f35321 100644
--- a/background/main.js
+++ b/background/main.js
@@ -30,12 +30,12 @@
 const get_storage = window.get_storage;
 const start_storage_server = window.start_storage_server;
 const start_page_actions_server = window.start_page_actions_server;
- const start_policy_smuggler = window.start_policy_smuggler;
+ const start_policy_injector = window.start_policy_injector;
 const browser = window.browser;
 
 start_storage_server();
 start_page_actions_server();
- start_policy_smuggler();
+ start_policy_injector();
 
 async function init_myext(install_details) {
diff --git a/background/policy_injector.js b/background/policy_injector.js
new file mode 100644
index 0000000..e2d6358
--- /dev/null
+++ b/background/policy_injector.js
@@ -0,0 +1,93 @@
+/**
+ * Myext injecting policy to page using webRequest
+ *
+ * Copyright (C) 2021 Wojtek Kosior
+ *
+ * This code is dual-licensed under:
+ * - Asshole license 1.0,
+ * - GPLv3 or (at your option) any later version
+ *
+ * "dual-licensed" means you can choose the license you prefer.
+ *
+ * This code is released under a permissive license because I disapprove of
+ * copyright and wouldn't be willing to sue a violator. Despite not putting
+ * this code under copyleft (which is also kind of copyright), I do not want
+ * it to be made proprietary. Hence, the permissive alternative to GPL is the
+ * Asshole license 1.0 that allows me to call you an asshole if you use it.
+ * This means you're legally ok regardless of how you utilize this code but if
+ * you make it into something nonfree, you're an asshole.
+ *
+ * You should have received a copy of both GPLv3 and Asshole license 1.0
+ * together with this code. If not, please see:
+ * - https://www.gnu.org/licenses/gpl-3.0.en.html
+ * - https://koszko.org/asshole-license.txt
+ */
+
+"use strict";
+
+(() => {
+ const TYPE_PREFIX = window.TYPE_PREFIX;
+ const get_storage = window.get_storage;
+ const browser = window.browser;
+ const is_chrome = window.is_chrome;
+ const gen_unique = window.gen_unique;
+ const url_item = window.url_item;
+ const get_query_best = window.get_query_best;
+
+ var storage;
+ var query_best;
+
+ let csp_header_names = {
+ "content-security-policy" : true,
+ "x-webkit-csp" : true,
+ "x-content-security-policy" : true
+ };
+
+ function is_noncsp_header(header)
+ {
+ return !csp_header_names[header.name.toLowerCase()];
+ }
+
+ function inject(details)
+ {
+ let url = url_item(details.url);
+
+ let [pattern, settings] = query_best(url);
+
+ if (settings !== undefined && settings.allow) {
+ console.log("allowing", url);
+ return {cancel : false};
+ }
+
+ let nonce = gen_unique(url).substring(1);
+ let headers = details.responseHeaders.filter(is_noncsp_header);
+ headers.push({
+ name : "content-security-policy",
+ value : `script-src 'nonce-${nonce}'; script-src-elem 'nonce-${nonce}';`
+ });
+
+ console.log("modified headers", url, headers);
+
+ return {responseHeaders: headers};
+ }
+
+ async function start() {
+ storage = await get_storage();
+ query_best = await get_query_best();
+
+ let extra_opts = ["blocking", "responseHeaders"];
+ if (is_chrome)
+ extra_opts.push("extraHeaders");
+
+ browser.webRequest.onHeadersReceived.addListener(
+ inject,
+ {
+ urls: ["<all_urls>"],
+ types: ["main_frame", "sub_frame"]
+ },
+ extra_opts
+ );
+ }
+
+ window.start_policy_injector = start;
+})();
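Review bot: The `filter(is_noncsp_header)` in `inject` discards every CSP header the site sent, so the page is left with only the extension's `script-src`/`script-src-elem` policy and loses whatever else the site's own policy enforced (for example `frame-ancestors` or `object-src`). Since a response may carry several `Content-Security-Policy` headers and each one is enforced, pushing the nonce policy onto `details.responseHeaders` unfiltered would keep the site's restrictions; if replacing is deliberate so that the site's policy cannot block the nonce'd scripts, that trade-off deserves a comment at the filter, e.g. `// site CSP is replaced, not merged: its other directives no longer apply to the page`. `console.log("modified headers", url, headers)` prints every response header, including any `Set-Cookie`, to the extension console on each top-level and sub-frame load, so logging only header names (or nothing outside debugging) is preferable. `csp_header_names[header.name.toLowerCase()]` is a plain-object lookup, so a header named e.g. `constructor` resolves through `Object.prototype` and is silently dropped; `new Set([...])` with `.has()` avoids inherited keys. Whether `gen_unique(url)` yields a value that page content cannot predict is not visible here; if it is derived from the URL alone, the nonce would not provide the protection a CSP nonce is meant to give, which is worth confirming.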