authorWojtek Kosior <koszko@koszko.org>2021-09-09 17:47:51 +0200
committerWojtek Kosior <koszko@koszko.org>2021-09-09 18:50:58 +0200
commit44e89d8ec71b441a431c848567f34b9a36f6b982 (patch)
tree62881ff7fc0084bdb8a7c29c10e270a9a3b1245d /background
parente2d26bad35bbe3876862b482f7963d713238313b (diff)
downloadbrowser-extension-44e89d8ec71b441a431c848567f34b9a36f6b982.tar.gz
browser-extension-44e89d8ec71b441a431c848567f34b9a36f6b982.zip
simplify CSP handling
All of the page's CSP rules are now removed when a payload is to be injected. When there is no payload, the page's CSP rules are not modified but only supplemented with Hachette's own.
Diffstat (limited to 'background')
-rw-r--r--background/policy_injector.js30
-rw-r--r--background/stream_filter.js5
2 files changed, 18 insertions, 17 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 72318d4..e5af055 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -10,9 +10,8 @@
* IMPORTS_START
* IMPORT sign_data
* IMPORT extract_signed
- * IMPORT sanitize_csp_header
- * IMPORT csp_rule
- * IMPORT is_csp_header_name
+ * IMPORT make_csp_rule
+ * IMPORT csp_header_regex
* IMPORTS_END
*/
@@ -43,22 +42,25 @@ function inject_csp_headers(headers, policy)
break;
}
+ if (policy.has_payload) {
+ csp_headers = [];
+ const non_csp_headers = [];
+ const header_list =
+ h => csp_header_regex.test(h) ? csp_headers : non_csp_headers;
+ headers.forEach(h => header_list(h.name).push(h));
+ headers = non_csp_headers;
+ } else {
+ headers.push(...csp_headers || []);
+ }
+
if (!hachette_header) {
hachette_header = {name: "x-hachette"};
headers.push(hachette_header);
}
- csp_headers = csp_headers ||
- headers.filter(h => is_csp_header_name(h.name));
-
- /* When blocking remove report-only CSP headers that snitch on us. */
- headers = headers.filter(h => !is_csp_header_name(h.name, !policy.allow));
-
if (old_signature)
headers = headers.filter(h => h.value.search(old_signature) === -1);
- headers.push(...csp_headers.map(h => sanitize_csp_header(h, policy)));
-
const policy_str = encodeURIComponent(JSON.stringify(policy));
const signed_policy = sign_data(policy_str, new Date().getTime());
const later_30sec = new Date(new Date().getTime() + 30000).toGMTString();
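Review bot: The `has_payload` branch drops every header matching `csp_header_regex` from the response, while a replacement rule is pushed later only under `if (!policy.allow)`, so a page that is allowed and receives a payload is served with no CSP at all; that deliberate removal of the page's own protection deserves a comment at the top of the branch, e.g. `/* A payload requires the page's CSP to go; a replacement rule is added below only when blocking. */`. The headers collected into `csp_headers` are not read again within this hunk, and if the lines between this hunk and the next do not use them either, the bucketing can collapse to `headers = headers.filter(h => !csp_header_regex.test(h.name));`. `csp_header_regex` is defined outside this diff; should it carry the `g` or `y` flag, `.test()` advances `lastIndex` between calls and the classification of one header would depend on the previous one. inject_csp_headers begins before this hunk.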
@@ -76,12 +78,12 @@ function inject_csp_headers(headers, policy)
hachette_data = encodeURIComponent(JSON.stringify(hachette_data));
hachette_header.value = sign_data(hachette_data, 0).join("_");
- /* To ensure there is a CSP header if required */
- if (!policy.allow)
+ if (!policy.allow) {
headers.push({
name: "content-security-policy",
- value: csp_rule(policy.nonce)
+ value: make_csp_rule(policy)
});
+ }
return headers;
}
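Review bot: The comment explaining why a CSP header is appended only when blocking was removed together with the old condition and nothing replaces it; a one-liner above the guard such as `/* Blocking is enforced by this rule; when allowing, no CSP header is added here. */` keeps the intent visible. `make_csp_rule(policy)` now receives the whole policy instead of only the nonce, and since its definition is not in this diff, it would help to state here which policy fields it consumes. inject_csp_headers begins before this hunk.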
diff --git a/background/stream_filter.js b/background/stream_filter.js
index 96b6132..3e30a4b 100644
--- a/background/stream_filter.js
+++ b/background/stream_filter.js
@@ -12,7 +12,7 @@
/*
* IMPORTS_START
* IMPORT browser
- * IMPORT is_csp_header_name
+ * IMPORT csp_header_regex
* IMPORTS_END
*/
@@ -116,8 +116,7 @@ function may_define_csp_rules(html)
const doc = new DOMParser().parseFromString(html, "text/html");
for (const meta of doc.querySelectorAll("head>meta[http-equiv]")) {
- if (is_csp_header_name(meta.getAttribute("http-equiv"), true) &&
- meta.content)
+ if (csp_header_regex.test(meta.httpEquiv) && meta.content)
return true;
}