summaryrefslogtreecommitdiff
path: root/background
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-08-20 12:57:48 +0200
committerWojtek Kosior <koszko@koszko.org>2021-08-20 12:57:48 +0200
commitd09b7ee10541b5a81430d2e11abb3a9a09643ade (patch)
tree71e6f51ca3842e0a5bfd9900db15dbbd873b2ba0 /background
parent3d0efa153c95f3bf4912379f910bc59d0fd563c9 (diff)
downloadbrowser-extension-d09b7ee10541b5a81430d2e11abb3a9a09643ade.tar.gz
browser-extension-d09b7ee10541b5a81430d2e11abb3a9a09643ade.zip
sanitize `<meta>' tags containing CSP rules under Chromium
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.
Diffstat (limited to 'background')
-rw-r--r--background/policy_injector.js23
1 files changed, 7 insertions, 16 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 702f879..3398b53 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -18,19 +18,12 @@
* IMPORT query_best
* IMPORT sanitize_csp_header
* IMPORT csp_rule
+ * IMPORT is_csp_header_name
* IMPORTS_END
*/
var storage;
-const csp_header_names = new Set([
- "content-security-policy",
- "x-webkit-csp",
- "x-content-security-policy"
-]);
-
-const report_only = "content-security-policy-report-only";
-
function headers_inject(details)
{
const url = details.url;
@@ -40,7 +33,6 @@ function headers_inject(details)
const [pattern, settings] = query_best(storage, url);
const allow = !!(settings && settings.allow);
const nonce = gen_nonce();
- const rule = `'nonce-${nonce}'`;
let orig_csp_headers;
let old_signature;
@@ -70,20 +62,19 @@ function headers_inject(details)
}
orig_csp_headers = orig_csp_headers ||
- headers.filter(h => csp_header_names.has(h.name.toLowerCase()));
- headers = headers.filter(h => !csp_header_names.has(h.name.toLowerCase()));
+ headers.filter(h => is_csp_header_name(h.name));
- /* Remove headers that only snitch on us */
- if (!allow)
- headers = headers.filter(h => h.name.toLowerCase() !== report_only);
+ /* When blocking remove report-only CSP headers that snitch on us. */
+ headers = headers.filter(h => !is_csp_header_name(h.name, !allow));
if (old_signature)
headers = headers.filter(h => h.name.search(old_signature) === -1);
- const sanitizer = h => sanitize_csp_header(h, rule, allow);
+ const policy_object = {allow, nonce, url};
+ const sanitizer = h => sanitize_csp_header(h, policy_object);
headers.push(...orig_csp_headers.map(sanitizer));
- const policy = encodeURIComponent(JSON.stringify({allow, nonce, url}));
+ const policy = encodeURIComponent(JSON.stringify(policy_object));
const policy_signature = sign_data(policy, new Date());
const later_30sec = new Date(new Date().getTime() + 30000).toGMTString();
headers.push({