summaryrefslogtreecommitdiff
path: root/background
diff options
context:
space:
mode:
authorWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-06-18 11:45:01 +0200
committerWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-06-18 11:45:01 +0200
commit7ee7889ae8f1473474254553ec3b3469fb0a935b (patch)
tree153fe596bc65600e21d856f97231f8195f79b9ec /background
parent6bae771df7b238f8ef4e992660e911fb5808299c (diff)
downloadbrowser-extension-7ee7889ae8f1473474254553ec3b3469fb0a935b.tar.gz
browser-extension-7ee7889ae8f1473474254553ec3b3469fb0a935b.zip
when possible inject CSP as http(s) header using webRequest instead of adding a <meta> tag
Diffstat (limited to 'background')
-rw-r--r--background/background.html2
-rw-r--r--background/main.js4
-rw-r--r--background/policy_injector.js93
3 files changed, 96 insertions, 3 deletions
diff --git a/background/background.html b/background/background.html
index b3e8010..53a74e9 100644
--- a/background/background.html
+++ b/background/background.html
@@ -37,7 +37,7 @@
<script src="./settings_query.js"></script>
<script src="./page_actions_server.js"></script>
<script src="/common/gen_unique.js"></script>
- <script src="./policy_smuggler.js"></script>
+ <script src="./policy_injector.js"></script>
<script src="./main.js"></script>
</head>
</html>
diff --git a/background/main.js b/background/main.js
index 4af7aa0..2f35321 100644
--- a/background/main.js
+++ b/background/main.js
@@ -30,12 +30,12 @@
const get_storage = window.get_storage;
const start_storage_server = window.start_storage_server;
const start_page_actions_server = window.start_page_actions_server;
- const start_policy_smuggler = window.start_policy_smuggler;
+ const start_policy_injector = window.start_policy_injector;
const browser = window.browser;
start_storage_server();
start_page_actions_server();
- start_policy_smuggler();
+ start_policy_injector();
async function init_myext(install_details)
{
diff --git a/background/policy_injector.js b/background/policy_injector.js
new file mode 100644
index 0000000..e2d6358
--- /dev/null
+++ b/background/policy_injector.js
@@ -0,0 +1,93 @@
+/**
+ * Myext injecting policy to page using webRequest
+ *
+ * Copyright (C) 2021 Wojtek Kosior
+ *
+ * This code is dual-licensed under:
+ * - Asshole license 1.0,
+ * - GPLv3 or (at your option) any later version
+ *
+ * "dual-licensed" means you can choose the license you prefer.
+ *
+ * This code is released under a permissive license because I disapprove of
+ * copyright and wouldn't be willing to sue a violator. Despite not putting
+ * this code under copyleft (which is also kind of copyright), I do not want
+ * it to be made proprietary. Hence, the permissive alternative to GPL is the
+ * Asshole license 1.0 that allows me to call you an asshole if you use it.
+ * This means you're legally ok regardless of how you utilize this code but if
+ * you make it into something nonfree, you're an asshole.
+ *
+ * You should have received a copy of both GPLv3 and Asshole license 1.0
+ * together with this code. If not, please see:
+ * - https://www.gnu.org/licenses/gpl-3.0.en.html
+ * - https://koszko.org/asshole-license.txt
+ */
+
+"use strict";
+
+(() => {
+ const TYPE_PREFIX = window.TYPE_PREFIX;
+ const get_storage = window.get_storage;
+ const browser = window.browser;
+ const is_chrome = window.is_chrome;
+ const gen_unique = window.gen_unique;
+ const url_item = window.url_item;
+ const get_query_best = window.get_query_best;
+
+ var storage;
+ var query_best;
+
+ let csp_header_names = {
+ "content-security-policy" : true,
+ "x-webkit-csp" : true,
+ "x-content-security-policy" : true
+ };
+
+ function is_noncsp_header(header)
+ {
+ return !csp_header_names[header.name.toLowerCase()];
+ }
+
+ function inject(details)
+ {
+ let url = url_item(details.url);
+
+ let [pattern, settings] = query_best(url);
+
+ if (settings !== undefined && settings.allow) {
+ console.log("allowing", url);
+ return {cancel : false};
+ }
+
+ let nonce = gen_unique(url).substring(1);
+ let headers = details.responseHeaders.filter(is_noncsp_header);
+ headers.push({
+ name : "content-security-policy",
+ value : `script-src 'nonce-${nonce}'; script-src-elem 'nonce-${nonce}';`
+ });
+
+ console.log("modified headers", url, headers);
+
+ return {responseHeaders: headers};
+ }
+
+ async function start() {
+ storage = await get_storage();
+ query_best = await get_query_best();
+
+ let extra_opts = ["blocking", "responseHeaders"];
+ if (is_chrome)
+ extra_opts.push("extraHeaders");
+
+ browser.webRequest.onHeadersReceived.addListener(
+ inject,
+ {
+ urls: ["<all_urls>"],
+ types: ["main_frame", "sub_frame"]
+ },
+ extra_opts
+ );
+ }
+
+ window.start_policy_injector = start;
+})();