aboutsummaryrefslogtreecommitdiff
path: root/background
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-06-30 16:39:53 +0200
committerWojtek Kosior <koszko@koszko.org>2021-06-30 16:39:53 +0200
commit12fd4fc3a01eb9718a60c8d04860c4e797049b26 (patch)
tree1ecbe7483fe79eae04fcdba627193b48b81a5e60 /background
parentc49e3750ffaa7ab9ba5fea9e1f5af1df91e1f829 (diff)
downloadbrowser-extension-12fd4fc3a01eb9718a60c8d04860c4e797049b26.tar.gz
browser-extension-12fd4fc3a01eb9718a60c8d04860c4e797049b26.zip
fix whitelisting under Firefox
Diffstat (limited to 'background')
-rw-r--r--background/policy_injector.js45
1 files changed, 32 insertions, 13 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 4f70aac..eb67963 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -21,33 +21,52 @@
var storage;
var query_best;
-let csp_header_names = {
+const csp_header_names = {
"content-security-policy" : true,
"x-webkit-csp" : true,
"x-content-security-policy" : true
};
-function is_noncsp_header(header)
+const header_name = "content-security-policy";
+
+function is_csp_header(header)
+{
+ return !!csp_header_names[header.name.toLowerCase()];
+}
+
+function is_our_header(header, rule)
{
- return !csp_header_names[header.name.toLowerCase()];
+ return header.value === rule
}
function inject(details)
{
- let url = url_item(details.url);
+ const url = url_item(details.url);
+
+ const [pattern, settings] = query_best(url);
+
+ const nonce = gen_unique(url);
+ const rule = csp_rule(nonce);
- let [pattern, settings] = query_best(url);
+ var headers;
- if (settings !== undefined && settings.allow)
- return {cancel : false};
+ if (settings !== undefined && settings.allow) {
+ /*
+ * Chrome doesn't have the buggy behavior of repeatedly injecting a
+ * header we injected once. Firefox does and we have to remove it there.
+ */
+ if (is_chrome)
+ return {cancel: false};
- let nonce = gen_unique(url);
- let headers = details.responseHeaders.filter(is_noncsp_header);
+ headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
+ } else {
+ headers = details.responseHeaders.filter(h => !is_csp_header(h));
- headers.push({
- name : "content-security-policy",
- value : csp_rule(nonce)
- });
+ headers.push({
+ name : header_name,
+ value : rule
+ });
+ }
return {responseHeaders: headers};
}