authorjahoti <jahoti@tilde.team>2021-07-12 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-07-12 00:00:00 +0000
commitdcfc78b0d175bee7b3b7e273282078d50bd4ca09 (patch)
treec5cc3a032ec1cdcc548bfdc8f0209c43bd14114d /background
parent0e002513d443ef7cddcc17acf178478844f609e9 (diff)
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
Diffstat (limited to 'background')
-rw-r--r--background/nonce_store.js30
-rw-r--r--background/page_actions_server.js2
-rw-r--r--background/policy_injector.js4
3 files changed, 34 insertions, 2 deletions
diff --git a/background/nonce_store.js b/background/nonce_store.js
new file mode 100644
index 0000000..9370876
--- /dev/null
+++ b/background/nonce_store.js
@@ -0,0 +1,30 @@
+/**
+ * Central management of HTTP(S) nonces
+ *
+ * Copyright (C) 2021 jahoti
+ * Redistribution terms are gathered in the `copyright' file.
+ */
+
+/*
+ * IMPORTS_START
+ * IMPORT gen_nonce
+ * IMPORTS_END
+ */
+
+var nonces = {};
+
+function retrieve_nonce(tabId, frameId, update)
+{
+ let code = tabId + '.' + frameId;
+ console.log('Nonce for ' + code + ' ' + (update ? 'created/updated' : 'requested'));
+ if (update)
+ nonces[code] = gen_nonce();
+
+ return nonces[code];
+}
+
+/*
+ * EXPORTS_START
+ * EXPORT retrieve_nonce
+ * EXPORTS_END
+ */
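Review bot: Entries in `nonces` are never removed, so the table grows for the lifetime of the background page, and a call to `retrieve_nonce` without `update` returns whatever was last stored for that `tabId.frameId` pair (or `undefined` if nothing was). The caller cannot tell a current nonce from one left behind by an earlier page load in the same tab and frame. Consider dropping the entry when the tab or frame goes away, and documenting the contract above the function, e.g. `/* Returns undefined when no nonce has been generated for this tab/frame. */`. The `console.log` call also runs on every request and connection and records tab/frame activity; it could be removed or gated behind a debug flag.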
diff --git a/background/page_actions_server.js b/background/page_actions_server.js
index 2d9c333..d92b870 100644
--- a/background/page_actions_server.js
+++ b/background/page_actions_server.js
@@ -11,6 +11,7 @@
* IMPORT TYPE_PREFIX
* IMPORT CONNECTION_TYPE
* IMPORT browser
+ * IMPORT retrieve_nonce
* IMPORT listen_for_connection
* IMPORT sha256
* IMPORT get_query_best
@@ -137,6 +138,7 @@ function handle_message(port, message, handler)
function new_connection(port)
{
console.log("new page actions connection!");
+ port.postMessage(['nonce', retrieve_nonce((port.sender.tab || '').id, port.sender.frameId)]);
let handler = [];
handler.push(m => handle_message(port, m, handler));
port.onMessage.addListener(handler[0]);
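Review bot: `(port.sender.tab || '').id` evaluates to `undefined` when the connecting sender has no tab, so the lookup key becomes `undefined.<frameId>` and the message is posted whether or not a nonce exists for that frame. Because `retrieve_nonce` is called here without `update`, a frame whose document did not pass through the header injector would receive either `undefined` or the value generated for an earlier load in the same tab and frame; how the receiving side treats that is not visible in this hunk. I would resolve the tab explicitly and only look up when it is present, e.g. `const tab = port.sender.tab;` followed by `const nonce = tab ? retrieve_nonce(tab.id, port.sender.frameId) : undefined;`, and add a comment saying what the page side should do when no nonce is available. `new_connection` continues past the end of the hunk.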
diff --git a/background/policy_injector.js b/background/policy_injector.js
index eb67963..9f79425 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -11,7 +11,7 @@
* IMPORT get_storage
* IMPORT browser
* IMPORT is_chrome
- * IMPORT gen_unique
+ * IMPORT retrieve_nonce
* IMPORT url_item
* IMPORT get_query_best
* IMPORT csp_rule
@@ -45,7 +45,7 @@ function inject(details)
const [pattern, settings] = query_best(url);
- const nonce = gen_unique(url);
+ const nonce = retrieve_nonce(details.tabId, details.frameId, true);
const rule = csp_rule(nonce);
var headers;
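Review bot: Each call to `inject` now overwrites the stored nonce for `details.tabId`/`details.frameId`, so if the header listener fires more than once for the same frame, the value the background later hands out may not be the one in the CSP header of the document actually rendered. That could happen on redirects, or for non-document resource types, depending on how the listener is registered, which this hunk does not show. A comment stating the assumption would help, e.g. `// one nonce per document load; inject must only run for main_frame/sub_frame responses`. Since this value goes straight into `csp_rule`, it is also worth confirming that `gen_nonce` (defined elsewhere) draws from `crypto.getRandomValues` rather than `Math.random`. `inject` starts before and continues after this hunk.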