diff options
| author | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
|---|---|---|
| committer | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
| commit | dcfc78b0d175bee7b3b7e273282078d50bd4ca09 (patch) | |
| tree | c5cc3a032ec1cdcc548bfdc8f0209c43bd14114d /background | |
| parent | 0e002513d443ef7cddcc17acf178478844f609e9 (diff) | |
| download | browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.tar.gz browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.zip | |
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores them by tab and frame IDs. In order to
support the increased variance in nonce-generating methods and allow them to
be loaded from the background, handle_page_actions is now invoked separately
according to (non-)blocking mechanism.
Diffstat (limited to 'background')
| -rw-r--r-- | background/nonce_store.js | 30 | ||||
| -rw-r--r-- | background/page_actions_server.js | 2 | ||||
| -rw-r--r-- | background/policy_injector.js | 4 |
3 files changed, 34 insertions, 2 deletions
diff --git a/background/nonce_store.js b/background/nonce_store.js new file mode 100644 index 0000000..9370876 --- /dev/null +++ b/background/nonce_store.js @@ -0,0 +1,30 @@ +/** + * Central management of HTTP(S) nonces + * + * Copyright (C) 2021 jahoti + * Redistribution terms are gathered in the `copyright' file. + */ + +/* + * IMPORTS_START + * IMPORT gen_nonce + * IMPORTS_END + */ + +var nonces = {}; + +function retrieve_nonce(tabId, frameId, update) +{ + let code = tabId + '.' + frameId; + console.log('Nonce for ' + code + ' ' + (update ? 'created/updated' : 'requested')); + if (update) + nonces[code] = gen_nonce(); + + return nonces[code]; +} + +/* + * EXPORTS_START + * EXPORT retrieve_nonce + * EXPORTS_END + */ diff --git a/background/page_actions_server.js b/background/page_actions_server.js index 2d9c333..d92b870 100644 --- a/background/page_actions_server.js +++ b/background/page_actions_server.js @@ -11,6 +11,7 @@ * IMPORT TYPE_PREFIX * IMPORT CONNECTION_TYPE * IMPORT browser + * IMPORT retrieve_nonce * IMPORT listen_for_connection * IMPORT sha256 * IMPORT get_query_best @@ -137,6 +138,7 @@ function handle_message(port, message, handler) function new_connection(port) { console.log("new page actions connection!"); + port.postMessage(['nonce', retrieve_nonce((port.sender.tab || '').id, port.sender.frameId)]); let handler = []; handler.push(m => handle_message(port, m, handler)); port.onMessage.addListener(handler[0]); diff --git a/background/policy_injector.js b/background/policy_injector.js index eb67963..9f79425 100644 --- a/background/policy_injector.js +++ b/background/policy_injector.js @@ -11,7 +11,7 @@ * IMPORT get_storage * IMPORT browser * IMPORT is_chrome - * IMPORT gen_unique + * IMPORT retrieve_nonce * IMPORT url_item * IMPORT get_query_best * IMPORT csp_rule @@ -45,7 +45,7 @@ function inject(details) const [pattern, settings] = query_best(url); - const nonce = gen_unique(url); + const nonce = retrieve_nonce(details.tabId, details.frameId, true); const rule = csp_rule(nonce); var headers; |