author | jahoti <jahoti@tilde.team> | 2021-09-06 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-09-06 00:00:00 +0000 |
commit | 5dab077b9bb7564f2c556b197c5c416c41783112 (patch) | |
tree | d6f1230a4814c79b59147af474ce3e2683bb25ad /common/misc.js | |
parent | 51d43685c667567516cfbda8dfeb75e98c00619f (diff) | |
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.
Diffstat (limited to 'common/misc.js')
-rw-r--r-- | common/misc.js | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/common/misc.js b/common/misc.js
index 91d60d2..97fc2dc 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -146,6 +146,17 @@ function sanitize_csp_header(header, policy)
 return {name: header.name, value: new_csp.join('')};
 }
 
+/* csp rule that blocks all scripts except for those injected by us */
+function make_csp_rule(policy)
+{
+ let rule = "prefetch-src 'none'; ", nonce = `'nonce-${policy.nonce}'`;
+ if (!policy.allow) {
+ rule += `script-src ${nonce}; script-src-elem ${nonce}; ` +
+ "script-src-attr 'none'; ";
+ }
+ return rule;
+}
+
 /* Regexes and objects to use as/in schemas for parse_json_with_schema(). */
 const nonempty_string_matcher = /.+/;
 
@@ -161,7 +172,7 @@ const matchers = {
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
- * EXPORT csp_rule
+ * EXPORT make_csp_rule
  * EXPORT is_csp_header_name
  * EXPORT nice_name
  * EXPORT open_in_settings |
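Review bot: make_csp_rule interpolates `policy.nonce` into the directive string without checking its form, so a nonce containing `'`, `;` or whitespace would break or truncate the generated policy and the `script-src 'nonce-…'` restriction would no longer mean what the comment above the function says. Presumably the value always comes from the exported gen_nonce and is base64, but that invariant lives elsewhere; a local guard such as `if (!/^[A-Za-z0-9+/=]+$/.test(policy.nonce)) throw new Error('invalid CSP nonce');` at the top of the function would make the rule builder safe on its own. Two smaller points in the same hunk: `prefetch-src` appears to have been dropped from the CSP spec and is not honoured by most browsers, so the `prefetch-src 'none'; ` prefix is probably a no-op and deserves a comment saying it is best-effort, and the comma-chained `let rule = …, nonce = …` declaration would read better as two separate `const`/`let` lines. The second hunk only renames the export and needs nothing.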