diff options
author | jahoti <jahoti@tilde.team> | 2021-09-21 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-09-21 00:00:00 +0000 |
commit | 59fb32a341d42c685b5167c3d8b4d7b87c49fd18 (patch) | |
tree | 17143cd40a59eb06b4e698d6fd9ca9d02abaf2b9 /common/signing.js | |
parent | b1444d9c9ea065d7c97d5809c3ec5259cb01a1da (diff) | |
parent | 960363e7dd98a724246320e49c3fbaff9d68d1bd (diff) | |
download | browser-extension-59fb32a341d42c685b5167c3d8b4d7b87c49fd18.tar.gz browser-extension-59fb32a341d42c685b5167c3d8b4d7b87c49fd18.zip |
Merge branch 'master' into jahoti-update
Diffstat (limited to 'common/signing.js')
-rw-r--r-- | common/signing.js | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/common/signing.js b/common/signing.js index 2171714..11cd442 100644 --- a/common/signing.js +++ b/common/signing.js @@ -1,6 +1,7 @@ /** - * part of Hachette - * Functions related to "signing" of data, refactored to a separate file. + * This file is part of Haketilo. + * + * Functions: Operations related to "signing" of data. * * Copyright (C) 2021 Wojtek Kosior * Redistribution terms are gathered in the `copyright' file. @@ -10,13 +11,13 @@ * IMPORTS_START * IMPORT sha256 * IMPORT browser - * IMPORT is_chrome + * IMPORT is_mozilla * IMPORTS_END */ /* * In order to make certain data synchronously accessible in certain contexts, - * hachette smuggles it in string form in places like cookies, URLs and headers. + * Haketilo smuggles it in string form in places like cookies, URLs and headers. * When using the smuggled data, we first need to make sure it isn't spoofed. * For that, we use this pseudo-signing mechanism. * @@ -30,18 +31,18 @@ * * The secret shared between execution contexts has to be available * synchronously. Under Mozilla, this is the extension's per-session id. Under - * Chromium, this is the key that resides in the manifest. - * - * An idea to (under Chromium) instead store the secret in a file fetched - * synchronously using XMLHttpRequest is being considered. + * Chromium, this is a dummy web-accessible-resource name that resides in the + * manifest and is supposed to be constructed by each user using a unique value + * (this is done automatically by `build.sh'). */ function get_secret() { - if (is_chrome) - return browser.runtime.getManifest().key.substring(0, 50); - else + if (is_mozilla) return browser.runtime.getURL("dummy"); + + return chrome.runtime.getManifest().web_accessible_resources + .map(r => /^chromium-key-dummy-file-(.*)/.exec(r)).filter(r => r)[0][1]; } function extract_signed(signature, signed_data) |