aboutsummaryrefslogtreecommitdiff
path: root/common
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-09-09 17:47:51 +0200
committerWojtek Kosior <koszko@koszko.org>2021-09-09 18:50:58 +0200
commit44e89d8ec71b441a431c848567f34b9a36f6b982 (patch)
tree62881ff7fc0084bdb8a7c29c10e270a9a3b1245d /common
parente2d26bad35bbe3876862b482f7963d713238313b (diff)
downloadbrowser-extension-44e89d8ec71b441a431c848567f34b9a36f6b982.tar.gz
browser-extension-44e89d8ec71b441a431c848567f34b9a36f6b982.zip
simplify CSP handling
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.
Diffstat (limited to 'common')
-rw-r--r--common/misc.js68
1 files changed, 11 insertions, 57 deletions
diff --git a/common/misc.js b/common/misc.js
index 6adaf1e..6cded84 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -43,29 +43,19 @@ function gen_nonce(length=16)
return Uint8toHex(randomData);
}
-/* csp rule that blocks all scripts except for those injected by us */
-function csp_rule(nonce)
+/* CSP rule that blocks scripts according to policy's needs. */
+function make_csp_rule(policy)
{
- const rule = `'nonce-${nonce}'`;
- return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
+ let rule = "prefetch-src 'none'; script-src-attr 'none';";
+ const script_src = policy.has_payload ?
+ `'nonce-${policy.nonce}'` : "'none'";
+ rule += ` script-src ${script_src}; script-src-elem ${script_src};`;
+ return rule;
}
/* Check if some HTTP header might define CSP rules. */
-const csp_header_names = new Set([
- "content-security-policy",
- "x-webkit-csp",
- "x-content-security-policy"
-]);
-
-const report_only_header_name = "content-security-policy-report-only";
-
-function is_csp_header_name(string, include_report_only)
-{
- string = string && string.toLowerCase().trim() || "";
-
- return (include_report_only && string === report_only_header_name) ||
- csp_header_names.has(string);
-}
+const csp_header_regex =
+ /^\s*(content-security-policy|x-webkit-csp|x-content-security-policy)/i;
/*
* Print item together with type, e.g.
@@ -111,41 +101,6 @@ function parse_csp(csp) {
return directives;
}
-/* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, policy)
-{
- const rule = `'nonce-${policy.nonce}'`;
- const csp = parse_csp(header.value);
-
- if (!policy.allow) {
- /* No snitching */
- delete csp['report-to'];
- delete csp['report-uri'];
-
- delete csp['script-src'];
- delete csp['script-src-elem'];
-
- csp['script-src-attr'] = ["'none'"];
- csp['prefetch-src'] = ["'none'"];
- }
-
- if ('script-src' in csp)
- csp['script-src'].push(rule);
- else
- csp['script-src'] = [rule];
-
- if ('script-src-elem' in csp)
- csp['script-src-elem'].push(rule);
- else
- csp['script-src-elem'] = [rule];
-
- const new_csp = Object.entries(csp).map(
- i => `${i[0]} ${i[1].join(' ')};`
- );
-
- return {name: header.name, value: new_csp.join('')};
-}
-
/* Regexes and objects to use as/in schemas for parse_json_with_schema(). */
const nonempty_string_matcher = /.+/;
@@ -161,12 +116,11 @@ const matchers = {
/*
* EXPORTS_START
* EXPORT gen_nonce
- * EXPORT csp_rule
- * EXPORT is_csp_header_name
+ * EXPORT make_csp_rule
+ * EXPORT csp_header_regex
* EXPORT nice_name
* EXPORT open_in_settings
* EXPORT is_privileged_url
- * EXPORT sanitize_csp_header
* EXPORT matchers
* EXPORTS_END
*/