author | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
commit | dcfc78b0d175bee7b3b7e273282078d50bd4ca09 (patch) | |
tree | c5cc3a032ec1cdcc548bfdc8f0209c43bd14114d /common | |
parent | 0e002513d443ef7cddcc17acf178478844f609e9 (diff) | |
download | browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.tar.gz browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.zip |
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores them by tab and frame IDs. In order to
support the increased variance in nonce-generating methods and allow them to
be loaded from the background, handle_page_actions is now invoked separately
according to whether the blocking or the non-blocking mechanism is in use.
Diffstat (limited to 'common')
-rw-r--r-- | common/misc.js | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/common/misc.js b/common/misc.js
index 8b56e79..7e48059 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -2,6 +2,7 @@
  * Myext miscellaneous operations refactored to a separate file
  *
  * Copyright (C) 2021 Wojtek Kosior
+ * Copyright (C) 2021 jahoti
  * Redistribution terms are gathered in the `copyright' file.
  */
 
@@ -18,6 +19,23 @@
  * generating unique, per-site value that can be computed synchronously
  * and is impossible to guess for a malicious website
  */
+
+/* Uint8toHex is a separate function not exported as (a) it's useful and (b) it will be used in crypto.subtle-based digests */
+function Uint8toHex(data)
+{
+    let returnValue = '';
+    for (let byte of data)
+        returnValue += ('00' + byte.toString(16)).slice(-2);
+    return returnValue;
+}
+
+function gen_nonce(length) // Default 16
+{
+    let randomData = new Uint8Array(length || 16);
+    crypto.getRandomValues(randomData);
+    return Uint8toHex(randomData);
+}
+
 function gen_unique(url)
 {
     return sha256(get_secure_salt() + url);
@@ -98,6 +116,7 @@ function is_privileged_url(url)
 /*
  * EXPORTS_START
  * EXPORT gen_unique
+ * EXPORT gen_nonce
  * EXPORT url_item
  * EXPORT url_extract_target
  * EXPORT csp_rule
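Review bot: `gen_nonce(length)` does not document what `length` counts, and the `// Default 16` trailer leaves a reader guessing whether the nonce is 16 bytes or 16 characters; the body shows it is the number of random bytes, so the returned hex string has `2 * length` characters and 16 bytes gives 128 bits of entropy. I would replace the trailing comment with a header in the file's block style, e.g. `/* Return `length` (default 16) cryptographically random bytes, taken from crypto.getRandomValues, as a lowercase hex string of 2*length characters; this is what the CSP nonce is built from, so callers should not pass small lengths */`. Note also that `length || 16` turns an explicit `0` into the default rather than rejecting it, and a negative or non-numeric value would reach `new Uint8Array` unchecked — worth stating in the comment, or guarding with `if (!(Number.isInteger(length) && length > 0)) length = 16;` if that is the intended contract. The comment on `Uint8toHex` reads awkwardly ("not exported as (a) it's useful"); I would rephrase it as `/* Uint8toHex is kept as a separate helper (not exported) because it is also needed for the upcoming crypto.subtle-based digests */`.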