authorWojtek Kosior <koszko@koszko.org>2021-08-20 12:57:48 +0200
committerWojtek Kosior <koszko@koszko.org>2021-08-20 12:57:48 +0200
commitd09b7ee10541b5a81430d2e11abb3a9a09643ade (patch)
tree71e6f51ca3842e0a5bfd9900db15dbbd873b2ba0 /common
parent3d0efa153c95f3bf4912379f910bc59d0fd563c9 (diff)
downloadbrowser-extension-d09b7ee10541b5a81430d2e11abb3a9a09643ade.tar.gz
browser-extension-d09b7ee10541b5a81430d2e11abb3a9a09643ade.zip
sanitize `<meta>' tags containing CSP rules under Chromium
This commit adds a mechanism for hijacking the document as it loads and injecting sanitized nodes into the DOM from the content script.
Diffstat (limited to 'common')
-rw-r--r--common/misc.js27
1 files changed, 23 insertions, 4 deletions
diff --git a/common/misc.js b/common/misc.js
index 6e825d6..8894d60 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -78,6 +78,23 @@ function csp_rule(nonce)
return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
}
+/* Check if some HTTP header might define CSP rules. */
+const csp_header_names = new Set([
+ "content-security-policy",
+ "x-webkit-csp",
+ "x-content-security-policy"
+]);
+
+const report_only_header_name = "content-security-policy-report-only";
+
+function is_csp_header_name(string, include_report_only)
+{
+ string = string && string.toLowerCase() || "";
+
+ return (include_report_only && string === report_only_header_name) ||
+ csp_header_names.has(string);
+}
+
/*
* Print item together with type, e.g.
* nice_name("s", "hello") → "hello (script)"
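Review bot: The `include_report_only` parameter of `is_csp_header_name` is undocumented, and the hunk's only comment sits above the `csp_header_names` set rather than on the function it describes. A caller that omits the flag gets `false` for `Content-Security-Policy-Report-Only`, so that header is left unmatched; whether that is intended at every call site cannot be seen from this hunk. I would move the existing comment onto the function and add `/* include_report_only: also match Content-Security-Policy-Report-Only. */`. Separately, `string && string.toLowerCase()` throws for any truthy non-string value, so a `typeof string === "string"` check would make the `""` fallback cover that case as well.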
@@ -127,11 +144,12 @@ function parse_csp(csp) {
}
/* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, rule, allow)
+function sanitize_csp_header(header, policy)
{
+ const rule = `'nonce-${policy.nonce}'`;
const csp = parse_csp(header.value);
- if (!allow) {
+ if (!policy.allow) {
/* No snitching */
delete csp['report-to'];
delete csp['report-uri'];
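Review bot: The new first line of `sanitize_csp_header` interpolates `policy.nonce` without checking it, so a policy object that lacks a nonce produces the literal source `'nonce-undefined'`, a fixed and guessable value instead of a per-load secret. Whether every caller always sets `policy.nonce` is not visible here, since the diffstat is limited to `common`. A guard before the template such as `if (!policy.nonce) throw new Error("sanitize_csp_header: missing policy.nonce");` would make that failure visible rather than silently weakening the rewritten policy. The old `rule` argument was built by the caller, so a one-line comment on the expected shape of `policy` (`nonce`, `allow`) would also help. The function body continues outside the hunk.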
@@ -153,11 +171,11 @@ function sanitize_csp_header(header, rule, allow)
else
csp['script-src-elem'] = [rule];
- const new_policy = Object.entries(csp).map(
+ const new_csp = Object.entries(csp).map(
i => `${i[0]} ${i[1].join(' ')};`
);
- return {name: header.name, value: new_policy.join('')};
+ return {name: header.name, value: new_csp.join('')};
}
/* Regexes and objest to use as/in schemas for parse_json_with_schema(). */
@@ -178,6 +196,7 @@ const matchers = {
* EXPORT extract_signed
* EXPORT sign_data
* EXPORT csp_rule
+ * EXPORT is_csp_header_name
* EXPORT nice_name
* EXPORT open_in_settings
* EXPORT is_privileged_url