author | jahoti <jahoti@tilde.team> | 2021-09-06 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-09-06 00:00:00 +0000 |
commit | 5dab077b9bb7564f2c556b197c5c416c41783112 (patch) | |
tree | d6f1230a4814c79b59147af474ce3e2683bb25ad /content | |
parent | 51d43685c667567516cfbda8dfeb75e98c00619f (diff) | |
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.
Diffstat (limited to 'content')
-rw-r--r-- | content/main.js | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/content/main.js b/content/main.js
index b2cc9ed..3ebf093 100644
--- a/content/main.js
+++ b/content/main.js
@@ -17,7 +17,7 @@
 * IMPORT is_chrome
 * IMPORT is_mozilla
 * IMPORT start_activity_info_server
- * IMPORT csp_rule
+ * IMPORT make_csp_rule
 * IMPORT is_csp_header_name
 * IMPORT sanitize_csp_header
 * IMPORTS_END
@@ -175,9 +175,6 @@ function sanitize_meta(meta, policy)
 return;
 block_attribute(meta, "content");
-
- if (is_csp_header_name(http_equiv, false))
- meta.content = sanitize_csp_header({value}, policy).value;
 }
 function sanitize_script(script)
@@ -204,7 +201,7 @@ function apply_hachette_csp_rules(doc, policy)
 {
 const meta = doc.createElement("meta");
 meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(policy.nonce));
+ meta.setAttribute("content", make_csp_rule(policy));
 doc.head.append(meta);
 /* CSP is already in effect, we can remove the <meta> now. */
 meta.remove();
@@ -240,13 +237,15 @@ async function sanitize_document(doc, policy)
 for (const meta of old_html.querySelectorAll("head meta"))
 sanitize_meta(meta, policy);
- for (const script of old_html.querySelectorAll("script"))
- sanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ sanitize_script(script, policy);
 new_html.replaceWith(old_html);
- for (const script of old_html.querySelectorAll("script"))
- desanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ desanitize_script(script, policy);
 }
 if (!is_privileged_url(document.URL)) {
@@ -282,7 +281,7 @@ if (!is_privileged_url(document.URL)) {
 }
 const doc_ready = Promise.all([
- policy.allow ? Promise.resolve : sanitize_document(document, policy),
+ (policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy),
 new Promise(cb => document.addEventListener("DOMContentLoaded", cb, {once: true}))
 ]); |
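Review bot: In `sanitize_meta`, a `<meta>` that reaches `block_attribute(meta, "content")` no longer gets a sanitized policy written back, so every directive the page author put in a CSP `<meta>` stops applying, not only the script-related ones. A comment after that call would record that this is deliberate, for example `/* Page-supplied CSP is dropped entirely; only the rule set in apply_hachette_csp_rules() restricts the document. */`. The `policy` parameter is no longer used in the visible part of the function, and the `is_csp_header_name` and `sanitize_csp_header` imports kept in the first hunk may now be dead if nothing else in the file uses them. The start of `sanitize_meta` is outside the hunk, so both observations need checking against the full body.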
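Review bot: The two new `if (!policy.allow)` guards in `sanitize_document` each wrap an unbraced `for` with an unbraced body, which is easy to misread and easy to break when a statement is added later; braces on both levels would help, e.g. `if (!policy.allow) { for (const script of old_html.querySelectorAll("script")) { sanitize_script(script, policy); } }`. A one-line comment above the first guard, such as `/* With policy.allow set we still sanitize <meta> elements but leave page scripts untouched. */`, would make the new allow-plus-payload path explicit. `sanitize_script` appears in the second hunk's context with a single `script` parameter, so the `policy` argument passed here looks to be ignored. The body of `sanitize_document` starts outside the hunk.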
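Review bot: The rewritten element of the `Promise.all` array, `(policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy)`, still yields the function `Promise.resolve` rather than a promise; `Promise.all` accepts it as a plain value, so it works, but `Promise.resolve()` states the intent. `policy.has_payload` is not assigned anywhere in the visible hunks, and if it can be undefined the condition silently falls back to the old `policy.allow` behaviour, so the CSP `<meta>` blocking this commit promises for injected payloads would be skipped. It is worth confirming where the field is set and noting that in a comment here. The enclosing `if (!is_privileged_url(document.URL))` block continues outside the hunk.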