aboutsummaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
authorjahoti <jahoti@tilde.team>2021-09-06 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-09-06 00:00:00 +0000
commit5dab077b9bb7564f2c556b197c5c416c41783112 (patch)
treed6f1230a4814c79b59147af474ce3e2683bb25ad /content
parent51d43685c667567516cfbda8dfeb75e98c00619f (diff)
downloadbrowser-extension-5dab077b9bb7564f2c556b197c5c416c41783112.tar.gz
browser-extension-5dab077b9bb7564f2c556b197c5c416c41783112.zip
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified. Also, filtering is applied whenever a payload is injected.
Diffstat (limited to 'content')
-rw-r--r--content/main.js19
1 files changed, 9 insertions, 10 deletions
diff --git a/content/main.js b/content/main.js
index b2cc9ed..3ebf093 100644
--- a/content/main.js
+++ b/content/main.js
@@ -17,7 +17,7 @@
* IMPORT is_chrome
* IMPORT is_mozilla
* IMPORT start_activity_info_server
- * IMPORT csp_rule
+ * IMPORT make_csp_rule
* IMPORT is_csp_header_name
* IMPORT sanitize_csp_header
* IMPORTS_END
@@ -175,9 +175,6 @@ function sanitize_meta(meta, policy)
return;
block_attribute(meta, "content");
-
- if (is_csp_header_name(http_equiv, false))
- meta.content = sanitize_csp_header({value}, policy).value;
}
function sanitize_script(script)
@@ -204,7 +201,7 @@ function apply_hachette_csp_rules(doc, policy)
{
const meta = doc.createElement("meta");
meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(policy.nonce));
+ meta.setAttribute("content", make_csp_rule(policy));
doc.head.append(meta);
/* CSP is already in effect, we can remove the <meta> now. */
meta.remove();
@@ -240,13 +237,15 @@ async function sanitize_document(doc, policy)
for (const meta of old_html.querySelectorAll("head meta"))
sanitize_meta(meta, policy);
- for (const script of old_html.querySelectorAll("script"))
- sanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ sanitize_script(script, policy);
new_html.replaceWith(old_html);
- for (const script of old_html.querySelectorAll("script"))
- desanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ desanitize_script(script, policy);
}
if (!is_privileged_url(document.URL)) {
@@ -282,7 +281,7 @@ if (!is_privileged_url(document.URL)) {
}
const doc_ready = Promise.all([
- policy.allow ? Promise.resolve : sanitize_document(document, policy),
+ (policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy),
new Promise(cb => document.addEventListener("DOMContentLoaded",
cb, {once: true}))
]);