summaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-08-26 11:50:36 +0200
committerWojtek Kosior <koszko@koszko.org>2021-08-26 11:50:36 +0200
commit2875397fb887a5b09b5f39d6b3a75419a516dd07 (patch)
tree36773a9bb3a60c2cb271191b7aaf2f75db5a191a /content
parent6b53d6c840140fc5df6d7638808b978d96502a35 (diff)
downloadbrowser-extension-2875397fb887a5b09b5f39d6b3a75419a516dd07.tar.gz
browser-extension-2875397fb887a5b09b5f39d6b3a75419a516dd07.zip
improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.
Diffstat (limited to 'content')
-rw-r--r--content/main.js33
1 files changed, 26 insertions, 7 deletions
diff --git a/content/main.js b/content/main.js
index 4ae7738..984b3cb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@ function accept_node(node, parent)
}
if (!is_privileged_url(document.URL)) {
- const reductor =
- (ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
- const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
- let [policy, signature] = matches.reduce(reductor, []);
+ /* Signature valid for half an hour. */
+ const min_time = new Date().getTime() - 1800 * 1000;
+ let best_result = {time: -1};
+ let policy = null;
+ const extracted_signatures = [];
+ for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+ const new_result = extract_signed(...match.slice(1, 3));
+ if (new_result.fail)
+ continue;
- if (!policy || policy.url !== document.URL) {
- console.log("WARNING! Using default policy!!!");
+ extracted_signatures.push(match[1]);
+
+ if (new_result.time < Math.max(min_time, best_result.time))
+ continue;
+
+ /* This should succeed - it's our self-produced valid JSON. */
+ const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+ if (new_policy.url !== document.URL)
+ continue;
+
+ best_result = new_result;
+ policy = new_policy;
+ }
+
+ if (!policy) {
+ console.warn("WARNING! Using default policy!!!");
policy = {allow: false, nonce: gen_nonce()};
}
- if (signature)
+ for (const signature of extracted_signatures)
document.cookie = `hachette-${signature}=; Max-Age=-1;`;
handle_page_actions(policy.nonce);