authorjahoti <jahoti@tilde.team>2021-07-16 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-07-16 00:00:00 +0000
commit692577bbde5e8110855c022ec913324dfddce9ae (patch)
tree6cc013453cdac80fd427c63994f2f7cc019d9c42 /content
parent0e002513d443ef7cddcc17acf178478844f609e9 (diff)
Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there.
Diffstat (limited to 'content')
-rw-r--r--content/main.js49
1 files changed, 16 insertions, 33 deletions
diff --git a/content/main.js b/content/main.js
index 9acf749..e75f61d 100644
--- a/content/main.js
+++ b/content/main.js
@@ -2,6 +2,7 @@
* Myext main content script run in all frames
*
* Copyright (C) 2021 Wojtek Kosior
+ * Copyright (C) 2021 jahoti
* Redistribution terms are gathered in the `copyright' file.
*/
@@ -10,7 +11,9 @@
* IMPORT handle_page_actions
* IMPORT url_item
* IMPORT url_extract_target
+ * IMPORT url_extract_policy
* IMPORT gen_unique
+ * IMPORT gen_nonce
* IMPORT csp_rule
* IMPORT is_privileged_url
* IMPORT sanitize_attributes
@@ -32,32 +35,6 @@
* urls has not yet been added to the extension.
*/
-let url = url_item(document.URL);
-let unique = gen_unique(url);
-
-
-function is_http()
-{
- return !!/^https?:\/\//i.exec(document.URL);
-}
-
-function is_whitelisted()
-{
- const parsed_url = url_extract_target(document.URL);
-
- if (parsed_url.target !== undefined &&
- parsed_url.target === '#' + unique) {
- if (parsed_url.target2 !== undefined)
- window.location.href = parsed_url.base_url + parsed_url.target2;
- else
- history.replaceState(null, "", parsed_url.base_url);
-
- return true;
- }
-
- return false;
-}
-
function handle_mutation(mutations, observer)
{
if (document.readyState === 'complete') {
@@ -113,7 +90,7 @@ function inject_csp(head)
let meta = document.createElement("meta");
meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(unique));
+ meta.setAttribute("content", csp_rule(nonce));
if (head.firstElementChild === null)
head.appendChild(meta);
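Review bot: `nonce` does not appear to be in scope at `csp_rule(nonce)`: this commit removes the file-level `let unique` and declares `const nonce` inside the `if (!is_privileged_url(document.URL))` block further down, which is block-scoped and invisible to the top-level `inject_csp`. Unless a binding exists outside the visible hunks, the call would throw a ReferenceError before the meta element is appended, so the injected CSP would silently go missing. Declare `let nonce;` at file scope and assign it inside the block with `nonce = targets.policy.nonce || gen_nonce();`. inject_csp begins before this hunk and ends after it.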
@@ -122,14 +99,20 @@ function inject_csp(head)
}
if (!is_privileged_url(document.URL)) {
+ const targets = url_extract_policy(document.URL);
+ targets.policy = targets.policy || {};
+ const nonce = targets.policy.nonce || gen_nonce();
+
+ if (targets.signed)
+ if (targets.target2 !== undefined)
+ window.location.href = targets.base_url + targets.target2;
+ else
+ history.replaceState(null, "", targets.base_url);
+
start_activity_info_server();
- handle_page_actions(unique);
+ handle_page_actions(nonce);
- if (is_http()) {
- /* rely on CSP injected through webRequest */
- } else if (is_whitelisted()) {
- /* do not block scripts at all */
- } else {
+ if (!targets.policy.allow) {
block_nodes_recursively(document.documentElement);
if (is_chrome) {
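Review bot: `targets.policy.nonce` and `targets.policy.allow` are read without consulting `targets.signed`, which is used only to decide whether the URL gets cleaned up. The policy is parsed from `document.URL`, which the page or a linking site can influence, so unless `url_extract_policy` (not shown) already discards a policy whose signature check fails, an unsigned fragment could set `allow` and skip `block_nodes_recursively`, or fix the nonce handed to `handle_page_actions`. Gate it explicitly with `const policy = targets.signed ? (targets.policy || {}) : {};` and read `policy.nonce` / `policy.allow` from that. The nested `if (targets.signed) if (...) ... else ...` should also get braces, because the `else` binds to the inner `if` only through the dangling-else rule. The block opened by `if (!targets.policy.allow) {` continues past the end of the hunk.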