summaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
authorjahoti <jahoti@tilde.team>2021-07-12 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-07-12 00:00:00 +0000
commitdcfc78b0d175bee7b3b7e273282078d50bd4ca09 (patch)
treec5cc3a032ec1cdcc548bfdc8f0209c43bd14114d /content
parent0e002513d443ef7cddcc17acf178478844f609e9 (diff)
downloadbrowser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.tar.gz
browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.zip
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
Diffstat (limited to 'content')
-rw-r--r--content/main.js21
-rw-r--r--content/page_actions.js4
2 files changed, 18 insertions, 7 deletions
diff --git a/content/main.js b/content/main.js
index 9acf749..3204a8a 100644
--- a/content/main.js
+++ b/content/main.js
@@ -2,15 +2,18 @@
* Myext main content script run in all frames
*
* Copyright (C) 2021 Wojtek Kosior
+ * Copyright (C) 2021 jahoti
* Redistribution terms are gathered in the `copyright' file.
*/
/*
* IMPORTS_START
+ * IMPORT CONNECTION_TYPE
* IMPORT handle_page_actions
* IMPORT url_item
* IMPORT url_extract_target
* IMPORT gen_unique
+ * IMPORT gen_nonce
* IMPORT csp_rule
* IMPORT is_privileged_url
* IMPORT sanitize_attributes
@@ -113,7 +116,7 @@ function inject_csp(head)
let meta = document.createElement("meta");
meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(unique));
+ meta.setAttribute("content", csp_rule(nonce));
if (head.firstElementChild === null)
head.appendChild(meta);
@@ -123,13 +126,23 @@ function inject_csp(head)
if (!is_privileged_url(document.URL)) {
start_activity_info_server();
- handle_page_actions(unique);
+ var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
if (is_http()) {
- /* rely on CSP injected through webRequest */
+ /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */
+ const nonce_capturer = msg => {
+ port.onMessage.removeListener(nonce_capturer);
+ handle_page_actions(msg[1], port);
+ };
+
+ port.onMessage.addListener(nonce_capturer);
+
} else if (is_whitelisted()) {
- /* do not block scripts at all */
+ /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */
+ handle_page_actions(null, port);
} else {
+ nonce = gen_nonce();
+ handle_page_actions(nonce, port);
block_nodes_recursively(document.documentElement);
if (is_chrome) {
diff --git a/content/page_actions.js b/content/page_actions.js
index fd405fe..dff5f71 100644
--- a/content/page_actions.js
+++ b/content/page_actions.js
@@ -7,7 +7,6 @@
/*
* IMPORTS_START
- * IMPORT CONNECTION_TYPE
* IMPORT browser
* IMPORT report_script
* IMPORT report_settings
@@ -55,9 +54,8 @@ function add_script(script_text)
report_script(script_text);
}
-function handle_page_actions(script_nonce) {
+function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js
document.addEventListener("DOMContentLoaded", document_loaded);
- port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
port.onMessage.addListener(handle_message);
port.postMessage({url: document.URL});