authorWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-06-18 11:45:01 +0200
committerWojtek Kosior <wk@koszkonutek-tmp.pl.eu.org>2021-06-18 11:45:01 +0200
commit7ee7889ae8f1473474254553ec3b3469fb0a935b (patch)
tree153fe596bc65600e21d856f97231f8195f79b9ec /content
parent6bae771df7b238f8ef4e992660e911fb5808299c (diff)
when possible inject CSP as http(s) header using webRequest instead of adding a <meta> tag
Diffstat (limited to 'content')
-rw-r--r--content/main.js54
1 files changed, 35 insertions, 19 deletions
diff --git a/content/main.js b/content/main.js
index 23f7f66..eb5d0ac 100644
--- a/content/main.js
+++ b/content/main.js
@@ -30,29 +30,45 @@
const url_item = window.url_item;
const gen_unique = window.gen_unique;
- var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
- var match = url_re.exec(document.URL);
- var base_url = match[1];
- var first_target = match[3];
- var second_target = match[4];
+ /*
+ * Due to some technical limitations the chosen method of whitelisting sites
+ * is to smuggle whitelist indicator in page's url as a "magical" string
+ * after '#'. Right now this is not needed in HTTP(s) pages where native
+ * script blocking happens through CSP header injection but is needed for
+ * protocols like ftp:// and file://.
+ *
+ * The code that actually injects the magical string into ftp:// and file://
+ * urls has not yet been added to the extension.
+ */
- // TODO: can be refactored *a little bit* with policy_smuggler.js
let url = url_item(document.URL);
let unique = gen_unique(url);
-
let nonce = unique.substring(1);
- var block = true;
- if (first_target !== undefined &&
- first_target === unique) {
- block = false;
- console.log(["allowing", document.URL]);
- if (second_target !== undefined)
- window.location.href = base_url + second_target;
- else
- history.replaceState(null, "", base_url);
- } else {
- console.log(["not allowing", document.URL]);
+ function needs_blocking()
+ {
+ if (url.startsWith("https://") || url.startsWith("http://"))
+ return false;
+
+ let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
+ let match = url_re.exec(document.URL);
+ let base_url = match[1];
+ let first_target = match[3];
+ let second_target = match[4];
+
+ if (first_target !== undefined &&
+ first_target === unique) {
+ if (second_target !== undefined)
+ window.location.href = base_url + second_target;
+ else
+ history.replaceState(null, "", base_url);
+
+ console.log(["allowing whitelisted", document.URL]);
+ return false;
+ }
+
+ console.log(["disallowing", document.URL]);
+ return true;
}
function handle_mutation(mutations, observer)
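Review bot: The early return at the top of needs_blocking() (`if (url.startsWith("https://") || url.startsWith("http://")) return false;`) assumes every http(s) document received the injected CSP header, but nothing in the content script confirms that the webRequest listener actually ran for this response; the commit message itself says "when possible", and for any response where header injection did not happen (presumably cached or service-worker-served documents, to be confirmed against the background code) the MutationObserver fallback is now skipped too, so such a page would run scripts with no blocking at all. Consider keeping the observer armed on http(s) pages unless the background side has positively signalled that the header was injected, or at minimum record the assumption above the return with `// http(s) pages rely solely on the CSP header injected via webRequest; there is no fallback if that injection was skipped`. A smaller point: because the return happens before the fragment parsing, a whitelist indicator left in document.URL on an http(s) page is never stripped or acted on, which the comment block suggests is intended but is worth stating there explicitly. needs_blocking() sits inside an enclosing function whose start is outside the hunk, and handle_mutation's body continues past the hunk's end.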
@@ -129,7 +145,7 @@ script-src-elem 'nonce-${nonce}';\
}
}
- if (block) {
+ if (needs_blocking()) {
var observer = new MutationObserver(handle_mutation);
observer.observe(document.documentElement, {
attributes: true,