author | Wojtek Kosior <koszko@koszko.org> | 2021-08-26 11:50:36 +0200 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2021-08-26 11:50:36 +0200 |
commit | 2875397fb887a5b09b5f39d6b3a75419a516dd07 (patch) | |
tree | 36773a9bb3a60c2cb271191b7aaf2f75db5a191a /content | |
parent | 6b53d6c840140fc5df6d7638808b978d96502a35 (diff) | |
improve signing

Signature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled into contexts that don't require it.
Diffstat (limited to 'content')
-rw-r--r-- | content/main.js | 33 |
1 files changed, 26 insertions, 7 deletions
diff --git a/content/main.js b/content/main.js
index 4ae7738..984b3cb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@ function accept_node(node, parent)
 }
 if (!is_privileged_url(document.URL)) {
- const reductor =
- (ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
- const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
- let [policy, signature] = matches.reduce(reductor, []);
+ /* Signature valid for half an hour. */
+ const min_time = new Date().getTime() - 1800 * 1000;
+ let best_result = {time: -1};
+ let policy = null;
+ const extracted_signatures = [];
+ for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+ const new_result = extract_signed(...match.slice(1, 3));
+ if (new_result.fail)
+ continue;

- if (!policy || policy.url !== document.URL) {
- console.log("WARNING! Using default policy!!!");
+ extracted_signatures.push(match[1]);
+
+ if (new_result.time < Math.max(min_time, best_result.time))
+ continue;
+
+ /* This should succeed - it's our self-produced valid JSON. */
+ const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+ if (new_policy.url !== document.URL)
+ continue;
+
+ best_result = new_result;
+ policy = new_policy;
+ }
+
+ if (!policy) {
+ console.warn("WARNING! Using default policy!!!");
 policy = {allow: false, nonce: gen_nonce()};
 }
- if (signature)
+ for (const signature of extracted_signatures)
 document.cookie = `hachette-${signature}=; Max-Age=-1;`;
 handle_page_actions(policy.nonce); |
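Review bot: The `JSON.parse(decodeURIComponent(new_result.data))` call inside the cookie loop is unguarded, so an exception there would leave the block before the `if (!policy)` default-deny fallback, the cookie cleanup loop and `handle_page_actions()` ever run. The comment says the payload is self-produced, but that guarantee rests on `extract_signed()`, which is not visible in this hunk; a value that verifies yet fails to decode, or that parses to `null` so that `new_policy.url` throws, would abort the whole block instead of being skipped. Wrapping the decode and parse in a `try`/`catch` that `continue`s keeps the loop fail-closed, as sketched below. Separately, only a lower bound is applied to `new_result.time`, so it is worth confirming that a timestamp ahead of the local clock cannot win as `best_result`. The enclosing `if (!is_privileged_url(document.URL))` block continues past the end of the hunk.

```javascript
	/* ... unchanged: extract_signed() call, signature bookkeeping, time comparison ... */
	let new_policy;
	try {
	    new_policy = JSON.parse(decodeURIComponent(new_result.data));
	} catch (e) {
	    /* Treat an undecodable payload like a failed signature. */
	    continue;
	}
	if (!new_policy || new_policy.url !== document.URL)
	    continue;
	/* ... unchanged: best_result / policy assignment ... */
```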