improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.

1 files changed, 26 insertions, 7 deletions

diff --git a/content/main.js b/content/main.js
index 4ae7738..984b3cb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@ function accept_node(node, parent)
 }
 
 if (!is_privileged_url(document.URL)) {
-    const reductor =
-	  (ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
-    const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
-    let [policy, signature] = matches.reduce(reductor, []);
+    /* Signature valid for half an hour. */
+    const min_time = new Date().getTime() - 1800 * 1000;
+    let best_result = {time: -1};
+    let policy = null;
+    const extracted_signatures = [];
+    for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+	const new_result = extract_signed(...match.slice(1, 3));
+	if (new_result.fail)
+	    continue;
 
-    if (!policy || policy.url !== document.URL) {
-	console.log("WARNING! Using default policy!!!");
+	extracted_signatures.push(match[1]);
+
+	if (new_result.time < Math.max(min_time, best_result.time))
+	    continue;
+
+	/* This should succeed - it's our self-produced valid JSON. */
+	const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+	if (new_policy.url !== document.URL)
+	    continue;
+
+	best_result = new_result;
+	policy = new_policy;
+    }
+
+    if (!policy) {
+	console.warn("WARNING! Using default policy!!!");
 	policy = {allow: false, nonce: gen_nonce()};
     }
 
-    if (signature)
+    for (const signature of extracted_signatures)
 	document.cookie = `hachette-${signature}=; Max-Age=-1;`;
 
     handle_page_actions(policy.nonce);