diff options
| author | jahoti <jahoti@tilde.team> | 2021-07-16 00:00:00 +0000 |
|---|---|---|
| committer | jahoti <jahoti@tilde.team> | 2021-07-16 00:00:00 +0000 |
| commit | 692577bbde5e8110855c022ec913324dfddce9ae (patch) | |
| tree | 6cc013453cdac80fd427c63994f2f7cc019d9c42 /content | |
| parent | 0e002513d443ef7cddcc17acf178478844f609e9 (diff) | |
| download | browser-extension-692577bbde5e8110855c022ec913324dfddce9ae.tar.gz browser-extension-692577bbde5e8110855c022ec913324dfddce9ae.zip | |
Use URL-based policy smuggling
Increase the power of URL-based smuggling by making it (effectively)
compulsory in all cases and adapting a <salt><unique value><JSON-encoded
settings> structure. While the details still need to be worked out, the
potential for future expansion is there.
Diffstat (limited to 'content')
| -rw-r--r-- | content/main.js | 49 |
1 files changed, 16 insertions, 33 deletions
diff --git a/content/main.js b/content/main.js index 9acf749..e75f61d 100644 --- a/content/main.js +++ b/content/main.js @@ -2,6 +2,7 @@ * Myext main content script run in all frames * * Copyright (C) 2021 Wojtek Kosior + * Copyright (C) 2021 jahoti * Redistribution terms are gathered in the `copyright' file. */ @@ -10,7 +11,9 @@ * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target + * IMPORT url_extract_policy * IMPORT gen_unique + * IMPORT gen_nonce * IMPORT csp_rule * IMPORT is_privileged_url * IMPORT sanitize_attributes @@ -32,32 +35,6 @@ * urls has not yet been added to the extension. */ -let url = url_item(document.URL); -let unique = gen_unique(url); - - -function is_http() -{ - return !!/^https?:\/\//i.exec(document.URL); -} - -function is_whitelisted() -{ - const parsed_url = url_extract_target(document.URL); - - if (parsed_url.target !== undefined && - parsed_url.target === '#' + unique) { - if (parsed_url.target2 !== undefined) - window.location.href = parsed_url.base_url + parsed_url.target2; - else - history.replaceState(null, "", parsed_url.base_url); - - return true; - } - - return false; -} - function handle_mutation(mutations, observer) { if (document.readyState === 'complete') { @@ -113,7 +90,7 @@ function inject_csp(head) let meta = document.createElement("meta"); meta.setAttribute("http-equiv", "Content-Security-Policy"); - meta.setAttribute("content", csp_rule(unique)); + meta.setAttribute("content", csp_rule(nonce)); if (head.firstElementChild === null) head.appendChild(meta); @@ -122,14 +99,20 @@ function inject_csp(head) } if (!is_privileged_url(document.URL)) { + const targets = url_extract_policy(document.URL); + targets.policy = targets.policy || {}; + const nonce = targets.policy.nonce || gen_nonce(); + + if (targets.signed) + if (targets.target2 !== undefined) + window.location.href = targets.base_url + targets.target2; + else + history.replaceState(null, "", targets.base_url); + start_activity_info_server(); - handle_page_actions(unique); + handle_page_actions(nonce); - if (is_http()) { - /* rely on CSP injected through webRequest */ - } else if (is_whitelisted()) { - /* do not block scripts at all */ - } else { + if (!targets.policy.allow) { block_nodes_recursively(document.documentElement); if (is_chrome) { |