author | Wojtek Kosior <wk@koszkonutek-tmp.pl.eu.org> | 2021-06-18 11:45:01 +0200 |
---|---|---|
committer | Wojtek Kosior <wk@koszkonutek-tmp.pl.eu.org> | 2021-06-18 11:45:01 +0200 |
commit | 7ee7889ae8f1473474254553ec3b3469fb0a935b (patch) | |
tree | 153fe596bc65600e21d856f97231f8195f79b9ec /content | |
parent | 6bae771df7b238f8ef4e992660e911fb5808299c (diff) | |
when possible inject CSP as http(s) header using webRequest instead of adding a <meta> tag
Diffstat (limited to 'content')
-rw-r--r-- | content/main.js | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/content/main.js b/content/main.js
index 23f7f66..eb5d0ac 100644
--- a/content/main.js
+++ b/content/main.js
@@ -30,29 +30,45 @@ const url_item = window.url_item; const gen_unique = window.gen_unique; - var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/; - var match = url_re.exec(document.URL); - var base_url = match[1]; - var first_target = match[3]; - var second_target = match[4]; + /* + * Due to some technical limitations the chosen method of whitelisting sites + * is to smuggle whitelist indicator in page's url as a "magical" string + * after '#'. Right now this is not needed in HTTP(s) pages where native + * script blocking happens through CSP header injection but is needed for + * protocols like ftp:// and file://. + * + * The code that actually injects the magical string into ftp:// and file:// + * urls has not yet been added to the extension. + */ - // TODO: can be refactored *a little bit* with policy_smuggler.js let url = url_item(document.URL); let unique = gen_unique(url); - let nonce = unique.substring(1); - var block = true; - if (first_target !== undefined && - first_target === unique) { - block = false; - console.log(["allowing", document.URL]); - if (second_target !== undefined) - window.location.href = base_url + second_target; - else - history.replaceState(null, "", base_url); - } else { - console.log(["not allowing", document.URL]); + function needs_blocking() + { + if (url.startsWith("https://") || url.startsWith("http://")) + return false; + + let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/; + let match = url_re.exec(document.URL); + let base_url = match[1]; + let first_target = match[3]; + let second_target = match[4]; + + if (first_target !== undefined && + first_target === unique) { + if (second_target !== undefined) + window.location.href = base_url + second_target; + else + history.replaceState(null, "", base_url); + + console.log(["allowing whitelisted", document.URL]); + return false; + } + + console.log(["disallowing", document.URL]); + return true; } function handle_mutation(mutations, observer) 
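Review bot: The hunk removes `let nonce = unique.substring(1);`, yet the unchanged code near the second hunk still interpolates `${nonce}` into the CSP string (its header context reads `script-src-elem 'nonce-${nonce}';\`), so unless `nonce` is declared somewhere else in the file that template will throw a ReferenceError and the meta-tag fallback for ftp:// and file:// pages would likely never be injected. Restoring `let nonce = unique.substring(1);` right after `let unique = gen_unique(url);` keeps the binding the fallback depends on. Separately, `needs_blocking()` is named like a pure predicate but performs navigation (`window.location.href = ...` / `history.replaceState(...)`) before returning; a comment above the function such as `// Side effect: when the whitelist marker matches, it is stripped from the URL before returning false` would save callers a surprise. `url_item` and `gen_unique` are defined outside this hunk.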
@@ -129,7 +145,7 @@ script-src-elem 'nonce-${nonce}';\ } } - if (block) { + if (needs_blocking()) { var observer = new MutationObserver(handle_mutation); observer.observe(document.documentElement, { attributes: true, |
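Review bot: With `needs_blocking()` returning false for every `http://` and `https://` URL, the MutationObserver fallback is no longer installed on those pages, so script blocking there rests entirely on the webRequest header injection described in the commit message, and nothing in this content script confirms the header was actually applied. Since the commit message itself says "when possible", a comment at this call site stating the assumption would make the fail-open case explicit, e.g. `// http(s): CSP is expected as a response header set by the background script; no in-page fallback here`. The enclosing function and the observer configuration continue outside the hunk.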