author | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-07-12 00:00:00 +0000 |
commit | dcfc78b0d175bee7b3b7e273282078d50bd4ca09 (patch) | |
tree | c5cc3a032ec1cdcc548bfdc8f0209c43bd14114d /content | |
parent | 0e002513d443ef7cddcc17acf178478844f609e9 (diff) | |
download | browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.tar.gz browser-extension-dcfc78b0d175bee7b3b7e273282078d50bd4ca09.zip |
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores them by tab and frame IDs. In order to
support the increased variance in nonce-generating methods and allow them to
be loaded from the background, handle_page_actions is now invoked separately
according to (non-)blocking mechanism.
Diffstat (limited to 'content')
-rw-r--r-- | content/main.js | 21 | ||||
-rw-r--r-- | content/page_actions.js | 4 |
2 files changed, 18 insertions, 7 deletions
diff --git a/content/main.js b/content/main.js index 9acf749..3204a8a 100644 --- a/content/main.js +++ b/content/main.js @@ -2,15 +2,18 @@ * Myext main content script run in all frames * * Copyright (C) 2021 Wojtek Kosior + * Copyright (C) 2021 jahoti * Redistribution terms are gathered in the `copyright' file. */ /* * IMPORTS_START + * IMPORT CONNECTION_TYPE * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target * IMPORT gen_unique + * IMPORT gen_nonce * IMPORT csp_rule * IMPORT is_privileged_url * IMPORT sanitize_attributes @@ -113,7 +116,7 @@ function inject_csp(head) let meta = document.createElement("meta"); meta.setAttribute("http-equiv", "Content-Security-Policy"); - meta.setAttribute("content", csp_rule(unique)); + meta.setAttribute("content", csp_rule(nonce)); if (head.firstElementChild === null) head.appendChild(meta); @@ -123,13 +126,23 @@ function inject_csp(head) if (!is_privileged_url(document.URL)) { start_activity_info_server(); - handle_page_actions(unique); + var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); if (is_http()) { - /* rely on CSP injected through webRequest */ + /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */ + const nonce_capturer = msg => { + port.onMessage.removeListener(nonce_capturer); + handle_page_actions(msg[1], port); + }; + + port.onMessage.addListener(nonce_capturer); + } else if (is_whitelisted()) { - /* do not block scripts at all */ + /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */ + handle_page_actions(null, port); } else { + nonce = gen_nonce(); + handle_page_actions(nonce, port); block_nodes_recursively(document.documentElement); if (is_chrome) { diff --git a/content/page_actions.js b/content/page_actions.js index fd405fe..dff5f71 100644 --- a/content/page_actions.js +++ b/content/page_actions.js 
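Review bot: `inject_csp` now reads a `nonce` that the last hunk of this file declares with `var` inside the `if (!is_privileged_url(document.URL))` block and assigns only in the final `else` branch, so on the HTTP(S) and whitelisted paths it stays `undefined`. The callers of `inject_csp` are outside the hunk; if any of them can run on those paths, `csp_rule` would be handed `undefined` instead of a random value. I would hoist the declaration to module level as `let nonce = null;` and add a comment above `inject_csp` such as `/* only valid on the non-HTTP blocking path, where nonce has been generated */`.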
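Review bot: `nonce_capturer` treats whatever message arrives first on the port as the nonce and forwards `msg[1]` unchecked, so an unrelated or malformed first message would become the script nonce given to `handle_page_actions`. Because this value decides which injected scripts the page's CSP accepts, I would check the shape before detaching the listener, e.g. `if (!Array.isArray(msg) || typeof msg[1] !== "string") return;` as the first line of the callback. `gen_nonce` is imported and not shown here; it is worth confirming that it draws from `crypto.getRandomValues` rather than `Math.random`, since a guessable nonce would let page-authored scripts satisfy the policy. The enclosing `if` block continues past the end of the hunk.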
@@ -7,7 +7,6 @@ /* * IMPORTS_START - * IMPORT CONNECTION_TYPE * IMPORT browser * IMPORT report_script * IMPORT report_settings @@ -55,9 +54,8 @@ function add_script(script_text) report_script(script_text); } -function handle_page_actions(script_nonce) { +function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js document.addEventListener("DOMContentLoaded", document_loaded); - port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); port.onMessage.addListener(handle_message); port.postMessage({url: document.URL}); |
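Review bot: `handle_page_actions` attaches its `DOMContentLoaded` listener only when it is called, and on HTTP(S) pages content/main.js now calls it from a port message callback, so the event may already have fired and `document_loaded` would then never run. A guard on `document.readyState` would cover the late case, e.g. `if (document.readyState !== "loading") document_loaded(); else document.addEventListener("DOMContentLoaded", document_loaded);`, assuming `document_loaded` does not need the event object. Separately, the removed line assigned `port` without a declaration, which suggests a module-level variable; the new parameter shadows it, so please confirm that no other function in this file still reads the old `port`. The rest of the function body lies outside the hunk.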