-rw-r--r--background/policy_injector.js58
1 files changed, 27 insertions, 31 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index f58fb71..386cf22 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -26,27 +26,23 @@
var storage;
var query_best;
-const csp_header_names = {
- "content-security-policy" : true,
- "x-webkit-csp" : true,
- "x-content-security-policy" : true
-};
-
-const unwanted_csp_directives = {
- "report-to" : true,
- "report-uri" : true,
- "script-src" : true,
- "script-src-elem" : true,
- "prefetch-src": true
-};
+const csp_header_names = new Set([
+ "content-security-policy",
+ "x-webkit-csp",
+ "x-content-security-policy"
+]);
+
+/* TODO: variable no longer in use; remove if not needed */
+const unwanted_csp_directives = new Set([
+ "report-to",
+ "report-uri",
+ "script-src",
+ "script-src-elem",
+ "prefetch-src"
+]);
const report_only = "content-security-policy-report-only";
-function not_csp_header(header)
-{
- return !csp_header_names[header.name.toLowerCase()];
-}
-
function url_inject(details)
{
if (is_privileged_url(details.url))
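Review bot: `unwanted_csp_directives` is rebuilt as a Set even though the TODO added right above it says nothing reads it any more, and the names it lists are the same ones `process_csp_header` deletes and overrides by literal key further down, so the two copies can silently drift. If no other background script in this extension reads the module-level constant (cannot be confirmed from this file alone), drop the declaration together with its TODO rather than carrying dead data; if it is meant to stay as the single source of truth, `process_csp_header` should iterate it instead of repeating the names. The `not_csp_header` helper is removed here, so the header-name lookup it performed (`header.name.toLowerCase()`) now has to live at the call site in `headers_inject`. `url_inject` starts at the end of this hunk and continues outside it.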
@@ -86,18 +82,18 @@ function url_inject(details)
function process_csp_header(header, rule, block)
{
const csp = parse_csp(header.value);
-
+
/* No snitching */
delete csp['report-to'];
delete csp['report-uri'];
-
+
if (block) {
delete csp['script-src'];
delete csp['script-src-elem'];
csp['script-src-attr'] = ["'none'"];
csp['prefetch-src'] = ["'none'"];
}
-
+
if ('script-src' in csp)
csp['script-src'].push(rule);
else
@@ -107,12 +103,12 @@ function process_csp_header(header, rule, block)
csp['script-src-elem'].push(rule);
else
csp['script-src-elem'] = [rule];
-
+
const new_policy = Object.entries(csp).map(
- i => i[0] + ' ' + i[1].join(' ') + ';'
+ i => `${i[0]} ${i[1].join(' ')};`
);
-
- return {name: header.name, value: new_policy.join('')}
+
+ return {name: header.name, value: new_policy.join('')};
}
function headers_inject(details)
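Review bot: The new template-literal callback still reads the entry tuple positionally (`i[0]`, `i[1]`), which hides what each part is; destructuring names them: `` ([directive, sources]) => `${directive} ${sources.join(' ')};` ``. A short comment on `new_policy` would also help, since the serialized form relies on every value in `csp` being an array, which the code above guarantees only for the keys it sets itself: `/* each directive is "name src1 src2;"; values are assumed to be arrays as produced by parse_csp */`. `process_csp_header` begins before this hunk.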
@@ -128,13 +124,13 @@ function headers_inject(details)
const rule = `'nonce-${targets.policy.nonce}'`;
const block = !targets.policy.allow;
-
- for (let header of details.responseHeaders) {
- if (not_csp_header(header)) {
+
+ for (const header of details.responseHeaders) {
+ if (!csp_header_names.has(header)) {
/* Retain all non-snitching headers */
if (header.name.toLowerCase() !== report_only) {
headers.push(header);
-
+
/* If these are the original CSP headers, use them instead */
/* Test based on url_extract_target() in misc.js */
if (is_mozilla && header.name === "x-orig-csp") {
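Review bot: `csp_header_names.has(header)` at the top of the loop tests the header object against a Set of lowercase name strings, so it is always false and every CSP header is routed into the "retain" branch untouched; the removed `not_csp_header` looked up `header.name.toLowerCase()`, and that lookup was lost in the Set conversion. The visible consequence is that the original policy passes through unmodified: the nonce rule is never added to `script-src`/`script-src-elem`, in block mode `script-src` is not replaced and `script-src-attr`/`prefetch-src` are not forced to `'none'`, and `report-uri`/`report-to` survive, so the page keeps both its script policy and its violation reporting. The condition should be `if (!csp_header_names.has(header.name.toLowerCase())) {`. The only header this still catches is `x-orig-csp` via the separate `is_mozilla` check, which appears to be the path that reaches `process_csp_header` at all. `headers_inject` starts before this hunk and continues past it.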
@@ -157,7 +153,7 @@ function headers_inject(details)
}
orig_csp_headers = csp_headers = null;
- for (let header of data)
+ for (const header of data)
headers.push(process_csp_header(header, rule, block));
}
}
@@ -166,7 +162,7 @@ function headers_inject(details)
}
if (is_mozilla && !orig_csp_headers)
continue;
-
+
csp_headers.push(process_csp_header(header, rule, block));
if (is_mozilla)
orig_csp_headers.push(header);