-rw-r--r-- | background/policy_injector.js | 58 |
1 files changed, 27 insertions, 31 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index f58fb71..386cf22 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -26,27 +26,23 @@ var storage;
 var query_best;
-const csp_header_names = {
- "content-security-policy" : true,
- "x-webkit-csp" : true,
- "x-content-security-policy" : true
-};
-
-const unwanted_csp_directives = {
- "report-to" : true,
- "report-uri" : true,
- "script-src" : true,
- "script-src-elem" : true,
- "prefetch-src": true
-};
+const csp_header_names = new Set([
+ "content-security-policy",
+ "x-webkit-csp",
+ "x-content-security-policy"
+]);
+
+/* TODO: variable no longer in use; remove if not needed */
+const unwanted_csp_directives = new Set([
+ "report-to",
+ "report-uri",
+ "script-src",
+ "script-src-elem",
+ "prefetch-src"
+]);
 const report_only = "content-security-policy-report-only";
-function not_csp_header(header)
-{
- return !csp_header_names[header.name.toLowerCase()];
-}
-
 function url_inject(details)
 {
 if (is_privileged_url(details.url))
@@ -86,18 +82,18 @@ function url_inject(details)
 function process_csp_header(header, rule, block)
 {
 const csp = parse_csp(header.value);
-
+
 /* No snitching */
 delete csp['report-to'];
 delete csp['report-uri'];
-
+
 if (block) {
 delete csp['script-src'];
 delete csp['script-src-elem'];
 csp['script-src-attr'] = ["'none'"];
 csp['prefetch-src'] = ["'none'"];
 }
-
+
 if ('script-src' in csp)
 csp['script-src'].push(rule);
 else
@@ -107,12 +103,12 @@ function process_csp_header(header, rule, block)
 csp['script-src-elem'].push(rule);
 else
 csp['script-src-elem'] = [rule];
-
+
 const new_policy = Object.entries(csp).map(
- i => i[0] + ' ' + i[1].join(' ') + ';'
+ i => `${i[0]} ${i[1].join(' ')};`
 );
-
- return {name: header.name, value: new_policy.join('')}
+
+ return {name: header.name, value: new_policy.join('')};
 }
 function headers_inject(details)
@@ -128,13 +124,13 @@ function headers_inject(details)
 const rule = `'nonce-${targets.policy.nonce}'`;
 const block = !targets.policy.allow;
-
- for (let header of details.responseHeaders) {
- if (not_csp_header(header)) {
+
+ for (const header of details.responseHeaders) {
+ if (!csp_header_names.has(header)) {
 /* Retain all non-snitching headers */
 if (header.name.toLowerCase() !== report_only) {
 headers.push(header);
-
+
 /* If these are the original CSP headers, use them instead */
 /* Test based on url_extract_target() in misc.js */
 if (is_mozilla && header.name === "x-orig-csp") {
@@ -157,7 +153,7 @@ function headers_inject(details)
 }
 orig_csp_headers = csp_headers = null;
- for (let header of data)
+ for (const header of data)
 headers.push(process_csp_header(header, rule, block));
 }
 }
@@ -166,7 +162,7 @@ function headers_inject(details)
 }
 if (is_mozilla && !orig_csp_headers)
 continue;
-
+
 csp_headers.push(process_csp_header(header, rule, block));
 if (is_mozilla)
 orig_csp_headers.push(header);
|
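Review bot: `csp_header_names.has(header)` in the first hunk of headers_inject passes the whole header object to a Set that holds lowercase header-name strings, so the lookup is always false and every response header, including the page's own Content-Security-Policy, takes the "Retain all non-snitching headers" branch; the removed `not_csp_header()` normalised with `header.name.toLowerCase()` and this conversion lost that. With the original CSP forwarded untouched, the `process_csp_header()` call that appears to sit on the other branch of this condition is never reached for real CSP headers, so neither the nonce in `rule` nor the `'none'` directives applied when `block` is set ever take effect, which silently defeats both script injection and script blocking. Change the test to `if (!csp_header_names.has(header.name.toLowerCase())) {`. The body of headers_inject continues outside the hunk.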