Diffstat (limited to 'background/policy_injector.js')
-rw-r--r-- | background/policy_injector.js | 45 |
1 files changed, 32 insertions, 13 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 4f70aac..eb67963 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -21,33 +21,52 @@
 var storage;
 var query_best;
-let csp_header_names = {
+const csp_header_names = {
 "content-security-policy" : true,
 "x-webkit-csp" : true,
 "x-content-security-policy" : true
 };
-function is_noncsp_header(header)
+const header_name = "content-security-policy";
+
+function is_csp_header(header)
+{
+ return !!csp_header_names[header.name.toLowerCase()];
+}
+
+function is_our_header(header, rule)
 {
- return !csp_header_names[header.name.toLowerCase()];
+ return header.value === rule
 }
 function inject(details)
 {
- let url = url_item(details.url);
+ const url = url_item(details.url);
+
+ const [pattern, settings] = query_best(url);
+
+ const nonce = gen_unique(url);
+ const rule = csp_rule(nonce);
- let [pattern, settings] = query_best(url);
+ var headers;
- if (settings !== undefined && settings.allow)
- return {cancel : false};
+ if (settings !== undefined && settings.allow) {
+ /*
+ * Chrome doesn't have the buggy behavior of repeatedly injecting a
+ * header we injected once. Firefox does and we have to remove it there.
+ */
+ if (is_chrome)
+ return {cancel: false};
- let nonce = gen_unique(url);
- let headers = details.responseHeaders.filter(is_noncsp_header);
+ headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
+ } else {
+ headers = details.responseHeaders.filter(h => !is_csp_header(h));
- headers.push({
- name : "content-security-policy",
- value : csp_rule(nonce)
- });
+ headers.push({
+ name : header_name,
+ value : rule
+ });
+ }
 return {responseHeaders: headers};
 } |
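Review bot: `is_our_header()` identifies the extension's own header by value alone, so on the Firefox path for allowed pages any response header whose value equals `rule` is dropped regardless of its name, and the return statement is missing its semicolon; `return header.name.toLowerCase() === header_name && header.value === rule;` ties the match to the header that was actually injected. The comparison also only works if `gen_unique(url)` yields the same nonce for the same URL on every call, which is not visible in this hunk and deserves a comment next to `is_our_header`. In the `else` branch every site-supplied CSP header is still replaced by the single injected rule, so unless `csp_rule()` covers them, non-script directives the site sent (framing, form targets) are lost; a comment stating that this is intended would help. `nonce` and `rule` are now computed before the `is_chrome` early return, where they go unused.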