Diffstat (limited to 'background')
-rw-r--r-- | background/policy_injector.js | 29 |
1 files changed, 13 insertions, 16 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 9e8ed61..8a767fb 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -12,6 +12,7 @@
  * IMPORT get_storage
  * IMPORT browser
  * IMPORT is_chrome
+ * IMPORT is_mozilla
  * IMPORT gen_unique
  * IMPORT gen_nonce
  * IMPORT url_item
@@ -45,23 +46,24 @@ function is_our_header(header, rule)
 function url_inject(details)
 {
 const targets = url_extract_policy(details.url);
- if (targets.policy) {
+ if (targets.valid_sig) {
 return;
- } else if (targets.signed) {
+ } else if (targets.policy) {
 /* Redirect; update policy */
 targets.target = targets.target2;
 delete targets.target2
 }
- let redirect_url = targets.base_url + targets.sig;
 let [pattern, settings] = query_best(targets.base_url);
 if (!pattern) /* Defaults */ settings = {};
 const policy = {allow: settings.allow, nonce: gen_nonce()};
+ const policy_string = encodeURIComponent(JSON.stringify(policy));
+ const sig = gen_unique(policy_string + targets.base_url);
- redirect_url += encodeURIComponent(JSON.stringify(policy));
+ let redirect_url = targets.base_url + '#' + sig + policy_string;
 if (targets.target)
 redirect_url += targets.target;
 if (targets.target2)
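Review bot: `const sig = gen_unique(policy_string + targets.base_url);` turns the fragment signature into the only thing separating a policy the extension issued from one supplied by page content (the `inject` hunk below cancels requests whose `valid_sig` is false), yet nothing here records that `gen_unique` has to be keyed with a secret that pages cannot read; if it is a plain hash or counter, a valid `sig` for an `allow` policy could presumably be computed by anyone. A comment above that line, e.g. `/* sig must be unforgeable by page content: gen_unique is expected to mix in a secret unavailable to pages */`, would make the requirement visible at the call site. The two inputs are also concatenated without a delimiter; `policy_string` is percent-encoded so it cannot contain `#`, but reusing the same `'#'` separator in the signed message would remove any doubt about where the policy ends and the URL begins. url_inject's body continues past the end of the hunk.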
@@ -73,31 +75,26 @@ function url_inject(details)
 function inject(details)
 {
 const targets = url_extract_policy(details.url);
- if (!targets.policy)
+ if (!targets.valid_sig)
 /* Block unsigned requests */ return {cancel: true};
 const rule = csp_rule(targets.policy.nonce);
- var headers;
+ var headers = details.responseHeaders;
- if (targets.policy.allow) {
+ if (!targets.policy.allow || is_mozilla)
 /*
- * Chrome doesn't have the buggy behavior of repeatedly injecting a
- * header we injected once. Firefox does and we have to remove it there.
+ * Chrome doesn't have the buggy behavior of caching headers
+ * we injected. Firefox does and we have to remove it there.
 */
- if (is_chrome)
- return {cancel: false};
-
- headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
- } else {
- headers = details.responseHeaders.filter(h => !is_csp_header(h));
+ headers = headers.filter(h => !is_csp_header(h));
+ if (!targets.policy.allow)
 headers.push({
 name : header_name,
 value : rule
 });
- }
 return {responseHeaders: headers};
 }
|
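Review bot: With `is_mozilla` set and `targets.policy.allow` truthy, the new condition `if (!targets.policy.allow || is_mozilla)` strips every CSP header via `is_csp_header` and the following `if (!targets.policy.allow)` pushes nothing back, so on Firefox an allowed page is delivered with its own site-supplied Content-Security-Policy removed as well, whereas the old branch only removed the extension's header via `is_our_header(h, rule)`. If losing the site's policy is the accepted price of the Firefox caching workaround (for instance because a cached copy carries an older nonce that `is_our_header` no longer matches), that tradeoff belongs in the comment; otherwise the allow case should filter only the extension's own header. The braceless `if` with a block comment between the condition and its single statement is easy to misread as also governing the second `if` and the `headers.push`; braces around the body would make the two conditions visibly independent. `var headers` could be `let headers = details.responseHeaders;` since the function already uses `const`.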