Diffstat (limited to 'background')
-rw-r--r--background/policy_injector.js29
1 files changed, 13 insertions, 16 deletions
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 9e8ed61..8a767fb 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -12,6 +12,7 @@
* IMPORT get_storage
* IMPORT browser
* IMPORT is_chrome
+ * IMPORT is_mozilla
* IMPORT gen_unique
* IMPORT gen_nonce
* IMPORT url_item
@@ -45,23 +46,24 @@ function is_our_header(header, rule)
function url_inject(details)
{
const targets = url_extract_policy(details.url);
- if (targets.policy) {
+ if (targets.valid_sig) {
return;
- } else if (targets.signed) {
+ } else if (targets.policy) {
/* Redirect; update policy */
targets.target = targets.target2;
delete targets.target2
}
- let redirect_url = targets.base_url + targets.sig;
let [pattern, settings] = query_best(targets.base_url);
if (!pattern)
/* Defaults */
settings = {};
const policy = {allow: settings.allow, nonce: gen_nonce()};
+ const policy_string = encodeURIComponent(JSON.stringify(policy));
+ const sig = gen_unique(policy_string + targets.base_url);
- redirect_url += encodeURIComponent(JSON.stringify(policy));
+ let redirect_url = targets.base_url + '#' + sig + policy_string;
if (targets.target)
redirect_url += targets.target;
if (targets.target2)
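Review bot: The signature computed at `const sig = gen_unique(policy_string + targets.base_url);` covers only the policy and the base URL, so nothing visible in the signed input limits how long a signed fragment stays acceptable. If `url_extract_policy` (outside this hunk) sets `valid_sig` by recomputing that same value, a URL signed while `settings.allow` was true would presumably keep passing the early `if (targets.valid_sig) return;` after the user's settings change. Consider comparing the embedded policy with the current `query_best` result before returning early, or adding a value that changes with the settings to the signed input. The `/* Redirect; update policy */` comment would also be clearer as `/* Policy present but signature invalid: redirect with a freshly signed policy */`. The body of url_inject continues past the end of this hunk.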
@@ -73,31 +75,26 @@ function url_inject(details)
function inject(details)
{
const targets = url_extract_policy(details.url);
- if (!targets.policy)
+ if (!targets.valid_sig)
/* Block unsigned requests */
return {cancel: true};
const rule = csp_rule(targets.policy.nonce);
- var headers;
+ var headers = details.responseHeaders;
- if (targets.policy.allow) {
+ if (!targets.policy.allow || is_mozilla)
/*
- * Chrome doesn't have the buggy behavior of repeatedly injecting a
- * header we injected once. Firefox does and we have to remove it there.
+ * Chrome doesn't have the buggy behavior of caching headers
+ * we injected. Firefox does and we have to remove it there.
*/
- if (is_chrome)
- return {cancel: false};
-
- headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
- } else {
- headers = details.responseHeaders.filter(h => !is_csp_header(h));
+ headers = headers.filter(h => !is_csp_header(h));
+ if (!targets.policy.allow)
headers.push({
name : header_name,
value : rule
});
- }
return {responseHeaders: headers};
}
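Review bot: With `if (!targets.policy.allow || is_mozilla)` the Firefox path for allowed pages now filters with `is_csp_header` instead of the previous `is_our_header(h, rule)`, so, assuming `is_csp_header` (defined outside this hunk) matches every CSP header, a site's own Content-Security-Policy is dropped on allowed pages and nothing is pushed in its place. If the intent is only to discard a cached header this extension injected earlier, the allow case should filter on a predicate that recognises just those headers; at minimum the comment should state the effect, e.g. `/* On Firefox this also removes the site's own CSP headers, including on allowed pages. */`. The unbraced `if` followed by a block comment and then the statement it guards is easy to misread; braces around `headers = headers.filter(...)` and around the `headers.push(...)` call would make the scope explicit.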