diff options
Diffstat (limited to 'common/misc.js')
-rw-r--r-- | common/misc.js | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/common/misc.js b/common/misc.js index 0d8466e..3c7dc46 100644 --- a/common/misc.js +++ b/common/misc.js @@ -12,6 +12,7 @@ * IMPORT browser * IMPORT is_chrome * IMPORT TYPE_NAME + * IMPORT TYPE_PREFIX * IMPORTS_END */ @@ -173,6 +174,52 @@ function parse_csp(csp) { return directives; } +/* Make CSP headers do our bidding, not interfere */ +function sanitize_csp_header(header, rule, block) +{ + const csp = parse_csp(header.value); + + if (block) { + /* No snitching */ + delete csp['report-to']; + delete csp['report-uri']; + + delete csp['script-src']; + delete csp['script-src-elem']; + + csp['script-src-attr'] = ["'none'"]; + csp['prefetch-src'] = ["'none'"]; + } + + if ('script-src' in csp) + csp['script-src'].push(rule); + else + csp['script-src'] = [rule]; + + if ('script-src-elem' in csp) + csp['script-src-elem'].push(rule); + else + csp['script-src-elem'] = [rule]; + + const new_policy = Object.entries(csp).map( + i => `${i[0]} ${i[1].join(' ')};` + ); + + return {name: header.name, value: new_policy.join('')}; +} + +/* Regexes and objest to use as/in schemas for parse_json_with_schema(). */ +const nonempty_string_matcher = /.+/; + +const matchers = { + sha256: /^[0-9a-f]{64}$/, + nonempty_string: nonempty_string_matcher, + component: [ + new RegExp(`^[${TYPE_PREFIX.SCRIPT}${TYPE_PREFIX.BAG}]$`), + nonempty_string_matcher + ] +}; + /* * EXPORTS_START * EXPORT gen_nonce @@ -184,6 +231,7 @@ function parse_csp(csp) { * EXPORT nice_name * EXPORT open_in_settings * EXPORT is_privileged_url - * EXPORT parse_csp + * EXPORT sanitize_csp_header + * EXPORT matchers * EXPORTS_END */ |