1 files changed, 12 insertions, 11 deletions

diff --git a/common/signing.js b/common/signing.js
index 2171714..11cd442 100644
--- a/common/signing.js
+++ b/common/signing.js
@@ -1,6 +1,7 @@
 /**
- * part of Hachette
- * Functions related to "signing" of data, refactored to a separate file.
+ * This file is part of Haketilo.
+ *
+ * Functions: Operations related to "signing" of data.
  *
  * Copyright (C) 2021 Wojtek Kosior
  * Redistribution terms are gathered in the `copyright' file.
@@ -10,13 +11,13 @@
  * IMPORTS_START
  * IMPORT sha256
  * IMPORT browser
- * IMPORT is_chrome
+ * IMPORT is_mozilla
  * IMPORTS_END
  */
 
 /*
  * In order to make certain data synchronously accessible in certain contexts,
- * hachette smuggles it in string form in places like cookies, URLs and headers.
+ * Haketilo smuggles it in string form in places like cookies, URLs and headers.
  * When using the smuggled data, we first need to make sure it isn't spoofed.
  * For that, we use this pseudo-signing mechanism.
  *
@@ -30,18 +31,18 @@
  *
  * The secret shared between execution contexts has to be available
  * synchronously. Under Mozilla, this is the extension's per-session id. Under
- * Chromium, this is the key that resides in the manifest.
- *
- * An idea to (under Chromium) instead store the secret in a file fetched
- * synchronously using XMLHttpRequest is being considered.
+ * Chromium, this is a dummy web-accessible-resource name that resides in the
+ * manifest and is supposed to be constructed by each user using a unique value
+ * (this is done automatically by `build.sh').
  */
 
 function get_secret()
 {
-    if (is_chrome)
-	return browser.runtime.getManifest().key.substring(0, 50);
-    else
+    if (is_mozilla)
 	return browser.runtime.getURL("dummy");
+
+    return chrome.runtime.getManifest().web_accessible_resources
+	.map(r => /^chromium-key-dummy-file-(.*)/.exec(r)).filter(r => r)[0][1];
 }
 
 function extract_signed(signature, signed_data)