diff options
Diffstat (limited to 'common')
-rw-r--r-- | common/misc.js | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/common/misc.js b/common/misc.js index 0d8466e..d046b65 100644 --- a/common/misc.js +++ b/common/misc.js @@ -173,6 +173,40 @@ function parse_csp(csp) { return directives; } +/* Make CSP headers do our bidding, not interfere */ +function sanitize_csp_header(header, rule, block) +{ + const csp = parse_csp(header.value); + + if (block) { + /* No snitching */ + delete csp['report-to']; + delete csp['report-uri']; + + delete csp['script-src']; + delete csp['script-src-elem']; + + csp['script-src-attr'] = ["'none'"]; + csp['prefetch-src'] = ["'none'"]; + } + + if ('script-src' in csp) + csp['script-src'].push(rule); + else + csp['script-src'] = [rule]; + + if ('script-src-elem' in csp) + csp['script-src-elem'].push(rule); + else + csp['script-src-elem'] = [rule]; + + const new_policy = Object.entries(csp).map( + i => `${i[0]} ${i[1].join(' ')};` + ); + + return {name: header.name, value: new_policy.join('')}; +} + /* * EXPORTS_START * EXPORT gen_nonce @@ -184,6 +218,6 @@ function parse_csp(csp) { * EXPORT nice_name * EXPORT open_in_settings * EXPORT is_privileged_url - * EXPORT parse_csp + * EXPORT sanitize_csp_header * EXPORTS_END */ |