aboutsummaryrefslogtreecommitdiff
path: root/background/policy_injector.js
AgeCommit message (Collapse)Author
2021-11-20replace cookies with synchronous XmlHttpRequest as policy smuggling method.Wojtek Kosior
Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.
2021-09-13rename the extension to "Haketilo"Wojtek Kosior
2021-09-09simplify CSP handlingWojtek Kosior
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.
2021-08-26improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 ↵Wojtek Kosior
implementation is no longer pulled in contexts that don't require it.
2021-08-23use StreamFilter under Mozilla to prevent csp <meta> tags from blocking our ↵Wojtek Kosior
injected scripts
2021-08-20sanitize `<meta>' tags containing CSP rules under ChromiumWojtek Kosior
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.
2021-08-18remove unneeded policy-related cosole messages; restore IceCat 60 compatibilityWojtek Kosior
2021-08-18implement smuggling via cookies instead of URLWojtek Kosior
2021-08-14merge facility to install from HydrillaWojtek Kosior
2021-08-04make settings_query.js use storage object passed as an argumentWojtek Kosior
2021-08-02[UNTESTED- will test] Add filtering for http-equiv CSP headersjahoti
2021-07-28Rationalize CSP violation report blocking.jahoti
Report blocking now applies iff scripts are blocked.
2021-07-26code maintenanceWojtek Kosior
2021-07-26Squash more CSP-filtering bugsjahoti
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp header to prevent re-processing issues with caching. Additionally, a default header is added for non-whitelisted domains in case there are no existing headers we can attach to.
2021-07-26Fix some bugs in the refined CSP handlingjahoti
2021-07-26[UNTESTED- will test] Use more nuanced CSP filteringjahoti
CSP headers are now parsed and processed, rather than treated as simple units. This allows us to ensure policies delivered as HTTP headers do not interfere with our script filtering, as well as to preserve useful protections while removing the ones that could be problematic. Additionally, prefetching should now be blocked on pages where native scripts aren't allowed, and all reporting of CSP violations has been stripped (is this appropriate?).
2021-07-26Remove unnecessary imports of url_item and add a CSP header-parsing functionjahoti
The parsing function isn't used yet; however, it will eventually be as a less destructive alternative to handling headers as indivisible units.
2021-07-20Merge rebranding to "Hachette"Wojtek Kosior
2021-07-20Merge commit 'ecb787046271de708b94da70240713e725299d86'Wojtek Kosior
2021-07-19Refer to the extension consistently as "Hachette" and remove TODOS.orgjahoti
from the copyright file
2021-07-18Streamline and harden unique values/settingsjahoti
The base URL is now included in the settings. The unique value no longer uses it directly, as it is included by virtue of the settings; however, the number of full hours since the epoch (UTC) is now incorporated.
2021-07-17Revamp signatures and break header caching on FFjahoti
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL. CSP headers are now _always_ cleared on FF, regardless of whether the page is whitelisted or not. This means whitelisting takes effect on page reload, rather than only when caching occurs. However, it obviously presents security issues; refinment will occur in a future commit.
2021-07-16Use URL-based policy smugglingjahoti
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there.
2021-07-12Stop using the nonce consistently for a URLjahoti
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
2021-06-30fix whitelisting under FirefoxWojtek Kosior
2021-06-30refactor 3 miscellaneous fnctionalities to a their single own fileWojtek Kosior
2021-06-30emply an sh-based build system; make some changes to blockingWojtek Kosior
2021-06-25gather all copyright info in 'copyright' fileWojtek Kosior
2021-06-18when possible inject CSP as http(s) header using webRequest instead of ↵Wojtek Kosior
adding a <meta> tag