summaryrefslogtreecommitdiff
path: root/content
AgeCommit message (Collapse)Author
2021-07-17Revamp signatures and break header caching on FFjahoti
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL. CSP headers are now _always_ cleared on FF, regardless of whether the page is whitelisted or not. This means whitelisting takes effect on page reload, rather than only when caching occurs. However, it obviously presents security issues; refinment will occur in a future commit.
2021-07-16Use URL-based policy smugglingjahoti
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there.
2021-07-12merge jahoti into masterWojtek Kosior
2021-07-12Stop using the nonce consistently for a URLjahoti
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
2021-07-11Remove redundant nonce-based filtering in the script suppressorjahoti
2021-07-06show some settings of the current page in the popupWojtek Kosior
2021-07-02move parsing of url with targets to misc.jsWojtek Kosior
2021-06-30refactor 3 miscellaneous fnctionalities to a their single own fileWojtek Kosior
2021-06-30emply an sh-based build system; make some changes to blockingWojtek Kosior
2021-06-28Index two new files intended for the previous commit.jahoti
2021-06-28License script-blocking techniques from NoScript in machine-readable format.jahoti
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete.
2021-06-25gather all copyright info in 'copyright' fileWojtek Kosior
2021-06-18when possible inject CSP as http(s) header using webRequest instead of ↵Wojtek Kosior
adding a <meta> tag
2021-06-14change licensesWojtek Kosior
2021-05-13utilize CSP for blockingWojtek Kosior
2021-05-12use unique hashes when smuggling whitelist settingWojtek Kosior
2021-05-12stop using js modulesWojtek Kosior
2021-05-10initial commitWojtek Kosior