From 25817b68c03b25c9b4fcaba2b96ab65f2edfd63c Mon Sep 17 00:00:00 2001 From: jahoti Date: Wed, 28 Jul 2021 00:00:00 +0000 Subject: Rationalize CSP violation report blocking. Report blocking now applies iff scripts are blocked. --- background/policy_injector.js | 76 +++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/background/policy_injector.js b/background/policy_injector.js index 386cf22..f573d48 100644 --- a/background/policy_injector.js +++ b/background/policy_injector.js @@ -83,13 +83,15 @@ function process_csp_header(header, rule, block) { const csp = parse_csp(header.value); - /* No snitching */ - delete csp['report-to']; - delete csp['report-uri']; if (block) { + /* No snitching */ + delete csp['report-to']; + delete csp['report-uri']; + delete csp['script-src']; delete csp['script-src-elem']; + csp['script-src-attr'] = ["'none'"]; csp['prefetch-src'] = ["'none'"]; } 
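Review bot: The new `delete csp['report-to']` / `delete csp['report-uri']` lines under `if (block)` only suppress reporting if `parse_csp` normalises directive names to lower case; CSP directive names are ASCII case-insensitive, so a header sent as `Report-URI` or `Report-To` would survive these deletes and the page would keep reporting. `parse_csp` is not in this hunk, so either confirm it lower-cases keys or document the dependency here, e.g. `/* relies on parse_csp lower-casing directive names */`. Separately, `delete csp['script-src']` leaves any `default-src` directive in place, and scripts then fall back to it; whatever the extension does to allow its own injected scripts must happen in the part of process_csp_header that continues after this hunk, which I cannot see. Deleting `script-src` and `script-src-elem` while pinning `script-src-attr` to `'none'` is presumably deliberate (injected elements allowed, inline handlers not), and a one-line comment saying so would help the next reader.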
@@ -127,45 +129,41 @@ function headers_inject(details) for (const header of details.responseHeaders) { if (!csp_header_names.has(header)) { - /* Retain all non-snitching headers */ - if (header.name.toLowerCase() !== report_only) { - headers.push(header); - - /* If these are the original CSP headers, use them instead */ - /* Test based on url_extract_target() in misc.js */ - if (is_mozilla && header.name === "x-orig-csp") { - let index = header.value.indexOf('%5B'); - if (index === -1) - continue; - - let sig = header.value.substring(0, index); - let data = header.value.substring(index); - if (sig !== sign_policy(data, 0)) - continue; - - /* Confirmed- it's the originals, smuggled in! */ - try { - data = JSON.parse(decodeURIComponent(data)); - } catch (e) { - /* This should not be reached - - it's our self-produced valid JSON. */ - console.log("Unexpected internal error - invalid JSON smuggled!", e); - } - - orig_csp_headers = csp_headers = null; - for (const header of data) - headers.push(process_csp_header(header, rule, block)); + /* Remove headers that only snitch on us */ + if (header.name.toLowerCase() === report_only && block) + continue; + headers.push(header); + + /* If these are the original CSP headers, use them instead */ + /* Test based on url_extract_target() in misc.js */ + if (is_mozilla && header.name === "x-orig-csp") { + let index = header.value.indexOf('%5B'); + if (index === -1) + continue; + + let sig = header.value.substring(0, index); + let data = header.value.substring(index); + if (sig !== sign_policy(data, 0)) + continue; + + /* Confirmed- it's the originals, smuggled in! */ + try { + data = JSON.parse(decodeURIComponent(data)); + } catch (e) { + /* This should not be reached - + it's our self-produced valid JSON. 
*/ + console.log("Unexpected internal error - invalid JSON smuggled!", e); } - } - continue; + orig_csp_headers = csp_headers = null; + for (const header of data) + headers.push(process_csp_header(header, rule, block)); + } + } else if (is_chrome || !orig_csp_headers) { + csp_headers.push(process_csp_header(header, rule, block)); + if (is_mozilla) + orig_csp_headers.push(header); } - if (is_mozilla && !orig_csp_headers) - continue; - - csp_headers.push(process_csp_header(header, rule, block)); - if (is_mozilla) - orig_csp_headers.push(header); } if (orig_csp_headers) { -- cgit v1.2.3
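Review bot: The new `} else if (is_chrome || !orig_csp_headers) {` branch inverts the old guard: the removed code skipped a CSP header only when `is_mozilla && !orig_csp_headers`, i.e. it processed when `!is_mozilla || orig_csp_headers`, so if `is_chrome` and `is_mozilla` are complements the second operand should read `orig_csp_headers`, not `!orig_csp_headers`, giving `} else if (is_chrome || orig_csp_headers) {`. As written, on Firefox a CSP header seen before the smuggled originals (when `orig_csp_headers` is still an array) is dropped rather than processed, and one seen after `orig_csp_headers = csp_headers = null` enters the branch and `csp_headers.push(...)` throws on `null`. A second issue in the moved block: when `JSON.parse(decodeURIComponent(data))` throws, the `catch` only logs and falls through, so `for (const header of data)` then iterates the characters of the still-string `data` and passes each to `process_csp_header`; a `continue;` after the `console.log` call would make the "should not be reached" path fail closed. I also note the context line `if (!csp_header_names.has(header))` passes the header object rather than `header.name`; if `csp_header_names` is a plain `Set` of names this test is always true, but that may be a custom lookup defined outside the hunk. headers_inject begins before this hunk and its trailing `if (orig_csp_headers) {` continues past it.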