From 5b419aedd564e6506aa2fc8bddcaa5d601888f17 Mon Sep 17 00:00:00 2001
From: jahoti
Date: Mon, 2 Aug 2021 00:00:00 +0000
Subject: [UNTESTED- will test] Add filtering for http-equiv CSP headers
---
 background/policy_injector.js | 40 +++-------------------------------------
 common/misc.js | 36 +++++++++++++++++++++++++++++++++++-
 content/main.js | 27 +++++++++++++++++++--------
 3 files changed, 57 insertions(+), 46 deletions(-)
diff --git a/background/policy_injector.js b/background/policy_injector.js
index f573d48..80a0e3b 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -19,7 +19,7 @@
 * IMPORT url_extract_target
 * IMPORT sign_policy
 * IMPORT get_query_best
- * IMPORT parse_csp
+ * IMPORT sanitize_csp_header
 * IMPORTS_END
 */
@@ -79,40 +79,6 @@ function url_inject(details)
 };
 }
-function process_csp_header(header, rule, block)
-{
- const csp = parse_csp(header.value);
-
-
- if (block) {
- /* No snitching */
- delete csp['report-to'];
- delete csp['report-uri'];
-
- delete csp['script-src'];
- delete csp['script-src-elem'];
-
- csp['script-src-attr'] = ["'none'"];
- csp['prefetch-src'] = ["'none'"];
- }
-
- if ('script-src' in csp)
- csp['script-src'].push(rule);
- else
- csp['script-src'] = [rule];
-
- if ('script-src-elem' in csp)
- csp['script-src-elem'].push(rule);
- else
- csp['script-src-elem'] = [rule];
-
- const new_policy = Object.entries(csp).map(
- i => `${i[0]} ${i[1].join(' ')};`
- );
-
- return {name: header.name, value: new_policy.join('')};
-}
-
 function headers_inject(details)
 {
 const targets = url_extract_target(details.url);
@@ -157,10 +123,10 @@ function headers_inject(details)
 orig_csp_headers = csp_headers = null;
 for (const header of data)
- headers.push(process_csp_header(header, rule, block));
+ headers.push(sanitize_csp_header(header, rule, block));
 }
 } else if (is_chrome || !orig_csp_headers) {
- csp_headers.push(process_csp_header(header, rule, block));
+ csp_headers.push(sanitize_csp_header(header, rule, block));
 if (is_mozilla)
 orig_csp_headers.push(header);
 }
diff --git a/common/misc.js b/common/misc.js
index 0d8466e..d046b65 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -173,6 +173,40 @@ function parse_csp(csp) {
 return directives;
 }
+/* Make CSP headers do our bidding, not interfere */
+function sanitize_csp_header(header, rule, block)
+{
+ const csp = parse_csp(header.value);
+
+ if (block) {
+ /* No snitching */
+ delete csp['report-to'];
+ delete csp['report-uri'];
+
+ delete csp['script-src'];
+ delete csp['script-src-elem'];
+
+ csp['script-src-attr'] = ["'none'"];
+ csp['prefetch-src'] = ["'none'"];
+ }
+
+ if ('script-src' in csp)
+ csp['script-src'].push(rule);
+ else
+ csp['script-src'] = [rule];
+
+ if ('script-src-elem' in csp)
+ csp['script-src-elem'].push(rule);
+ else
+ csp['script-src-elem'] = [rule];
+
+ const new_policy = Object.entries(csp).map(
+ i => `${i[0]} ${i[1].join(' ')};`
+ );
+
+ return {name: header.name, value: new_policy.join('')};
+}
+
 /*
 * EXPORTS_START
 * EXPORT gen_nonce
@@ -184,6 +218,6 @@ function parse_csp(csp) {
 * EXPORT nice_name
 * EXPORT open_in_settings
 * EXPORT is_privileged_url
- * EXPORT parse_csp
+ * EXPORT sanitize_csp_header
 * EXPORTS_END
 */
diff --git a/content/main.js b/content/main.js
index 9ed557c..5edb8a6 100644
--- a/content/main.js
+++ b/content/main.js
@@ -19,6 +19,7 @@
 * IMPORT is_chrome
 * IMPORT is_mozilla
 * IMPORT start_activity_info_server
+ * IMPORT sanitize_csp_header
 * IMPORTS_END
 */
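Review bot: The directive lookups in `sanitize_csp_header` (common/misc.js, hunk -173,6 +173,40), such as `delete csp['report-uri']` and `'script-src' in csp`, match names by exact lower-case key, while CSP directive names are ASCII case-insensitive. Only the tail of `parse_csp` is visible here, so this may already be handled, but if it keeps the page's spelling, a policy written as `Script-Src …` would survive block mode and sit ahead of the injected `script-src` in the rebuilt string, where browsers honour only the first occurrence of a directive. Lower-casing the name at the point where `parse_csp` stores it would close that gap. Since the function is now shared by two callers, the header comment could also state the contract, for example `/* header: {name?, value}; rule: CSP source expression to allow; block: drop the page's script sources and reporting. Returns a new {name, value}. */`.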
@@ -65,6 +66,17 @@ function block_node(node)
 block_script(node);
 return;
 }
+
+ else if (node.tagName === 'META' &&
+ node.getAttribute('http-equiv') === 'content-security-policy') {
+
+ node.content = sanitize_csp_header(
+ {value: node.content},
+ `'nonce-${nonce}'`,
+ !policy.allow
+ ).value;
+ return;
+ }
 sanitize_attributes(node);
@@ -114,14 +126,13 @@ if (!is_privileged_url(document.URL)) {
 if (!policy.allow) {
 block_nodes_recursively(document.documentElement);
- if (is_chrome) {
- var observer = new MutationObserver(handle_mutation);
- observer.observe(document.documentElement, {
- attributes: true,
- childList: true,
- subtree: true
- });
- }
+ /* Now needed on Mozilla as well to sanitize CSP header */
+ var observer = new MutationObserver(handle_mutation);
+ observer.observe(document.documentElement, {
+ attributes: true,
+ childList: true,
+ subtree: true
+ });
 if (is_mozilla)
 addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);
-- 
cgit v1.2.3
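Review bot: The `http-equiv` test added to `block_node` (content/main.js, hunk -65,6 +66,17) compares with `=== 'content-security-policy'`, but browsers match this attribute ASCII case-insensitively and pages commonly write `Content-Security-Policy`, so those meta elements would skip the new branch and fall through to `sanitize_attributes(node)` with their policy untouched. A case-folded comparison such as `(node.getAttribute('http-equiv') || '').toLowerCase() === 'content-security-policy'` covers them. Separately, the CSP specification notes that changes to a meta element's `content` after the element has been parsed are ignored, so when this is tested it is worth confirming that rewriting `node.content` from the mutation callback actually changes the enforced policy. `block_node` starts and ends outside this hunk.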
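Review bot: The observer now registered on both browsers in the `if (!policy.allow)` branch (content/main.js, hunk -114,14 +126,13) watches `attributes: true` across the subtree, and the new meta branch in `block_node` writes `node.content`, which itself produces an attribute mutation record. `handle_mutation` is outside this patch, so this is inferred, but if it passes attribute records back to `block_node`, the meta element would be re-sanitized on every callback. Assigning only on change, e.g. `if (node.content !== sanitized) node.content = sanitized;`, breaks that cycle. The observer is also never disconnected, and `const observer` would suit better than `var` if nothing outside the block reads it.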