From 6b53d6c840140fc5df6d7638808b978d96502a35 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Mon, 23 Aug 2021 11:05:51 +0200
Subject: use StreamFilter under Mozilla to prevent csp tags from blocking our injected scripts
---
 background/main.js | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 4 deletions(-)
(limited to 'background/main.js')
diff --git a/background/main.js b/background/main.js
index 7c50fd5..85f8ce8 100644
--- a/background/main.js
+++ b/background/main.js
@@ -11,18 +11,21 @@
 * IMPORT get_storage
 * IMPORT start_storage_server
 * IMPORT start_page_actions_server
- * IMPORT start_policy_injector
 * IMPORT browser
+ * IMPORT is_privileged_url
+ * IMPORT query_best
+ * IMPORT gen_nonce
+ * IMPORT inject_csp_headers
+ * IMPORT apply_stream_filter
+ * IMPORT is_chrome
 * IMPORTS_END
 */
 start_storage_server();
 start_page_actions_server();
-start_policy_injector();
 async function init_ext(install_details)
 {
- console.log("details:", install_details);
 if (install_details.reason != "install")
 return;
@@ -44,4 +47,53 @@ async function init_ext(install_details)
 browser.runtime.onInstalled.addListener(init_ext);
-console.log("hello, hachette");
+
+let storage;
+
+function on_headers_received(details)
+{
+ const url = details.url;
+ if (is_privileged_url(details.url))
+ return;
+
+ const [pattern, settings] = query_best(storage, details.url);
+ const allow = !!(settings && settings.allow);
+ const nonce = gen_nonce();
+ const policy = {allow, url, nonce};
+
+ let headers = details.responseHeaders;
+ let skip = false;
+ for (const header of headers) {
+ if ((header.name.toLowerCase().trim() === "content-disposition" &&
+ /^\s*attachment\s*(;.*)$/i.test(header.value)))
+ skip = true;
+ }
+
+ headers = inject_csp_headers(details, headers, policy);
+
+ skip = skip || (details.statusCode >= 300 && details.statusCode < 400);
+ if (!skip) {
+ /* Check for API availability. */
+ if (browser.webRequest.filterResponseData)
+ headers = apply_stream_filter(details, headers, policy);
+ }
+
+ return {responseHeaders: headers};
+}
+
+async function start_webRequest_operations()
+{
+ storage = await get_storage();
+
+ const extra_opts = ["blocking", "responseHeaders"];
+ if (is_chrome)
+ extra_opts.push("extraHeaders");
+
+ browser.webRequest.onHeadersReceived.addListener(
+ on_headers_received,
+ {urls: [""], types: ["main_frame", "sub_frame"]},
+ extra_opts
+ );
+}
+
+start_webRequest_operations();
-- cgit v1.2.3
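Review bot: The attachment check in `on_headers_received` misses a bare `Content-Disposition: attachment`, because the group `(;.*)` in `/^\s*attachment\s*(;.*)$/i` is mandatory, so only values that carry parameters set `skip`. A download sent without a `filename` parameter would then still be handed to `apply_stream_filter`, which presumably rewrites the body as if it were a page. Making the group optional closes this: `/^\s*attachment\s*(;.*)?$/i.test(header.value)`. Separately, the listener is registered only after `await get_storage()` resolves, so responses arriving before that get neither the injected CSP headers nor the filter; if that start-up window is accepted, it deserves a comment at `start_webRequest_operations`.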