From 96068ada37bfa1d7e6485551138ba36600664caf Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Sat, 20 Nov 2021 18:29:59 +0100 Subject: replace cookies with synchronous XmlHttpRequest as policy smuggling method. Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later. --- background/policy_injector.js | 67 ++++++------------------------------------- 1 file changed, 9 insertions(+), 58 deletions(-) (limited to 'background/policy_injector.js') diff --git a/background/policy_injector.js b/background/policy_injector.js index 881595b..b49ec47 100644 --- a/background/policy_injector.js +++ b/background/policy_injector.js @@ -10,77 +10,28 @@ /* * IMPORTS_START - * IMPORT sign_data - * IMPORT extract_signed * IMPORT make_csp_rule * IMPORT csp_header_regex + * Re-enable the import below once nonce stuff here is ready + * !mport gen_nonce * IMPORTS_END */ function inject_csp_headers(headers, policy) { let csp_headers; - let old_signature; - let haketilo_header; - for (const header of headers.filter(h => h.name === "x-haketilo")) { - /* x-haketilo header has format: _0_ */ - const match = /^([^_]+)_(0_.*)$/.exec(header.value); - if (!match) - continue; + if (policy.payload) { + headers = headers.filter(h => !csp_header_regex.test(h.name)); - const result = extract_signed(...match.slice(1, 3)); - if (result.fail) - continue; + // TODO: make CSP rules with nonces and facilitate passing them to + // content scripts via dynamic content script registration or + // synchronous XHRs - /* This should succeed - it's our self-produced valid JSON. */ - const old_data = JSON.parse(decodeURIComponent(result.data)); - - /* Confirmed- it's the originals, smuggled in! */ - csp_headers = old_data.csp_headers; - old_signature = old_data.policy_sig; - - haketilo_header = header; - break; + // policy.nonce = gen_nonce(); } - if (policy.has_payload) { - csp_headers = []; - const non_csp_headers = []; - const header_list = - h => csp_header_regex.test(h) ? csp_headers : non_csp_headers; - headers.forEach(h => header_list(h.name).push(h)); - headers = non_csp_headers; - } else { - headers.push(...csp_headers || []); - } - - if (!haketilo_header) { - haketilo_header = {name: "x-haketilo"}; - headers.push(haketilo_header); - } - - if (old_signature) - headers = headers.filter(h => h.value.search(old_signature) === -1); - - const policy_str = encodeURIComponent(JSON.stringify(policy)); - const signed_policy = sign_data(policy_str, new Date().getTime()); - const later_30sec = new Date(new Date().getTime() + 30000).toGMTString(); - headers.push({ - name: "Set-Cookie", - value: `haketilo-${signed_policy.join("=")}; Expires=${later_30sec};` - }); - - /* - * Smuggle in the signature and the original CSP headers for future use. - * These are signed with a time of 0, as it's not clear there is a limit on - * how long Firefox might retain headers in the cache. - */ - let haketilo_data = {csp_headers, policy_sig: signed_policy[0]}; - haketilo_data = encodeURIComponent(JSON.stringify(haketilo_data)); - haketilo_header.value = sign_data(haketilo_data, 0).join("_"); - - if (!policy.allow) { + if (!policy.allow && (policy.nonce || !policy.payload)) { headers.push({ name: "content-security-policy", value: make_csp_rule(policy) -- cgit v1.2.3