From ecb787046271de708b94da70240713e725299d86 Mon Sep 17 00:00:00 2001
From: jahoti <jahoti@tilde.team>
Date: Sun, 18 Jul 2021 00:00:00 +0000
Subject: Streamline and harden unique values/settings

The base URL is now included in the settings. The unique value no longer uses
it directly, as it is included by virtue of the settings; however, the number
of full hours since the epoch (UTC) is now incorporated.
---
 background/policy_injector.js | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

(limited to 'background/policy_injector.js')

diff --git a/background/policy_injector.js b/background/policy_injector.js
index 8a767fb..2cd7b6e 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -17,6 +17,7 @@
  * IMPORT gen_nonce
  * IMPORT url_item
  * IMPORT url_extract_policy
+ * IMPORT sign_policy
  * IMPORT get_query_best
  * IMPORT csp_rule
  * IMPORTS_END
@@ -46,7 +47,7 @@ function is_our_header(header, rule)
 function url_inject(details)
 {
     const targets = url_extract_policy(details.url);
-    if (targets.valid_sig) {
+    if (targets.current) {
 	return;
     } else if (targets.policy) {
 	/* Redirect; update policy */
@@ -59,11 +60,16 @@ function url_inject(details)
 	/* Defaults */
 	settings = {};
     
-    const policy = {allow: settings.allow, nonce: gen_nonce()};
-    const policy_string = encodeURIComponent(JSON.stringify(policy));
-    const sig = gen_unique(policy_string + targets.base_url);
+    const policy = encodeURIComponent(
+	JSON.stringify({
+	    allow: settings.allow,
+	    nonce: gen_nonce(),
+	    base_url: targets.base_url
+	})
+    );
     
-    let redirect_url = targets.base_url + '#' + sig + policy_string;
+    let redirect_url = targets.base_url;
+    redirect_url += '#' + sign_policy(policy, new Date()) + policy;
     if (targets.target)
 	redirect_url += targets.target;
     if (targets.target2)
@@ -75,12 +81,11 @@ function url_inject(details)
 function inject(details)
 {
     const targets = url_extract_policy(details.url);
-    if (!targets.valid_sig)
-	/* Block unsigned requests */
+    if (!targets.current)
+	/* Block mis-/unsigned requests */
 	return {cancel: true};
 
     const rule = csp_rule(targets.policy.nonce);
-
     var headers = details.responseHeaders;
 
     if (!targets.policy.allow || is_mozilla)
-- 
cgit v1.2.3