From 5dab077b9bb7564f2c556b197c5c416c41783112 Mon Sep 17 00:00:00 2001
From: jahoti
Date: Mon, 6 Sep 2021 00:00:00 +0000
Subject: Replace CSP filtering with blocking CSP headers are now blocked completely rather than modified. Also, filtering is applied whenever a payload is injected.
---
background/policy_injector.js | 66 +++++++------------------------------------
1 file changed, 10 insertions(+), 56 deletions(-)
(limited to 'background')
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 72318d4..318190b 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -11,54 +11,24 @@
  * IMPORT sign_data
  * IMPORT extract_signed
  * IMPORT sanitize_csp_header
- * IMPORT csp_rule
+ * IMPORT make_csp_rule
  * IMPORT is_csp_header_name
  * IMPORTS_END
  */
 
 function inject_csp_headers(headers, policy)
 {
-    let csp_headers;
-    let old_signature;
-    let hachette_header;
+    if (!policy.allow || policy.has_payload) {
+        /* Remove report-only CSP headers that snitch on us. */
+        headers = headers.filter(h => !is_csp_header_name(h.name, true));
 
-    for (const header of headers.filter(h => h.name === "x-hachette")) {
-        /* x-hachette header has format: _0_ */
-        const match = /^([^_]+)_(0_.*)$/.exec(header.value);
-        if (!match)
-            continue;
-
-        const result = extract_signed(...match.slice(1, 3));
-        if (result.fail)
-            continue;
-
-        /* This should succeed - it's our self-produced valid JSON. */
-        const old_data = JSON.parse(decodeURIComponent(result.data));
-
-        /* Confirmed- it's the originals, smuggled in! */
-        csp_headers = old_data.csp_headers;
-        old_signature = old_data.policy_sig;
-
-        hachette_header = header;
-        break;
-    }
-
-    if (!hachette_header) {
-        hachette_header = {name: "x-hachette"};
-        headers.push(hachette_header);
+        /* Add our own CSP header */
+        headers.push({
+            name: "content-security-policy",
+            value: make_csp_rule(policy)
+        });
     }
-
-    csp_headers = csp_headers ||
-        headers.filter(h => is_csp_header_name(h.name));
-
-    /* When blocking remove report-only CSP headers that snitch on us. */
-    headers = headers.filter(h => !is_csp_header_name(h.name, !policy.allow));
-
-    if (old_signature)
-        headers = headers.filter(h => h.value.search(old_signature) === -1);
-
-    headers.push(...csp_headers.map(h => sanitize_csp_header(h, policy)));
-
+
     const policy_str = encodeURIComponent(JSON.stringify(policy));
     const signed_policy = sign_data(policy_str, new Date().getTime());
     const later_30sec = new Date(new Date().getTime() + 30000).toGMTString();
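Review bot: The comment on the new filter, `/* Remove report-only CSP headers that snitch on us. */`, no longer describes the line under it: the removed code passed `!policy.allow` as the second argument of `is_csp_header_name`, and the new code passes `true` unconditionally, which — if that flag widens the match to report-only names on top of enforcing ones — strips every CSP header the site sent, enforcing policy included, whenever `policy.has_payload` is set even on an allowed page. That is what the commit message announces, but it also means the page loses the site's own mitigation against injected content, so the comment should state the trade-off, e.g. `/* Drop all of the site's CSP headers (enforcing and report-only): they would block or report our payload. This also removes the site's own XSS mitigation for the page. */`. The `* IMPORT extract_signed` and `* IMPORT sanitize_csp_header` lines stay in the IMPORTS block although the only calls visible in this diff are deleted; if nothing else in the file uses them they should be dropped as well. inject_csp_headers continues past the end of the hunk.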
@@ -67,22 +37,6 @@ function inject_csp_headers(headers, policy)
         value: `hachette-${signed_policy.join("=")}; Expires=${later_30sec};`
     });
 
-    /*
-     * Smuggle in the signature and the original CSP headers for future use.
-     * These are signed with a time of 0, as it's not clear there is a limit on
-     * how long Firefox might retain headers in the cache.
-     */
-    let hachette_data = {csp_headers, policy_sig: signed_policy[0]};
-    hachette_data = encodeURIComponent(JSON.stringify(hachette_data));
-    hachette_header.value = sign_data(hachette_data, 0).join("_");
-
-    /* To ensure there is a CSP header if required */
-    if (!policy.allow)
-        headers.push({
-            name: "content-security-policy",
-            value: csp_rule(policy.nonce)
-        });
-
     return headers;
 }
 
-- cgit v1.2.3