From 44e89d8ec71b441a431c848567f34b9a36f6b982 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Thu, 9 Sep 2021 17:47:51 +0200 Subject: simplify CSP handling All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own. --- common/misc.js | 68 ++++++++++------------------------------------------------ 1 file changed, 11 insertions(+), 57 deletions(-) (limited to 'common/misc.js')
diff --git a/common/misc.js b/common/misc.js
index 6adaf1e..6cded84 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -43,29 +43,19 @@ function gen_nonce(length=16)
 return Uint8toHex(randomData);
 }
 
-/* csp rule that blocks all scripts except for those injected by us */
-function csp_rule(nonce)
+/* CSP rule that blocks scripts according to policy's needs. */
+function make_csp_rule(policy)
 {
- const rule = `'nonce-${nonce}'`;
- return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
+ let rule = "prefetch-src 'none'; script-src-attr 'none';";
+ const script_src = policy.has_payload ?
+ `'nonce-${policy.nonce}'` : "'none'";
+ rule += ` script-src ${script_src}; script-src-elem ${script_src};`;
+ return rule;
 }
 
 /* Check if some HTTP header might define CSP rules. */
-const csp_header_names = new Set([
- "content-security-policy",
- "x-webkit-csp",
- "x-content-security-policy"
-]);
-
-const report_only_header_name = "content-security-policy-report-only";
-
-function is_csp_header_name(string, include_report_only)
-{
- string = string && string.toLowerCase().trim() || "";
-
- return (include_report_only && string === report_only_header_name) ||
- csp_header_names.has(string);
-}
+const csp_header_regex =
+ /^\s*(content-security-policy|x-webkit-csp|x-content-security-policy)/i;
 
 /*
 * Print item together with type, e.g.
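Review bot: In `make_csp_rule`, the nonce branch interpolates `policy.nonce` without checking that it is set, so a policy with `has_payload` true and no nonce would produce `script-src 'nonce-undefined'`, a fixed value that any script on the page could carry in its own `nonce` attribute. Whether callers always generate the nonce first is not visible in this file, and failing closed here is cheap: `const script_src = policy.has_payload && policy.nonce ?` makes a missing nonce fall back to `'none'`. Separately, `csp_header_regex` has no end anchor, so it also matches `content-security-policy-report-only` and any other header name that starts with one of these prefixes, whereas the removed `is_csp_header_name` made report-only an explicit opt-in; if the prefix match is intended, a comment such as `/* Prefix match on purpose: also covers the -Report-Only variant. */` would record that for callers.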
@@ -111,41 +101,6 @@ function parse_csp(csp) {
 return directives;
 }
 
-/* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, policy)
-{
- const rule = `'nonce-${policy.nonce}'`;
- const csp = parse_csp(header.value);
-
- if (!policy.allow) {
- /* No snitching */
- delete csp['report-to'];
- delete csp['report-uri'];
-
- delete csp['script-src'];
- delete csp['script-src-elem'];
-
- csp['script-src-attr'] = ["'none'"];
- csp['prefetch-src'] = ["'none'"];
- }
-
- if ('script-src' in csp)
- csp['script-src'].push(rule);
- else
- csp['script-src'] = [rule];
-
- if ('script-src-elem' in csp)
- csp['script-src-elem'].push(rule);
- else
- csp['script-src-elem'] = [rule];
-
- const new_csp = Object.entries(csp).map(
- i => `${i[0]} ${i[1].join(' ')};`
- );
-
- return {name: header.name, value: new_csp.join('')};
-}
-
 /* Regexes and objects to use as/in schemas for parse_json_with_schema(). */
 const nonempty_string_matcher = /.+/;
 
@@ -161,12 +116,11 @@ const matchers = {
 /*
 * EXPORTS_START
 * EXPORT gen_nonce
- * EXPORT csp_rule
- * EXPORT is_csp_header_name
+ * EXPORT make_csp_rule
+ * EXPORT csp_header_regex
 * EXPORT nice_name
 * EXPORT open_in_settings
 * EXPORT is_privileged_url
- * EXPORT sanitize_csp_header
 * EXPORT matchers
 * EXPORTS_END
 */
-- cgit v1.2.3