From dcfc78b0d175bee7b3b7e273282078d50bd4ca09 Mon Sep 17 00:00:00 2001
From: jahoti
Date: Mon, 12 Jul 2021 00:00:00 +0000
Subject: Stop using the nonce consistently for a URL

Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism.
---
 common/misc.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'common/misc.js')

diff --git a/common/misc.js b/common/misc.js
index 8b56e79..7e48059 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -2,6 +2,7 @@
 * Myext miscellaneous operations refactored to a separate file
 *
 * Copyright (C) 2021 Wojtek Kosior
+ * Copyright (C) 2021 jahoti
 * Redistribution terms are gathered in the `copyright' file.
 */
 
@@ -18,6 +19,23 @@
 * generating unique, per-site value that can be computed synchronously
 * and is impossible to guess for a malicious website
 */
+
+/* Uint8toHex is a separate function not exported as (a) it's useful and (b) it will be used in crypto.subtle-based digests */
+function Uint8toHex(data)
+{
+ let returnValue = '';
+ for (let byte of data)
+ returnValue += ('00' + byte.toString(16)).slice(-2);
+ return returnValue;
+}
+
+function gen_nonce(length) // Default 16
+{
+ let randomData = new Uint8Array(length || 16);
+ crypto.getRandomValues(randomData);
+ return Uint8toHex(randomData);
+}
+
 function gen_unique(url)
 {
 return sha256(get_secure_salt() + url);
@@ -98,6 +116,7 @@ function is_privileged_url(url)
 /*
 * EXPORTS_START
 * EXPORT gen_unique
+ * EXPORT gen_nonce
 * EXPORT url_item
 * EXPORT url_extract_target
 * EXPORT csp_rule
-- 
cgit v1.2.3
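Review bot: `gen_nonce` in the second hunk takes `length` as a byte count with no lower bound, and `length || 16` only covers a missing or zero argument. A caller passing a small number gets a correspondingly guessable nonce, and a non-numeric string yields a zero-length array and therefore an empty string. Since the value is presumably meant to be unguessable, consider enforcing a floor, e.g. `let randomData = new Uint8Array(Number.isInteger(length) && length >= 16 ? length : 16);`, and extend the `// Default 16` comment to say the unit is bytes and the returned hex string is twice that long. Separately, the two new functions are inserted between the closing `*/` of the comment describing the per-site unique value and `function gen_unique(url)`, so that comment (which starts outside the hunk) now reads as documentation for `Uint8toHex`; placing the new functions above the comment or below `gen_unique` would keep it attached.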