From f8dedf60638bffde3f92116db3f418d2e6260e80 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Wed, 1 Jun 2022 18:14:09 +0200
Subject: allow eval() in injected scripts

---
 common/policy.js | 43 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)
(limited to 'common/policy.js')
diff --git a/common/policy.js b/common/policy.js
index e14d8cd..6bcb54b 100644
--- a/common/policy.js
+++ b/common/policy.js
@@ -49,16 +49,15 @@
 * CSP rule that either blocks all scripts or only allows scripts with specified
 * nonce attached.
 */
-function make_csp(nonce)
-{
- const rule = nonce ? `nonce-${nonce}` : "none";
+function make_csp(nonce) {
+ const rule = nonce ? `'nonce-${nonce}'` : "'none'";
 const csp_list = [
- ["prefetch-src", "none"],
- ["script-src-attr", "none"],
- ["script-src", rule],
+ ["prefetch-src", "'none'"],
+ ["script-src-attr", "'none'"],
+ ["script-src", rule, "'unsafe-eval'"],
 ["script-src-elem", rule]
 ];
- return csp_list.map(([a, b]) => `${a} '${b}';`).join(" ");
+ return csp_list.map(words => `${words.join(" ")};`).join(" ");
 }
 
 function decide_policy(patterns_tree, url, default_allow, secret)
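Review bot: `'unsafe-eval'` is now appended to `script-src` even when `make_csp()` is called without a nonce, so the blocking policy built by `fallback_policy` serializes as `script-src 'none' 'unsafe-eval'`. CSP honours `'none'` only when it is the sole source expression in a directive, so a browser ignores that keyword here (Chromium, as far as I recall, also logs a warning); no other source expression is left so scripts stay blocked, but the directive no longer states the intent plainly. Appending the keyword only when a nonce exists keeps the blocking case clean: `["script-src", ...(nonce ? [rule, "'unsafe-eval'"] : [rule])],`. The comment above the function still says the rule "either blocks all scripts or only allows scripts with specified nonce attached" and should add that nonce-approved scripts may additionally call eval(), since that is a deliberate widening of what injected code can do with page-derived strings.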
@@ -113,3 +112,33 @@ function decide_policy(patterns_tree, url, default_allow, secret)
 #EXPORT decide_policy
 #EXPORT () => ({allow: false, csp: make_csp()}) AS fallback_policy
+
+#IF NEVER
+
+/*
+ * Note: the functions below were overeagerly written and are not used now but
+ * might prove useful to once we add more functionalities and are hence kept...
+ */
+
+function relaxed_csp_eval(csp) {
+ const new_csp_list = [];
+
+ for (const directive of csp.split(";")) {
+ const directive_words = directive.trim().split(" ");
+ if (directive_words[0] === "script-src")
+ directive_words.push("'unsafe-eval'");
+
+ new_csp_list.push(directive_words);
+ }
+
+ new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" ");
+}
+
+function relax_policy_eval(policy) {
+ const new_policy = Object.assign({}, policy);
+
+ return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)});
+}
+#EXPORT relax_policy_eval
+
+#ENDIF
-- cgit v1.2.3
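Review bot: `relaxed_csp_eval` assigns its result to `new_policy.csp`, a variable that exists only inside `relax_policy_eval`, and returns nothing, so re-enabling this block would raise a ReferenceError (or, if a global of that name existed, hand back a policy whose `csp` is `undefined`); the template literal also carries a stray `'` before the `;`. The function should instead end with `return new_csp_list.map(d => d.join(" ") + ";").join(" ");`. Splitting on a single space and not skipping the empty element left after the trailing `;` would additionally carry empty words into the rebuilt policy. The code sits behind `#IF NEVER`, so nothing is built from it today, but keeping a known-broken helper invites a copy-paste later; at minimum the comment explaining why it is kept should record these defects.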