From 44e89d8ec71b441a431c848567f34b9a36f6b982 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Thu, 9 Sep 2021 17:47:51 +0200 Subject: simplify CSP handling All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own. --- common/misc.js | 68 ++++++++++------------------------------------------------ 1 file changed, 11 insertions(+), 57 deletions(-) (limited to 'common') diff --git a/common/misc.js b/common/misc.js index 6adaf1e..6cded84 100644 --- a/common/misc.js +++ b/common/misc.js @@ -43,29 +43,19 @@ function gen_nonce(length=16) return Uint8toHex(randomData); } -/* csp rule that blocks all scripts except for those injected by us */ -function csp_rule(nonce) +/* CSP rule that blocks scripts according to policy's needs. */ +function make_csp_rule(policy) { - const rule = `'nonce-${nonce}'`; - return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`; + let rule = "prefetch-src 'none'; script-src-attr 'none';"; + const script_src = policy.has_payload ? + `'nonce-${policy.nonce}'` : "'none'"; + rule += ` script-src ${script_src}; script-src-elem ${script_src};`; + return rule; } /* Check if some HTTP header might define CSP rules. */ -const csp_header_names = new Set([ - "content-security-policy", - "x-webkit-csp", - "x-content-security-policy" -]); - -const report_only_header_name = "content-security-policy-report-only"; - -function is_csp_header_name(string, include_report_only) -{ - string = string && string.toLowerCase().trim() || ""; - - return (include_report_only && string === report_only_header_name) || - csp_header_names.has(string); -} +const csp_header_regex = + /^\s*(content-security-policy|x-webkit-csp|x-content-security-policy)/i; /* * Print item together with type, e.g. @@ -111,41 +101,6 @@ function parse_csp(csp) { return directives; } -/* Make CSP headers do our bidding, not interfere */ -function sanitize_csp_header(header, policy) -{ - const rule = `'nonce-${policy.nonce}'`; - const csp = parse_csp(header.value); - - if (!policy.allow) { - /* No snitching */ - delete csp['report-to']; - delete csp['report-uri']; - - delete csp['script-src']; - delete csp['script-src-elem']; - - csp['script-src-attr'] = ["'none'"]; - csp['prefetch-src'] = ["'none'"]; - } - - if ('script-src' in csp) - csp['script-src'].push(rule); - else - csp['script-src'] = [rule]; - - if ('script-src-elem' in csp) - csp['script-src-elem'].push(rule); - else - csp['script-src-elem'] = [rule]; - - const new_csp = Object.entries(csp).map( - i => `${i[0]} ${i[1].join(' ')};` - ); - - return {name: header.name, value: new_csp.join('')}; -} - /* Regexes and objects to use as/in schemas for parse_json_with_schema(). */ const nonempty_string_matcher = /.+/; @@ -161,12 +116,11 @@ const matchers = { /* * EXPORTS_START * EXPORT gen_nonce - * EXPORT csp_rule - * EXPORT is_csp_header_name + * EXPORT make_csp_rule + * EXPORT csp_header_regex * EXPORT nice_name * EXPORT open_in_settings * EXPORT is_privileged_url - * EXPORT sanitize_csp_header * EXPORT matchers * EXPORTS_END */ -- cgit v1.2.3