From 5b419aedd564e6506aa2fc8bddcaa5d601888f17 Mon Sep 17 00:00:00 2001
From: jahoti <jahoti@tilde.team>
Date: Mon, 2 Aug 2021 00:00:00 +0000
Subject: [UNTESTED- will test] Add filtering for http-equiv CSP headers

---
 common/misc.js | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

(limited to 'common')

diff --git a/common/misc.js b/common/misc.js
index 0d8466e..d046b65 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -173,6 +173,40 @@ function parse_csp(csp) {
     return directives;
 }
 
+/* Make CSP headers do our bidding, not interfere */
+function sanitize_csp_header(header, rule, block)
+{
+    const csp = parse_csp(header.value);
+
+    if (block) {
+	/* No snitching */
+	delete csp['report-to'];
+	delete csp['report-uri'];
+	
+	delete csp['script-src'];
+	delete csp['script-src-elem'];
+
+	csp['script-src-attr'] = ["'none'"];
+	csp['prefetch-src'] = ["'none'"];
+    }
+
+    if ('script-src' in csp)
+	csp['script-src'].push(rule);
+    else
+	csp['script-src'] = [rule];
+
+    if ('script-src-elem' in csp)
+	csp['script-src-elem'].push(rule);
+    else
+	csp['script-src-elem'] = [rule];
+
+    const new_policy = Object.entries(csp).map(
+	i => `${i[0]} ${i[1].join(' ')};`
+    );
+
+    return {name: header.name, value: new_policy.join('')};
+}
+
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
@@ -184,6 +218,6 @@ function parse_csp(csp) {
  * EXPORT nice_name
  * EXPORT open_in_settings
  * EXPORT is_privileged_url
- * EXPORT parse_csp
+ * EXPORT sanitize_csp_header
  * EXPORTS_END
  */
-- 
cgit v1.2.3