From 5dab077b9bb7564f2c556b197c5c416c41783112 Mon Sep 17 00:00:00 2001
From: jahoti
Date: Mon, 6 Sep 2021 00:00:00 +0000
Subject: Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified. Also, filtering is applied whenever a payload is injected.
---
common/misc.js | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'common')
diff --git a/common/misc.js b/common/misc.js
index 91d60d2..97fc2dc 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -146,6 +146,17 @@ function sanitize_csp_header(header, policy)
 return {name: header.name, value: new_csp.join('')};
 }
+/* csp rule that blocks all scripts except for those injected by us */
+function make_csp_rule(policy)
+{
+ let rule = "prefetch-src 'none'; ", nonce = `'nonce-${policy.nonce}'`;
+ if (!policy.allow) {
+ rule += `script-src ${nonce}; script-src-elem ${nonce}; ` +
+ "script-src-attr 'none'; ";
+ }
+ return rule;
+}
+
 /* Regexes and objects to use as/in schemas for parse_json_with_schema(). */
 const nonempty_string_matcher = /.+/;
@@ -161,7 +172,7 @@ const matchers = {
 /*
 * EXPORTS_START
 * EXPORT gen_nonce
- * EXPORT csp_rule
+ * EXPORT make_csp_rule
 * EXPORT is_csp_header_name
 * EXPORT nice_name
 * EXPORT open_in_settings
--
cgit v1.2.3
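Review bot: `policy.nonce` is interpolated into the `script-src` and `script-src-elem` directives of `make_csp_rule` without any check, so a policy object that arrives without a nonce produces the literal source `'nonce-undefined'`, which page markup could carry to satisfy the rule. The nonce is only used when `!policy.allow`, so build it inside that branch and fail closed first, for example `if (!policy.nonce) throw new Error("make_csp_rule: policy has no nonce");`. Whether every caller sets the nonce cannot be confirmed from this patch, which is limited to `common/`. The commit message says the page's own CSP headers are now dropped, so for `policy.allow` pages this rule appears to leave only `prefetch-src 'none'` in force; a comment above the function stating that this is intended would help reviewers.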