From d09b7ee10541b5a81430d2e11abb3a9a09643ade Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Fri, 20 Aug 2021 12:57:48 +0200
Subject: sanitize `' tags containing CSP rules under Chromium

This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.
---
 common/misc.js | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
(limited to 'common')

diff --git a/common/misc.js b/common/misc.js
index 6e825d6..8894d60 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -78,6 +78,23 @@ function csp_rule(nonce)
 return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
 }
 
+/* Check if some HTTP header might define CSP rules. */
+const csp_header_names = new Set([
+ "content-security-policy",
+ "x-webkit-csp",
+ "x-content-security-policy"
+]);
+
+const report_only_header_name = "content-security-policy-report-only";
+
+function is_csp_header_name(string, include_report_only)
+{
+ string = string && string.toLowerCase() || "";
+
+ return (include_report_only && string === report_only_header_name) ||
+ csp_header_names.has(string);
+}
+
 /*
 * Print item together with type, e.g.
 * nice_name("s", "hello") → "hello (script)"
@@ -127,11 +144,12 @@ function parse_csp(csp) {
 }
 
 /* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, rule, allow)
+function sanitize_csp_header(header, policy)
 {
+ const rule = `'nonce-${policy.nonce}'`;
 const csp = parse_csp(header.value);
 
- if (!allow) {
+ if (!policy.allow) {
 /* No snitching */
 delete csp['report-to'];
 delete csp['report-uri'];
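Review bot: In the first hunk, `is_csp_header_name` leaves `include_report_only` undocumented, and the only added comment (`/* Check if some HTTP header might define CSP rules. */`) sits above the `csp_header_names` Set rather than the function. When the argument is omitted it is falsy, so `content-security-policy-report-only` is not treated as a CSP header by default; a caller that uses this check to decide which headers get their reporting directives stripped would then skip report-only headers unless it opts in (callers are outside this patch, so this needs confirming). I would put a comment on the function itself, for example `/* Return true if the given name (any letter case) is a CSP header name; report-only headers count only when include_report_only is truthy. */`, and state at each call site why it includes or excludes report-only.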
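Review bot: In the `sanitize_csp_header` hunk the new `rule` string is built from `policy.nonce` with no check that a nonce is present. If `policy.nonce` is undefined the result is the literal source `'nonce-undefined'`, a value a page can predict; and because the signature changed from `(header, rule, allow)` to `(header, policy)`, a call site still passing the old arguments would land in exactly that case, with `policy.allow` undefined as well. Call sites are outside this patch (it is limited to `common`) and the function body continues past the hunk, so I cannot confirm that every caller was updated. A guard before the template, such as `if (!policy.allow && typeof policy.nonce !== "string") throw new Error("sanitize_csp_header: policy.nonce missing");`, would make the failure visible instead of emitting a weak policy.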
@@ -153,11 +171,11 @@ function sanitize_csp_header(header, rule, allow)
 else
 csp['script-src-elem'] = [rule];
 
- const new_policy = Object.entries(csp).map(
+ const new_csp = Object.entries(csp).map(
 i => `${i[0]} ${i[1].join(' ')};`
 );
 
- return {name: header.name, value: new_policy.join('')};
+ return {name: header.name, value: new_csp.join('')};
 }
 
 /* Regexes and objest to use as/in schemas for parse_json_with_schema(). */
@@ -178,6 +196,7 @@ const matchers = {
 * EXPORT extract_signed
 * EXPORT sign_data
 * EXPORT csp_rule
+ * EXPORT is_csp_header_name
 * EXPORT nice_name
 * EXPORT open_in_settings
 * EXPORT is_privileged_url
-- 
cgit v1.2.3