From 5dab077b9bb7564f2c556b197c5c416c41783112 Mon Sep 17 00:00:00 2001
From: jahoti
Date: Mon, 6 Sep 2021 00:00:00 +0000
Subject: Replace CSP filtering with blocking

CSP headers are now blocked completely rather than modified. Also, filtering is applied whenever a payload is injected.
---
 content/main.js | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
(limited to 'content/main.js')
diff --git a/content/main.js b/content/main.js
index b2cc9ed..3ebf093 100644
--- a/content/main.js
+++ b/content/main.js
@@ -17,7 +17,7 @@
 * IMPORT is_chrome
 * IMPORT is_mozilla
 * IMPORT start_activity_info_server
- * IMPORT csp_rule
+ * IMPORT make_csp_rule
 * IMPORT is_csp_header_name
 * IMPORT sanitize_csp_header
 * IMPORTS_END
@@ -175,9 +175,6 @@ function sanitize_meta(meta, policy)
 return;
 block_attribute(meta, "content");
-
- if (is_csp_header_name(http_equiv, false))
- meta.content = sanitize_csp_header({value}, policy).value;
 }
 function sanitize_script(script)
@@ -204,7 +201,7 @@ function apply_hachette_csp_rules(doc, policy)
 {
 const meta = doc.createElement("meta");
 meta.setAttribute("http-equiv", "Content-Security-Policy");
- meta.setAttribute("content", csp_rule(policy.nonce));
+ meta.setAttribute("content", make_csp_rule(policy));
 doc.head.append(meta);
 /* CSP is already in effect, we can remove the now. */
 meta.remove();
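Review bot: Nothing in apply_hachette_csp_rules checks that the injected policy can take effect: `doc.head.append(meta)` assumes `doc.head` exists, and a policy delivered through `<meta>` is only honoured when the element is inside `<head>`. The commit description says page CSP is now blocked rather than filtered, so the value built by `make_csp_rule(policy)` may be the main script policy left on the document, and a failure at this call would leave the page less restricted than intended. I would state the precondition next to the call, for example `/* doc.head must exist here: a CSP <meta> outside <head> is ignored. */`, or confirm that every caller guarantees it. The function's closing lines are outside the hunk.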
@@ -240,13 +237,15 @@ async function sanitize_document(doc, policy)
 for (const meta of old_html.querySelectorAll("head meta"))
 sanitize_meta(meta, policy);
- for (const script of old_html.querySelectorAll("script"))
- sanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ sanitize_script(script, policy);
 new_html.replaceWith(old_html);
- for (const script of old_html.querySelectorAll("script"))
- desanitize_script(script, policy);
+ if (!policy.allow)
+ for (const script of old_html.querySelectorAll("script"))
+ desanitize_script(script, policy);
 }
 if (!is_privileged_url(document.URL)) {
@@ -282,7 +281,7 @@ if (!is_privileged_url(document.URL)) {
 }
 const doc_ready = Promise.all([
- policy.allow ? Promise.resolve : sanitize_document(document, policy),
+ (policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy),
 new Promise(cb => document.addEventListener("DOMContentLoaded", cb, {once: true}))
 ]);
--
cgit v1.2.3
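Review bot: The two new `if (!policy.allow)` guards in sanitize_document each wrap a brace-less `for` with a brace-less body, and nothing says why allowed pages skip script sanitization while `sanitize_meta` still runs for them. Because the sanitize and desanitize passes must always be skipped together, I would put braces around both guarded loops and add a comment above the first, such as `/* Allowed pages reach here only when a payload is injected; their scripts are left untouched, meta tags are still filtered. */`. That wording is inferred from the commit description and the `doc_ready` change, so please confirm it. Separately, the context of the sanitize_meta hunk shows `function sanitize_script(script)` with a single parameter, while the calls here pass `(script, policy)`. The body of sanitize_document begins outside the hunk.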
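Review bot: `Promise.resolve` on the new line of the `doc_ready` array is a reference to the function, not a call, so the first element handed to `Promise.all` is a plain function value. It still settles immediately because `Promise.all` wraps non-thenable values, but it reads like a forgotten call; `(policy.allow && !policy.has_payload) ? Promise.resolve() : sanitize_document(document, policy),` states the intent. A one-line comment noting that a missing `has_payload` is falsy, so allowed pages without a payload still bypass `sanitize_document`, would make the condition easier to audit. The statement sits inside the `if (!is_privileged_url(document.URL))` block, which starts and ends outside the hunk.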