From 2875397fb887a5b09b5f39d6b3a75419a516dd07 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Thu, 26 Aug 2021 11:50:36 +0200
Subject: improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.
---
content/main.js | 33 ++++++++++++++++++++++++++-------
1 file changed, 26 insertions(+), 7 deletions(-)
(limited to 'content')
diff --git a/content/main.js b/content/main.js
index 4ae7738..984b3cb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@ function accept_node(node, parent)
 }
 if (!is_privileged_url(document.URL)) {
- const reductor =
- (ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
- const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
- let [policy, signature] = matches.reduce(reductor, []);
+ /* Signature valid for half an hour. */
+ const min_time = new Date().getTime() - 1800 * 1000;
+ let best_result = {time: -1};
+ let policy = null;
+ const extracted_signatures = [];
+ for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+ const new_result = extract_signed(...match.slice(1, 3));
+ if (new_result.fail)
+ continue;
- if (!policy || policy.url !== document.URL) {
- console.log("WARNING! Using default policy!!!");
+ extracted_signatures.push(match[1]);
+
+ if (new_result.time < Math.max(min_time, best_result.time))
+ continue;
+
+ /* This should succeed - it's our self-produced valid JSON. */
+ const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+ if (new_policy.url !== document.URL)
+ continue;
+
+ best_result = new_result;
+ policy = new_policy;
+ }
+
+ if (!policy) {
+ console.warn("WARNING! Using default policy!!!");
 policy = {allow: false, nonce: gen_nonce()};
 }
- if (signature)
+ for (const signature of extracted_signatures)
 document.cookie = `hachette-${signature}=; Max-Age=-1;`;
 handle_page_actions(policy.nonce);
--
cgit v1.2.3
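Review bot: The `JSON.parse(decodeURIComponent(new_result.data))` call inside the cookie loop is unguarded, so a payload that passes `extract_signed` but is not valid percent-encoding or JSON, or that parses to `null`, throws before the `if (!policy)` fallback can assign the default `{allow: false, ...}` policy. Whether the page then runs with no policy applied depends on code outside this hunk, but a parse failure on signed data is better handled like a failed signature and skipped, so the default-deny path stays reachable. The freshness test also enforces only a lower bound (`min_time`). If `time` is covered by the signature that is acceptable, and a comment saying so would help, because otherwise a future-dated value always wins the `Math.max` comparison. The enclosing `if (!is_privileged_url(document.URL))` block continues past the end of the hunk.

```javascript
    /* Signed, but parsed defensively: a throw here would skip the default-policy fallback below. */
    let new_policy;
    try {
        new_policy = JSON.parse(decodeURIComponent(new_result.data));
    } catch (e) {
        console.warn("discarding signed policy that failed to parse");
        continue;
    }
    if (!new_policy || new_policy.url !== document.URL)
        continue;
    // … unchanged: best_result / policy assignment …
```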