From 7ee7889ae8f1473474254553ec3b3469fb0a935b Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Fri, 18 Jun 2021 11:45:01 +0200
Subject: when possible inject CSP as http(s) header using webRequest instead of adding a tag
---
 content/main.js | 54 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 35 insertions(+), 19 deletions(-)
(limited to 'content')
diff --git a/content/main.js b/content/main.js
index 23f7f66..eb5d0ac 100644
--- a/content/main.js
+++ b/content/main.js
@@ -30,29 +30,45 @@ const url_item = window.url_item;
 const gen_unique = window.gen_unique;
- var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
- var match = url_re.exec(document.URL);
- var base_url = match[1];
- var first_target = match[3];
- var second_target = match[4];
+ /*
+ * Due to some technical limitations the chosen method of whitelisting sites
+ * is to smuggle whitelist indicator in page's url as a "magical" string
+ * after '#'. Right now this is not needed in HTTP(s) pages where native
+ * script blocking happens through CSP header injection but is needed for
+ * protocols like ftp:// and file://.
+ *
+ * The code that actually injects the magical string into ftp:// and file://
+ * urls has not yet been added to the extension.
+ */
- // TODO: can be refactored *a little bit* with policy_smuggler.js
 let url = url_item(document.URL);
 let unique = gen_unique(url);
- let nonce = unique.substring(1);
- var block = true;
- if (first_target !== undefined &&
- first_target === unique) {
- block = false;
- console.log(["allowing", document.URL]);
- if (second_target !== undefined)
- window.location.href = base_url + second_target;
- else
- history.replaceState(null, "", base_url);
- } else {
- console.log(["not allowing", document.URL]);
+ function needs_blocking()
+ {
+ if (url.startsWith("https://") || url.startsWith("http://"))
+ return false;
+
+ let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
+ let match = url_re.exec(document.URL);
+ let base_url = match[1];
+ let first_target = match[3];
+ let second_target = match[4];
+
+ if (first_target !== undefined &&
+ first_target === unique) {
+ if (second_target !== undefined)
+ window.location.href = base_url + second_target;
+ else
+ history.replaceState(null, "", base_url);
+
+ console.log(["allowing whitelisted", document.URL]);
+ return false;
+ }
+
+ console.log(["disallowing", document.URL]);
+ return true;
 }
 function handle_mutation(mutations, observer)
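Review bot: The declaration `let nonce = unique.substring(1);` is removed in this hunk, but the second hunk's header still shows the template line `script-src-elem 'nonce-${nonce}';` in the file, so unless `nonce` is declared somewhere outside this diff, the remaining CSP-building code would throw a ReferenceError on exactly the ftp:// and file:// pages where content-script blocking is still needed. Keeping `let nonce = unique.substring(1);` next to `let unique = gen_unique(url);` would avoid that. Separately, `needs_blocking()` reads as a predicate but also navigates (`window.location.href = base_url + second_target;`) or calls `history.replaceState`; a short comment on the function stating that it strips the whitelist marker from the URL as a side effect would help the next reader.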
@@ -129,7 +145,7 @@ script-src-elem 'nonce-${nonce}';\
 }
 }
- if (block) {
+ if (needs_blocking()) {
 var observer = new MutationObserver(handle_mutation);
 observer.observe(document.documentElement, {
 attributes: true,
-- cgit v1.2.3
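Review bot: With this condition the MutationObserver is never installed on http(s) pages, so script blocking there depends entirely on the CSP header added through webRequest, and nothing in the content script checks that the header was actually applied. If the background listener can miss a response (presumably possible for a document loaded before the listener is registered; to be confirmed against the background script), such a page fails open. Consider keeping the observer as a fallback, or at least documenting the assumption at the call site, e.g. `/* http(s) pages are blocked by the CSP header injected via webRequest; only other schemes are handled here */`. The block opened by this `if` continues past the end of the hunk.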