From 8b823e1a6f29e52effc086d02dfe2e2812b2e187 Mon Sep 17 00:00:00 2001
From: jahoti <jahoti@tilde.team>
Date: Sat, 17 Jul 2021 00:00:00 +0000
Subject: Revamp signatures and break header caching on FF

Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the unique value generated from the
policy value (which will follow them) succeeded by the URL.

CSP headers are now _always_ cleared on FF, regardless of whether the page
is whitelisted or not. This means whitelisting takes effect on page reload,
rather than only when caching occurs. However, it obviously presents security
issues; refinment will occur in a future commit.
---
 content/main.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'content')

diff --git a/content/main.js b/content/main.js
index e75f61d..317b319 100644
--- a/content/main.js
+++ b/content/main.js
@@ -100,15 +100,16 @@ function inject_csp(head)
 
 if (!is_privileged_url(document.URL)) {
     const targets = url_extract_policy(document.URL);
-    targets.policy = targets.policy || {};
-    const nonce = targets.policy.nonce || gen_nonce();
-
-    if (targets.signed)
+    if (targets.policy) {
 	if (targets.target2 !== undefined)
 	    window.location.href = targets.base_url + targets.target2;
 	else
 	    history.replaceState(null, "", targets.base_url);
-
+    }
+    
+    targets.policy = targets.valid_sig ? targets.policy : {};
+    
+    const nonce = targets.policy.nonce || gen_nonce();
     start_activity_info_server();
     handle_page_actions(nonce);
 
-- 
cgit v1.2.3