From dcfc78b0d175bee7b3b7e273282078d50bd4ca09 Mon Sep 17 00:00:00 2001 From: jahoti Date: Mon, 12 Jul 2021 00:00:00 +0000 Subject: Stop using the nonce consistently for a URL Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism. --- content/main.js | 21 +++++++++++++++++---- content/page_actions.js | 4 +--- 2 files changed, 18 insertions(+), 7 deletions(-) (limited to 'content') diff --git a/content/main.js b/content/main.js index 9acf749..3204a8a 100644 --- a/content/main.js +++ b/content/main.js @@ -2,15 +2,18 @@ * Myext main content script run in all frames * * Copyright (C) 2021 Wojtek Kosior + * Copyright (C) 2021 jahoti * Redistribution terms are gathered in the `copyright' file. */ /* * IMPORTS_START + * IMPORT CONNECTION_TYPE * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target * IMPORT gen_unique + * IMPORT gen_nonce * IMPORT csp_rule * IMPORT is_privileged_url * IMPORT sanitize_attributes @@ -113,7 +116,7 @@ function inject_csp(head) let meta = document.createElement("meta"); meta.setAttribute("http-equiv", "Content-Security-Policy"); - meta.setAttribute("content", csp_rule(unique)); + meta.setAttribute("content", csp_rule(nonce)); if (head.firstElementChild === null) head.appendChild(meta); @@ -123,13 +126,23 @@ function inject_csp(head) if (!is_privileged_url(document.URL)) { start_activity_info_server(); - handle_page_actions(unique); + var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); if (is_http()) { - /* rely on CSP injected through webRequest */ + /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */ + const nonce_capturer = msg => { + port.onMessage.removeListener(nonce_capturer); + handle_page_actions(msg[1], port); + }; + + port.onMessage.addListener(nonce_capturer); + } else if (is_whitelisted()) { - /* do not block scripts at all */ + /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */ + handle_page_actions(null, port); } else { + nonce = gen_nonce(); + handle_page_actions(nonce, port); block_nodes_recursively(document.documentElement); if (is_chrome) { diff --git a/content/page_actions.js b/content/page_actions.js index fd405fe..dff5f71 100644 --- a/content/page_actions.js +++ b/content/page_actions.js @@ -7,7 +7,6 @@ /* * IMPORTS_START - * IMPORT CONNECTION_TYPE * IMPORT browser * IMPORT report_script * IMPORT report_settings @@ -55,9 +54,8 @@ function add_script(script_text) report_script(script_text); } -function handle_page_actions(script_nonce) { +function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js document.addEventListener("DOMContentLoaded", document_loaded); - port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); port.onMessage.addListener(handle_message); port.postMessage({url: document.URL}); -- cgit v1.2.3