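/**
 * Hachette injecting policy to page using webRequest
 *
 * Copyright (C) 2021 Wojtek Kosior
 * Copyright (C) 2021 jahoti
 * Redistribution terms are gathered in the `copyright' file.
 */

/*
 * IMPORTS_START
 * IMPORT sign_data
 * IMPORT extract_signed
 * IMPORT sanitize_csp_header
 * IMPORT make_csp_rule
 * IMPORT is_csp_header_name
 * IMPORTS_END
 */

/*
 * Rewrite a page's response headers so that the Hachette policy for that
 * page takes effect.
 *
 * headers - array of {name, value} objects (webRequest response headers)
 * policy  - policy object; only `allow` and `has_payload` are inspected
 *           here, but the whole object is serialized into the cookie below
 *
 * Returns a new headers array. The caller's array is never modified
 * (the original mutated it in place in one branch and returned a filtered
 * copy in the other).
 */
function inject_csp_headers(headers, policy)
{
    /* Copy so that both code paths below behave alike towards the caller. */
    let result = [...headers];

    if (!policy.allow || policy.has_payload) {
	/* Remove report-only CSP headers that snitch on us. */
	result = result.filter(h => !is_csp_header_name(h.name, true));

	/* Add our own CSP header */
	result.push({
	    name: "content-security-policy",
	    value: make_csp_rule(policy)
	});
    }

    /* A single timestamp feeds both the signature and the expiry date, so
       the two can no longer drift by a millisecond. */
    const now = Date.now();
    const policy_str = encodeURIComponent(JSON.stringify(policy));
    /* sign_data() presumably returns [<name part>, <value part>], which is
       what the join("=") below relies on -- confirm against sign_data. */
    const signed_policy = sign_data(policy_str, now);
    /* toUTCString() replaces the deprecated alias toGMTString(); the
       produced string is identical. */
    const later_30sec = new Date(now + 30000).toUTCString();
    /* NOTE(review): the cookie carries no Secure/HttpOnly/SameSite
       attributes; presumably a page-side script reads it through
       document.cookie, so at least HttpOnly cannot be added without
       checking that reader first. Its lifetime is bounded to 30 s. */
    result.push({
	name: "Set-Cookie",
	value: `hachette-${signed_policy.join("=")}; Expires=${later_30sec};`
    });

    return result;
}

/*
 * EXPORTS_START
 * EXPORT inject_csp_headers
 * EXPORTS_END
 */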