/** * Myext injecting policy to page using webRequest * * Copyright (C) 2021 Wojtek Kosior * Redistribution terms are gathered in the `copyright' file. */ /* * IMPORTS_START * IMPORT TYPE_PREFIX * IMPORT get_storage * IMPORT browser * IMPORT is_chrome * IMPORT gen_unique * IMPORT url_item * IMPORT get_query_best * IMPORT csp_rule * IMPORTS_END */ var storage; var query_best; const csp_header_names = { "content-security-policy" : true, "x-webkit-csp" : true, "x-content-security-policy" : true }; const header_name = "content-security-policy"; function is_csp_header(header) { return !!csp_header_names[header.name.toLowerCase()]; } function is_our_header(header, rule) { return header.value === rule } function inject(details) { const url = url_item(details.url); const [pattern, settings] = query_best(url); const nonce = gen_unique(url); const rule = csp_rule(nonce); var headers; if (settings !== undefined && settings.allow) { /* * Chrome doesn't have the buggy behavior of repeatedly injecting a * header we injected once. Firefox does and we have to remove it there. */ if (is_chrome) return {cancel: false}; headers = details.responseHeaders.filter(h => !is_our_header(h, rule)); } else { headers = details.responseHeaders.filter(h => !is_csp_header(h)); headers.push({ name : header_name, value : rule }); } return {responseHeaders: headers}; } async function start_policy_injector() { storage = await get_storage(); query_best = await get_query_best(); let extra_opts = ["blocking", "responseHeaders"]; if (is_chrome) extra_opts.push("extraHeaders"); browser.webRequest.onHeadersReceived.addListener( inject, { urls: [""], types: ["main_frame", "sub_frame"] }, extra_opts ); } /* * EXPORTS_START * EXPORT start_policy_injector * EXPORTS_END */