summaryrefslogtreecommitdiff
path: root/background/policy_injector.js
blob: eb67963a511becb6476bf208c4ab84b2920e3f0e (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
/**
 * Myext injecting policy to page using webRequest
 *
 * Copyright (C) 2021 Wojtek Kosior
 * Redistribution terms are gathered in the `copyright' file.
 */

/*
 * IMPORTS_START
 * IMPORT TYPE_PREFIX
 * IMPORT get_storage
 * IMPORT browser
 * IMPORT is_chrome
 * IMPORT gen_unique
 * IMPORT url_item
 * IMPORT get_query_best
 * IMPORT csp_rule
 * IMPORTS_END
 */

var storage;
var query_best;

const csp_header_names = {
    "content-security-policy" : true,
    "x-webkit-csp" : true,
    "x-content-security-policy" : true
};

const header_name = "content-security-policy";

function is_csp_header(header)
{
    return !!csp_header_names[header.name.toLowerCase()];
}

function is_our_header(header, rule)
{
    return header.value === rule
}

function inject(details)
{
    const url = url_item(details.url);

    const [pattern, settings] = query_best(url);

    const nonce = gen_unique(url);
    const rule = csp_rule(nonce);

    var headers;

    if (settings !== undefined && settings.allow) {
	/*
	 * Chrome doesn't have the buggy behavior of repeatedly injecting a
	 * header we injected once. Firefox does and we have to remove it there.
	 */
	if (is_chrome)
	    return {cancel: false};

	headers = details.responseHeaders.filter(h => !is_our_header(h, rule));
    } else {
	headers = details.responseHeaders.filter(h => !is_csp_header(h));

	headers.push({
	    name : header_name,
	    value : rule
	});
    }

    return {responseHeaders: headers};
}

async function start_policy_injector()
{
    storage = await get_storage();
    query_best = await get_query_best();

    let extra_opts = ["blocking", "responseHeaders"];
    if (is_chrome)
	extra_opts.push("extraHeaders");

    browser.webRequest.onHeadersReceived.addListener(
	inject,
	{
	    urls: ["<all_urls>"],
	    types: ["main_frame", "sub_frame"]
	},
	extra_opts
    );
}

/*
 * EXPORTS_START
 * EXPORT start_policy_injector
 * EXPORTS_END
 */