1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
/**
* Hachette injecting policy to page using webRequest
*
* Copyright (C) 2021 Wojtek Kosior
* Copyright (C) 2021 jahoti
* Redistribution terms are gathered in the `copyright' file.
*/
/*
* IMPORTS_START
* IMPORT TYPE_PREFIX
* IMPORT get_storage
* IMPORT browser
* IMPORT is_chrome
* IMPORT is_mozilla
* IMPORT gen_unique
* IMPORT gen_nonce
* IMPORT is_privileged_url
* IMPORT url_item
* IMPORT url_extract_target
* IMPORT sign_policy
* IMPORT query_best
* IMPORT csp_rule
* IMPORTS_END
*/
var storage;
const csp_header_names = {
"content-security-policy" : true,
"x-webkit-csp" : true,
"x-content-security-policy" : true
};
const header_name = "content-security-policy";
function is_csp_header(header)
{
return !!csp_header_names[header.name.toLowerCase()];
}
function url_inject(details)
{
if (is_privileged_url(details.url))
return;
const targets = url_extract_target(details.url);
if (targets.current)
return;
/* Redirect; update policy */
if (targets.policy)
targets.target = "";
let [pattern, settings] = query_best(storage, targets.base_url);
/* Defaults */
if (!pattern)
settings = {};
const policy = encodeURIComponent(
JSON.stringify({
allow: settings.allow,
nonce: gen_nonce(),
base_url: targets.base_url
})
);
return {
redirectUrl: [
targets.base_url,
'#', sign_policy(policy, new Date()), policy,
targets.target,
targets.target2
].join("")
};
}
function headers_inject(details)
{
const targets = url_extract_target(details.url);
/* Block mis-/unsigned requests */
if (!targets.current)
return {cancel: true};
const rule = csp_rule(targets.policy.nonce);
var headers = details.responseHeaders;
/*
* Chrome doesn't have the buggy behavior of caching headers
* we injected. Firefox does and we have to remove it there.
*/
if (!targets.policy.allow || is_mozilla)
headers = headers.filter(h => !is_csp_header(h));
if (!targets.policy.allow) {
headers.push({
name : header_name,
value : rule
});
}
return {responseHeaders: headers};
}
async function start_policy_injector()
{
storage = await get_storage();
let extra_opts = ["blocking", "responseHeaders"];
if (is_chrome)
extra_opts.push("extraHeaders");
browser.webRequest.onBeforeRequest.addListener(
url_inject,
{
urls: ["<all_urls>"],
types: ["main_frame", "sub_frame"]
},
["blocking"]
);
browser.webRequest.onHeadersReceived.addListener(
headers_inject,
{
urls: ["<all_urls>"],
types: ["main_frame", "sub_frame"]
},
extra_opts
);
}
/*
* EXPORTS_START
* EXPORT start_policy_injector
* EXPORTS_END
*/
|
