/**
* Hachette injecting policy to page using webRequest
*
* Copyright (C) 2021 Wojtek Kosior
* Copyright (C) 2021 jahoti
* Redistribution terms are gathered in the `copyright' file.
*/
/*
* IMPORTS_START
* IMPORT TYPE_PREFIX
* IMPORT get_storage
* IMPORT browser
* IMPORT is_chrome
* IMPORT is_mozilla
* IMPORT gen_unique
* IMPORT gen_nonce
* IMPORT url_item
* IMPORT url_extract_policy
* IMPORT sign_policy
* IMPORT get_query_best
* IMPORT csp_rule
* IMPORTS_END
*/
/*
 * Both are assigned by start_policy_injector(). url_inject() calls
 * query_best(); no reader of `storage` is visible in this listing.
 */
var storage;
var query_best;

/* Name under which inject() adds the extension's own CSP header. */
const header_name = "content-security-policy";

/*
 * Lower-cased names of the response headers that is_csp_header() treats as
 * CSP carriers: the standard header plus two legacy vendor-prefixed ones.
 * The Report-Only variant is not listed, so it is left untouched.
 */
const csp_header_names = {
    [header_name] : true,
    "x-webkit-csp" : true,
    "x-content-security-policy" : true
};
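/*
 * Tell whether a response header is one of the CSP headers listed in
 * csp_header_names.
 *
 * header - webRequest header object; only its `name` is read and it is
 *          compared case-insensitively.
 *
 * Returns true for a listed name, false otherwise.
 */
function is_csp_header(header)
{
    const name = header.name.toLowerCase();

    /*
     * Own-property check: a plain lookup also finds keys inherited from
     * Object.prototype, so a header named e.g. "constructor" would be taken
     * for a CSP header and dropped by inject().
     */
    return Object.prototype.hasOwnProperty.call(csp_header_names, name) &&
        !!csp_header_names[name];
}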
/*
 * Compare a header's value with a CSP rule string using strict equality.
 * No caller of this function is visible in this listing.
 *
 * header - webRequest header object; only its `value` is read.
 * rule   - the rule string to compare against.
 *
 * Returns true when both are strictly equal.
 */
function is_our_header(header, rule)
{
    const header_value = header.value;

    return rule === header_value;
}
/*
 * onBeforeRequest listener for main_frame/sub_frame requests: make sure the
 * URL carries a signed policy in its fragment, redirecting to a URL that
 * does when it does not.
 *
 * details - webRequest details object; only `details.url` is read.
 *
 * Returns undefined (the request proceeds unchanged) when
 * url_extract_policy() reports the policy as current, otherwise
 * {redirectUrl: ...}.
 *
 * NOTE(review): the allow flag and the nonce travel in the URL fragment, and
 * inject() acts on them only when url_extract_policy() reports `current`.
 * The signature check behind that flag is therefore the trust boundary;
 * confirm it rejects forged and expired fragments.
 */
function url_inject(details)
{
    const targets = url_extract_policy(details.url);

    if (targets.current)
        return;

    if (targets.policy) {
        /*
         * A policy is present but not current: replace `target` with
         * `target2` so that a freshly signed policy is issued below.
         */
        targets.target = targets.target2;
        delete targets.target2;
    }

    const [pattern, matched_settings] = query_best(targets.base_url);
    /* No matching pattern means default settings, i.e. `allow` left unset. */
    const settings = pattern ? matched_settings : {};

    const policy_object = {
        allow: settings.allow,
        nonce: gen_nonce(),
        base_url: targets.base_url
    };
    const policy = encodeURIComponent(JSON.stringify(policy_object));
    /* The signature is bound to the current time as well as the policy. */
    const signature = sign_policy(policy, new Date());

    let redirect_url = targets.base_url;
    redirect_url += '#' + signature + policy;

    /* Re-append whatever fragment parts the original URL had. */
    for (const tail of [targets.target, targets.target2]) {
        if (tail)
            redirect_url += tail;
    }

    return {redirectUrl: redirect_url};
}
/*
 * onHeadersReceived listener for main_frame/sub_frame responses: enforce the
 * policy carried in the request URL by rewriting CSP response headers.
 *
 * details - webRequest details object; `url` and `responseHeaders` are read.
 *
 * Returns {cancel: true} when the URL has no current policy, otherwise
 * {responseHeaders: ...} with the (possibly rewritten) header list.
 *
 * NOTE(review): wherever the filter below runs, every header matched by
 * is_csp_header() is dropped, the site's own policy included; on Firefox
 * that happens even when the policy has `allow` set. Directives the site
 * sent that are unrelated to scripts (frame-ancestors, for instance) are
 * then no longer enforced unless csp_rule() re-adds them -- confirm this
 * trade-off is intended.
 */
function inject(details)
{
    const targets = url_extract_policy(details.url);

    /* Block mis-/unsigned requests */
    if (!targets.current)
        return {cancel: true};

    const policy = targets.policy;
    const rule = csp_rule(policy.nonce);
    const restricted = !policy.allow;
    let headers = details.responseHeaders;

    /*
     * Firefox caches the headers we injected, so there they have to be
     * removed even when nothing new is added. Chrome doesn't have that
     * buggy behavior and only needs the cleanup before we add our rule.
     */
    if (restricted || is_mozilla)
        headers = headers.filter(header => !is_csp_header(header));

    /* filter() returned a copy, so the push never touches details. */
    if (restricted)
        headers.push({name : header_name, value : rule});

    return {responseHeaders: headers};
}
/*
 * Load the storage and pattern-query helpers, then register the two blocking
 * webRequest listeners (url_inject, inject) for top-level and sub-frame
 * documents on all URLs.
 *
 * Returns a promise that resolves once both listeners are registered.
 *
 * NOTE(review): the listeners are added only after both awaits complete, so
 * requests that start earlier are not intercepted -- confirm callers start
 * the injector before any page load that must be covered.
 */
async function start_policy_injector()
{
    storage = await get_storage();
    query_best = await get_query_best();

    /* Each listener gets its own filter object. */
    const document_requests = () => ({
        urls: ["<all_urls>"],
        types: ["main_frame", "sub_frame"]
    });

    /*
     * "extraHeaders" is passed on Chrome only; presumably needed there so
     * the listener may see and alter all response headers -- confirm.
     */
    const header_listener_opts = is_chrome ?
        ["blocking", "responseHeaders", "extraHeaders"] :
        ["blocking", "responseHeaders"];

    browser.webRequest.onBeforeRequest.addListener(
        url_inject,
        document_requests(),
        ["blocking"]
    );

    browser.webRequest.onHeadersReceived.addListener(
        inject,
        document_requests(),
        header_listener_opts
    );
}
/*
* EXPORTS_START
* EXPORT start_policy_injector
* EXPORTS_END
*/