Revision 014f2a2f
Added by koszko about 2 years ago
background/policy_injector.js | ||
---|---|---|
8 | 8 |
|
9 | 9 |
/* |
10 | 10 |
* IMPORTS_START |
11 |
* IMPORT TYPE_PREFIX |
|
12 | 11 |
* IMPORT get_storage |
13 | 12 |
* IMPORT browser |
14 | 13 |
* IMPORT is_chrome |
15 |
* IMPORT is_mozilla |
|
16 |
* IMPORT gen_unique |
|
17 | 14 |
* IMPORT gen_nonce |
18 | 15 |
* IMPORT is_privileged_url |
19 |
* IMPORT url_item |
|
20 |
* IMPORT url_extract_target |
|
21 |
* IMPORT sign_policy |
|
16 |
* IMPORT sign_data |
|
17 |
* IMPORT extract_signed |
|
22 | 18 |
* IMPORT query_best |
23 | 19 |
* IMPORT sanitize_csp_header |
20 |
* IMPORT csp_rule |
|
24 | 21 |
* IMPORTS_END |
25 | 22 |
*/ |
26 | 23 |
|
... | ... | |
32 | 29 |
"x-content-security-policy" |
33 | 30 |
]); |
34 | 31 |
|
35 |
/* TODO: variable no longer in use; remove if not needed */ |
|
36 |
const unwanted_csp_directives = new Set([ |
|
37 |
"report-to", |
|
38 |
"report-uri", |
|
39 |
"script-src", |
|
40 |
"script-src-elem", |
|
41 |
"prefetch-src" |
|
42 |
]); |
|
43 |
|
|
44 | 32 |
const report_only = "content-security-policy-report-only"; |
45 | 33 |
|
46 |
function url_inject(details)
|
|
34 |
function headers_inject(details)
|
|
47 | 35 |
{ |
48 |
if (is_privileged_url(details.url)) |
|
36 |
console.log("ijnector details", details); |
|
37 |
const url = details.url; |
|
38 |
if (is_privileged_url(url)) |
|
49 | 39 |
return; |
50 | 40 |
|
51 |
const targets = url_extract_target(details.url); |
|
52 |
if (targets.current) |
|
53 |
return; |
|
41 |
const [pattern, settings] = query_best(storage, url); |
|
42 |
const allow = !!(settings && settings.allow); |
|
43 |
const nonce = gen_nonce(); |
|
44 |
const rule = `'nonce-${nonce}'`; |
|
54 | 45 |
|
55 |
/* Redirect; update policy */ |
|
56 |
if (targets.policy) |
|
57 |
targets.target = ""; |
|
58 |
|
|
59 |
let [pattern, settings] = query_best(storage, targets.base_url); |
|
60 |
/* Defaults */ |
|
61 |
if (!pattern) |
|
62 |
settings = {}; |
|
63 |
|
|
64 |
const policy = encodeURIComponent( |
|
65 |
JSON.stringify({ |
|
66 |
allow: settings.allow, |
|
67 |
nonce: gen_nonce(), |
|
68 |
base_url: targets.base_url |
|
69 |
}) |
|
70 |
); |
|
46 |
let orig_csp_headers; |
|
47 |
let old_signature; |
|
48 |
let hachette_header; |
|
49 |
let headers = details.responseHeaders; |
|
71 | 50 |
|
72 |
return { |
|
73 |
redirectUrl: [ |
|
74 |
targets.base_url, |
|
75 |
'#', sign_policy(policy, new Date()), policy, |
|
76 |
targets.target, |
|
77 |
targets.target2 |
|
78 |
].join("") |
|
79 |
}; |
|
80 |
} |
|
51 |
for (const header of headers.filter(h => h.name === "x-hachette")) { |
|
52 |
const match = /^([^%])(%.*)$/.exec(header.value); |
|
53 |
if (!match) |
|
54 |
continue; |
|
81 | 55 |
|
82 |
function headers_inject(details) |
|
83 |
{ |
|
84 |
const targets = url_extract_target(details.url); |
|
85 |
/* Block mis-/unsigned requests */ |
|
86 |
if (!targets.current) |
|
87 |
return {cancel: true}; |
|
88 |
|
|
89 |
let orig_csp_headers = is_chrome ? null : []; |
|
90 |
let headers = []; |
|
91 |
let csp_headers = is_chrome ? headers : []; |
|
92 |
|
|
93 |
const rule = `'nonce-${targets.policy.nonce}'`; |
|
94 |
const block = !targets.policy.allow; |
|
95 |
|
|
96 |
for (const header of details.responseHeaders) { |
|
97 |
if (!csp_header_names.has(header)) { |
|
98 |
/* Remove headers that only snitch on us */ |
|
99 |
if (header.name.toLowerCase() === report_only && block) |
|
100 |
continue; |
|
101 |
headers.push(header); |
|
102 |
|
|
103 |
/* If these are the original CSP headers, use them instead */ |
|
104 |
/* Test based on url_extract_target() in misc.js */ |
|
105 |
if (is_mozilla && header.name === "x-orig-csp") { |
|
106 |
let index = header.value.indexOf('%5B'); |
|
107 |
if (index === -1) |
|
108 |
continue; |
|
109 |
|
|
110 |
let sig = header.value.substring(0, index); |
|
111 |
let data = header.value.substring(index); |
|
112 |
if (sig !== sign_policy(data, 0)) |
|
113 |
continue; |
|
114 |
|
|
115 |
/* Confirmed- it's the originals, smuggled in! */ |
|
116 |
try { |
|
117 |
data = JSON.parse(decodeURIComponent(data)); |
|
118 |
} catch (e) { |
|
119 |
/* This should not be reached - |
|
120 |
it's our self-produced valid JSON. */ |
|
121 |
console.log("Unexpected internal error - invalid JSON smuggled!", e); |
|
122 |
} |
|
123 |
|
|
124 |
orig_csp_headers = csp_headers = null; |
|
125 |
for (const header of data) |
|
126 |
headers.push(sanitize_csp_header(header, rule, block)); |
|
127 |
} |
|
128 |
} else if (is_chrome || !orig_csp_headers) { |
|
129 |
csp_headers.push(sanitize_csp_header(header, rule, block)); |
|
130 |
if (is_mozilla) |
|
131 |
orig_csp_headers.push(header); |
|
132 |
} |
|
56 |
const old_data = extract_signed(...match.splice(1, 2), [[0]]); |
|
57 |
if (!old_data || old_data.url !== url) |
|
58 |
continue; |
|
59 |
|
|
60 |
/* Confirmed- it's the originals, smuggled in! */ |
|
61 |
orig_csp_headers = old_data.csp_headers; |
|
62 |
old_signature = old_data.policy_signature; |
|
63 |
|
|
64 |
hachette_header = header; |
|
65 |
break; |
|
133 | 66 |
} |
134 | 67 |
|
135 |
if (orig_csp_headers) { |
|
136 |
/** Smuggle in the original CSP headers for future use. |
|
137 |
* These are signed with a time of 0, as it's not clear there |
|
138 |
* is a limit on how long Firefox might retain these headers in |
|
139 |
* the cache. |
|
140 |
*/ |
|
141 |
orig_csp_headers = encodeURIComponent(JSON.stringify(orig_csp_headers)); |
|
142 |
headers.push({ |
|
143 |
name: "x-orig-csp", |
|
144 |
value: sign_policy(orig_csp_headers, 0) + orig_csp_headers |
|
145 |
}); |
|
146 |
|
|
147 |
headers = headers.concat(csp_headers); |
|
68 |
if (!hachette_header) { |
|
69 |
hachette_header = {name: "x-hachette"}; |
|
70 |
headers.push(hachette_header); |
|
148 | 71 |
} |
149 | 72 |
|
73 |
orig_csp_headers ||= |
|
74 |
headers.filter(h => csp_header_names.has(h.name.toLowerCase())); |
|
75 |
headers = headers.filter(h => !csp_header_names.has(h.name.toLowerCase())); |
|
76 |
|
|
77 |
/* Remove headers that only snitch on us */ |
|
78 |
if (!allow) |
|
79 |
headers = headers.filter(h => h.name.toLowerCase() !== report_only); |
|
80 |
|
|
81 |
if (old_signature) |
|
82 |
headers = headers.filter(h => h.name.search(old_signature) === -1); |
|
83 |
|
|
84 |
const sanitizer = h => sanitize_csp_header(h, rule, allow); |
|
85 |
headers.push(...orig_csp_headers.map(sanitizer)); |
|
86 |
|
|
87 |
const policy = encodeURIComponent(JSON.stringify({allow, nonce, url})); |
|
88 |
const policy_signature = sign_data(policy, new Date()); |
|
89 |
const later_30sec = new Date(new Date().getTime() + 30000).toGMTString(); |
|
90 |
headers.push({ |
|
91 |
name: "Set-Cookie", |
|
92 |
value: `hachette-${policy_signature}=${policy}; Expires=${later_30sec};` |
|
93 |
}); |
|
94 |
|
|
95 |
/* |
|
96 |
* Smuggle in the signature and the original CSP headers for future use. |
|
97 |
* These are signed with a time of 0, as it's not clear there is a limit on |
|
98 |
* how long Firefox might retain headers in the cache. |
|
99 |
*/ |
|
100 |
let hachette_data = {csp_headers: orig_csp_headers, policy_signature, url}; |
|
101 |
hachette_data = encodeURIComponent(JSON.stringify(hachette_data)); |
|
102 |
hachette_header.value = sign_data(hachette_data, 0) + hachette_data; |
|
103 |
|
|
150 | 104 |
/* To ensure there is a CSP header if required */ |
151 |
if (block) { |
|
152 |
headers.push({ |
|
153 |
name: "content-security-policy", |
|
154 |
value: `script-src ${rule}; script-src-elem ${rule}; ` + |
|
155 |
"script-src-attr 'none'; prefetch-src 'none';" |
|
156 |
}); |
|
157 |
} |
|
105 |
if (!allow) |
|
106 |
headers.push({name: "content-security-policy", value: csp_rule(nonce)}); |
|
158 | 107 |
|
159 | 108 |
return {responseHeaders: headers}; |
160 | 109 |
} |
... | ... | |
167 | 116 |
if (is_chrome) |
168 | 117 |
extra_opts.push("extraHeaders"); |
169 | 118 |
|
170 |
browser.webRequest.onBeforeRequest.addListener( |
|
171 |
url_inject, |
|
172 |
{ |
|
173 |
urls: ["<all_urls>"], |
|
174 |
types: ["main_frame", "sub_frame"] |
|
175 |
}, |
|
176 |
["blocking"] |
|
177 |
); |
|
178 |
|
|
179 | 119 |
browser.webRequest.onHeadersReceived.addListener( |
180 | 120 |
headers_inject, |
181 | 121 |
{ |
Also available in: Unified diff
implement smuggling via cookies instead of URL