
Revision 014f2a2f

Added by koszko about 2 years ago

implement smuggling via cookies instead of URL


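--- a/common/misc.js
+++ b/common/misc.js
@@ -45,11 +45,6 @@
     return Uint8toHex(randomData);
 }
 
-function gen_unique(url)
-{
-    return sha256(get_secure_salt() + url);
-}
-
 function get_secure_salt()
 {
     if (is_chrome)
@@ -58,72 +53,29 @@
 	return browser.runtime.getURL("dummy");
 }
 
-/*
- * stripping url from query and target (everything after `#' or `?'
- * gets removed)
- */
-function url_item(url)
-{
-    let url_re = /^([^?#]*).*$/;
-    let match = url_re.exec(url);
-    return match[1];
-}
-
-/*
- * Assume a url like:
- *     https://example.com/green?illuminati=confirmed#<injected-policy>#winky
- * This function will make it into an object like:
- * {
- *     "base_url": "https://example.com/green?illuminati=confirmed",
- *     "target":   "#<injected-policy>",
- *     "target2":  "#winky",
- *     "policy":   <injected-policy-as-js-object>,
- *     "current":  <boolean-indicating-whether-policy-url-matches>
- * }
- * In case url doesn't have 2 #'s, target2 and target can be set to undefined.
- */
-function url_extract_target(url)
+function extract_signed(signature, data, times)
 {
-    const url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
-    const match = url_re.exec(url);
-    const targets  = {
-	base_url: match[1],
-	target:   match[3] || "",
-	target2:  match[4] || ""
-    };
-    if (!targets.target)
-	return targets;
-
-    /* %7B -> { */
-    const index = targets.target.indexOf('%7B');
-    if (index === -1)
-	return targets;
-
     const now = new Date();
-    const sig = targets.target.substring(1, index);
-    const policy = targets.target.substring(index);
-    if (sig !== sign_policy(policy, now) &&
-	sig !== sign_policy(policy, now, -1))
-	return targets;
+    times ||= [[now], [now, -1]];
+
+    const reductor =
+	  (ok, time) => ok || signature === sign_data(data, ...time);
+    if (!times.reduce(reductor, false))
+	return undefined;
 
     try {
-	targets.policy = JSON.parse(decodeURIComponent(policy));
-	targets.current = targets.policy.base_url === targets.base_url;
+	return JSON.parse(decodeURIComponent(data));
     } catch (e) {
 	/* This should not be reached - it's our self-produced valid JSON. */
 	console.log("Unexpected internal error - invalid JSON smuggled!", e);
     }
-
-    return targets;
 }
 
 /* csp rule that blocks all scripts except for those injected by us */
 function csp_rule(nonce)
 {
-    let rule = `script-src 'nonce-${nonce}';`;
-    if (is_chrome)
-	rule += `script-src-elem 'nonce-${nonce}';`;
-    return rule;
+    const rule = `'nonce-${nonce}'`;
+    return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
 }
 
 /*
@@ -149,10 +101,10 @@
     return !!/^(chrome(-extension)?|moz-extension):\/\/|^about:/i.exec(url);
 }
 
-/* Sign a given policy for a given time */
-function sign_policy(policy, now, hours_offset) {
+/* Sign a given string for a given time */
+function sign_data(data, now, hours_offset) {
     let time = Math.floor(now / 3600000) + (hours_offset || 0);
-    return gen_unique(time + policy);
+    return sha256(get_secure_salt() + time + data);
 }
 
 /* Parse a CSP header */
@@ -175,11 +127,11 @@
 }
 
 /* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, rule, block)
+function sanitize_csp_header(header, rule, allow)
 {
     const csp = parse_csp(header.value);
 
-    if (block) {
+    if (!allow) {
 	/* No snitching */
 	delete csp['report-to'];
 	delete csp['report-uri'];
@@ -223,10 +175,8 @@
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
- * EXPORT gen_unique
- * EXPORT url_item
- * EXPORT url_extract_target
- * EXPORT sign_policy
+ * EXPORT extract_signed
+ * EXPORT sign_data
  * EXPORT csp_rule
  * EXPORT nice_name
  * EXPORT open_in_settings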
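Review bot: `sign_data` authenticates the smuggled payload with `sha256(get_secure_salt() + time + data)`, which is a secret-prefix hash rather than a MAC, and it joins `time` and `data` with no separator. If `sha256` is plain SHA-256, the tag is open to length extension. If the signed value also travels in a cookie the visited site can write, as the commit title suggests, this tag is the only thing `extract_signed` relies on before it calls `JSON.parse` on the data. Now that the function signs arbitrary strings and not only policies starting with `%7B`, the missing separator also means a digit-leading `data` can be read as part of the hour counter. An HMAC keyed with the salt would close both; if the function has to stay synchronous, a nested hash with a delimiter is a smaller step: `const salt = get_secure_salt();` then `return sha256(salt + sha256(salt + time + ":" + data));`. A comment on `sign_data` stating that the result is a one-hour-granularity authentication tag, and what may be assumed about who can write `data`, would help the next reader.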
