Revision 12fd4fc3
Added by koszko about 2 years ago
| TODOS.org | ||
|---|---|---|
| 47 | 47 |
(e.g. file:// and ftp://) |
| 48 | 48 |
- Process HTML files in data: URLs instead of just blocking them |
| 49 | 49 |
- improve CSP injection for pathological cases like <script> before <head> |
| 50 |
- Fix FF script blocking and whitelisting (FF seems to be by itself repeatedly |
|
| 51 |
injecting CSP headers that were injected once, this makes it impossible to |
|
| 52 |
whielist site that was unwhitelisted before; FF also seems to be removing our |
|
| 53 |
injected script's nonce for no reason 🙁) |
|
| 54 | 50 |
|
| 55 | 51 |
DONE: |
| 52 |
- Fix FF script whitelisting (FF seems to be by itself repeatedly -- DONE 2021-06-30 |
|
| 53 |
injecting CSP headers that were injected once, this made it impossible to |
|
| 54 |
whielist site that was unwhitelisted before) |
|
| 56 | 55 |
- find out if we can successfully use CSP to block file:// under FF -- DONE 2021-06-30 |
| 57 | 56 |
- come up with own simple DSL to manage imports/exports -- DONE 2021-06-30 |
| 58 | 57 |
- add some mechanism to build the extension -- DONE 2021-06-30 |
| background/policy_injector.js | ||
|---|---|---|
| 21 | 21 |
var storage; |
| 22 | 22 |
var query_best; |
| 23 | 23 |
|
| 24 |
let csp_header_names = {
|
|
| 24 |
const csp_header_names = {
|
|
| 25 | 25 |
"content-security-policy" : true, |
| 26 | 26 |
"x-webkit-csp" : true, |
| 27 | 27 |
"x-content-security-policy" : true |
| 28 | 28 |
}; |
| 29 | 29 |
|
| 30 |
function is_noncsp_header(header) |
|
| 30 |
const header_name = "content-security-policy"; |
|
| 31 |
|
|
| 32 |
function is_csp_header(header) |
|
| 33 |
{
|
|
| 34 |
return !!csp_header_names[header.name.toLowerCase()]; |
|
| 35 |
} |
|
| 36 |
|
|
| 37 |
function is_our_header(header, rule) |
|
| 31 | 38 |
{
|
| 32 |
return !csp_header_names[header.name.toLowerCase()];
|
|
| 39 |
return header.value === rule
|
|
| 33 | 40 |
} |
| 34 | 41 |
|
| 35 | 42 |
function inject(details) |
| 36 | 43 |
{
|
| 37 |
let url = url_item(details.url); |
|
| 44 |
const url = url_item(details.url); |
|
| 45 |
|
|
| 46 |
const [pattern, settings] = query_best(url); |
|
| 47 |
|
|
| 48 |
const nonce = gen_unique(url); |
|
| 49 |
const rule = csp_rule(nonce); |
|
| 38 | 50 |
|
| 39 |
let [pattern, settings] = query_best(url);
|
|
| 51 |
var headers;
|
|
| 40 | 52 |
|
| 41 |
if (settings !== undefined && settings.allow) |
|
| 42 |
return {cancel : false};
|
|
| 53 |
if (settings !== undefined && settings.allow) {
|
|
| 54 |
/* |
|
| 55 |
* Chrome doesn't have the buggy behavior of repeatedly injecting a |
|
| 56 |
* header we injected once. Firefox does and we have to remove it there. |
|
| 57 |
*/ |
|
| 58 |
if (is_chrome) |
|
| 59 |
return {cancel: false};
|
|
| 43 | 60 |
|
| 44 |
let nonce = gen_unique(url); |
|
| 45 |
let headers = details.responseHeaders.filter(is_noncsp_header); |
|
| 61 |
headers = details.responseHeaders.filter(h => !is_our_header(h, rule)); |
|
| 62 |
} else {
|
|
| 63 |
headers = details.responseHeaders.filter(h => !is_csp_header(h)); |
|
| 46 | 64 |
|
| 47 |
headers.push({
|
|
| 48 |
name : "content-security-policy", |
|
| 49 |
value : csp_rule(nonce) |
|
| 50 |
}); |
|
| 65 |
headers.push({
|
|
| 66 |
name : header_name, |
|
| 67 |
value : rule |
|
| 68 |
}); |
|
| 69 |
} |
|
| 51 | 70 |
|
| 52 | 71 |
return {responseHeaders: headers};
|
| 53 | 72 |
} |
Also available in: Unified diff
fix whitelisting under Firefox