Revision 25817b68
Added by jahoti about 2 years ago
| background/policy_injector.js | ||
|---|---|---|
| 83 | 83 |
{
|
| 84 | 84 |
const csp = parse_csp(header.value); |
| 85 | 85 |
|
| 86 |
/* No snitching */ |
|
| 87 |
delete csp['report-to']; |
|
| 88 |
delete csp['report-uri']; |
|
| 89 | 86 |
|
| 90 | 87 |
if (block) {
|
| 88 |
/* No snitching */ |
|
| 89 |
delete csp['report-to']; |
|
| 90 |
delete csp['report-uri']; |
|
| 91 |
|
|
| 91 | 92 |
delete csp['script-src']; |
| 92 | 93 |
delete csp['script-src-elem']; |
| 94 |
|
|
| 93 | 95 |
csp['script-src-attr'] = ["'none'"]; |
| 94 | 96 |
csp['prefetch-src'] = ["'none'"]; |
| 95 | 97 |
} |
| ... | ... | |
| 127 | 129 |
|
| 128 | 130 |
for (const header of details.responseHeaders) {
|
| 129 | 131 |
if (!csp_header_names.has(header)) {
|
| 130 |
/* Retain all non-snitching headers */ |
|
| 131 |
if (header.name.toLowerCase() !== report_only) {
|
|
| 132 |
headers.push(header); |
|
| 133 |
|
|
| 134 |
/* If these are the original CSP headers, use them instead */ |
|
| 135 |
/* Test based on url_extract_target() in misc.js */ |
|
| 136 |
if (is_mozilla && header.name === "x-orig-csp") {
|
|
| 137 |
let index = header.value.indexOf('%5B');
|
|
| 138 |
if (index === -1) |
|
| 139 |
continue; |
|
| 140 |
|
|
| 141 |
let sig = header.value.substring(0, index); |
|
| 142 |
let data = header.value.substring(index); |
|
| 143 |
if (sig !== sign_policy(data, 0)) |
|
| 144 |
continue; |
|
| 145 |
|
|
| 146 |
/* Confirmed- it's the originals, smuggled in! */ |
|
| 147 |
try {
|
|
| 148 |
data = JSON.parse(decodeURIComponent(data)); |
|
| 149 |
} catch (e) {
|
|
| 150 |
/* This should not be reached - |
|
| 151 |
it's our self-produced valid JSON. */ |
|
| 152 |
console.log("Unexpected internal error - invalid JSON smuggled!", e);
|
|
| 153 |
} |
|
| 154 |
|
|
| 155 |
orig_csp_headers = csp_headers = null; |
|
| 156 |
for (const header of data) |
|
| 157 |
headers.push(process_csp_header(header, rule, block)); |
|
| 132 |
/* Remove headers that only snitch on us */ |
|
| 133 |
if (header.name.toLowerCase() === report_only && block) |
|
| 134 |
continue; |
|
| 135 |
headers.push(header); |
|
| 136 |
|
|
| 137 |
/* If these are the original CSP headers, use them instead */ |
|
| 138 |
/* Test based on url_extract_target() in misc.js */ |
|
| 139 |
if (is_mozilla && header.name === "x-orig-csp") {
|
|
| 140 |
let index = header.value.indexOf('%5B');
|
|
| 141 |
if (index === -1) |
|
| 142 |
continue; |
|
| 143 |
|
|
| 144 |
let sig = header.value.substring(0, index); |
|
| 145 |
let data = header.value.substring(index); |
|
| 146 |
if (sig !== sign_policy(data, 0)) |
|
| 147 |
continue; |
|
| 148 |
|
|
| 149 |
/* Confirmed- it's the originals, smuggled in! */ |
|
| 150 |
try {
|
|
| 151 |
data = JSON.parse(decodeURIComponent(data)); |
|
| 152 |
} catch (e) {
|
|
| 153 |
/* This should not be reached - |
|
| 154 |
it's our self-produced valid JSON. */ |
|
| 155 |
console.log("Unexpected internal error - invalid JSON smuggled!", e);
|
|
| 158 | 156 |
} |
| 159 |
} |
|
| 160 | 157 |
|
| 161 |
continue; |
|
| 158 |
orig_csp_headers = csp_headers = null; |
|
| 159 |
for (const header of data) |
|
| 160 |
headers.push(process_csp_header(header, rule, block)); |
|
| 161 |
} |
|
| 162 |
} else if (is_chrome || !orig_csp_headers) {
|
|
| 163 |
csp_headers.push(process_csp_header(header, rule, block)); |
|
| 164 |
if (is_mozilla) |
|
| 165 |
orig_csp_headers.push(header); |
|
| 162 | 166 |
} |
| 163 |
if (is_mozilla && !orig_csp_headers) |
|
| 164 |
continue; |
|
| 165 |
|
|
| 166 |
csp_headers.push(process_csp_header(header, rule, block)); |
|
| 167 |
if (is_mozilla) |
|
| 168 |
orig_csp_headers.push(header); |
|
| 169 | 167 |
} |
| 170 | 168 |
|
| 171 | 169 |
if (orig_csp_headers) {
|
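Review bot: The new `} else if (is_chrome || !orig_csp_headers) {` after the x-orig-csp block appears to invert the guard it replaces: the removed code skipped CSP headers only when `is_mozilla && !orig_csp_headers`, whereas the new condition runs `csp_headers.push(...)` exactly in that case, and `csp_headers` has just been set to null by `orig_csp_headers = csp_headers = null` once the originals are found, so on Firefox this would throw a TypeError (and while `orig_csp_headers` is still an array, CSP headers are neither processed nor forwarded). Assuming `is_chrome` and `is_mozilla` are complementary and `orig_csp_headers` starts out as an array on Firefox (its initialisation is outside the hunk), the condition should read `} else if (is_chrome || orig_csp_headers) {`. Separately, the `catch (e)` around `JSON.parse(decodeURIComponent(data))` only logs, so a failed parse leaves `data` as the raw string and `for (const header of data)` then feeds single characters to `process_csp_header`; a `continue;` after the `console.log` would bail out instead. The inner `for (const header of data)` also shadows the loop variable of the outer `for (const header of details.responseHeaders)`, which is legal but easy to misread; a distinct name such as `orig_header` would help. The enclosing function begins before and ends after this hunk.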
Rationalize CSP violation report blocking.
Report blocking now applies iff scripts are blocked.