1
|
/**
|
2
|
* Myext injecting policy to page using webRequest
|
3
|
*
|
4
|
* Copyright (C) 2021 Wojtek Kosior
|
5
|
* Redistribution terms are gathered in the `copyright' file.
|
6
|
*/
|
7
|
|
8
|
/*
|
9
|
* IMPORTS_START
|
10
|
* IMPORT TYPE_PREFIX
|
11
|
* IMPORT get_storage
|
12
|
* IMPORT browser
|
13
|
* IMPORT is_chrome
|
14
|
* IMPORT gen_unique
|
15
|
* IMPORT url_item
|
16
|
* IMPORT get_query_best
|
17
|
* IMPORTS_END
|
18
|
*/
|
19
|
|
20
|
var storage;
|
21
|
var query_best;
|
22
|
|
23
|
let csp_header_names = {
|
24
|
"content-security-policy" : true,
|
25
|
"x-webkit-csp" : true,
|
26
|
"x-content-security-policy" : true
|
27
|
};
|
28
|
|
29
|
function is_noncsp_header(header)
|
30
|
{
|
31
|
return !csp_header_names[header.name.toLowerCase()];
|
32
|
}
|
33
|
|
34
|
function inject(details)
|
35
|
{
|
36
|
let url = url_item(details.url);
|
37
|
|
38
|
let [pattern, settings] = query_best(url);
|
39
|
|
40
|
if (settings !== undefined && settings.allow)
|
41
|
return {cancel : false};
|
42
|
|
43
|
let nonce = gen_unique(url).substring(1);
|
44
|
let headers = details.responseHeaders.filter(is_noncsp_header);
|
45
|
|
46
|
let rule = `script-src 'nonce-${nonce}';`;
|
47
|
if (is_chrome)
|
48
|
rule += `script-src-elem 'nonce-${nonce}';`;
|
49
|
|
50
|
headers.push({
|
51
|
name : "content-security-policy",
|
52
|
value : rule
|
53
|
});
|
54
|
|
55
|
return {responseHeaders: headers};
|
56
|
}
|
57
|
|
58
|
async function start_policy_injector()
|
59
|
{
|
60
|
storage = await get_storage();
|
61
|
query_best = await get_query_best();
|
62
|
|
63
|
let extra_opts = ["blocking", "responseHeaders"];
|
64
|
if (is_chrome)
|
65
|
extra_opts.push("extraHeaders");
|
66
|
|
67
|
browser.webRequest.onHeadersReceived.addListener(
|
68
|
inject,
|
69
|
{
|
70
|
urls: ["<all_urls>"],
|
71
|
types: ["main_frame", "sub_frame"]
|
72
|
},
|
73
|
extra_opts
|
74
|
);
|
75
|
}
|
76
|
|
77
|
/*
|
78
|
* EXPORTS_START
|
79
|
* EXPORT start_policy_injector
|
80
|
* EXPORTS_END
|
81
|
*/
|