Haketilo

/**

 * Myext injecting policy to page using webRequest

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT TYPE_PREFIX

 * IMPORT get_storage

 * IMPORT browser

 * IMPORT is_chrome

 * IMPORT gen_unique

 * IMPORT url_item

 * IMPORT get_query_best

 * IMPORTS_END

 */

var storage;

var query_best;

let csp_header_names = {

    "content-security-policy" : true,

    "x-webkit-csp" : true,

    "x-content-security-policy" : true

};

function is_noncsp_header(header)

{

    return !csp_header_names[header.name.toLowerCase()];

}

function inject(details)

{

    let url = url_item(details.url);

    let [pattern, settings] = query_best(url);

    if (settings !== undefined && settings.allow)

	return {cancel : false};

    let nonce = gen_unique(url).substring(1);

    let headers = details.responseHeaders.filter(is_noncsp_header);

    let rule = `script-src 'nonce-${nonce}';`;

    if (is_chrome)

	rule += `script-src-elem 'nonce-${nonce}';`;

    headers.push({

	name : "content-security-policy",

	value : rule

    });

    return {responseHeaders: headers};

}

async function start_policy_injector()

{

    storage = await get_storage();

    query_best = await get_query_best();

    let extra_opts = ["blocking", "responseHeaders"];

    if (is_chrome)

	extra_opts.push("extraHeaders");

    browser.webRequest.onHeadersReceived.addListener(

	inject,

	{

	    urls: ["<all_urls>"],

	    types: ["main_frame", "sub_frame"]

	},

	extra_opts

    );

}

/*

 * EXPORTS_START

 * EXPORT start_policy_injector

 * EXPORTS_END

 */