Revision 2875397f
Added by koszko about 2 years ago
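--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@
 }
 
 if (!is_privileged_url(document.URL)) {
-const reductor =
-(ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
-const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
-let [policy, signature] = matches.reduce(reductor, []);
+/* Signature valid for half an hour. */
+const min_time = new Date().getTime() - 1800 * 1000;
+let best_result = {time: -1};
+let policy = null;
+const extracted_signatures = [];
+for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+const new_result = extract_signed(...match.slice(1, 3));
+if (new_result.fail)
+continue;
 
-if (!policy || policy.url !== document.URL) {
-console.log("WARNING! Using default policy!!!");
+extracted_signatures.push(match[1]);
+
+if (new_result.time < Math.max(min_time, best_result.time))
+continue;
+
+/* This should succeed - it's our self-produced valid JSON. */
+const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+if (new_policy.url !== document.URL)
+continue;
+
+best_result = new_result;
+policy = new_policy;
+}
+
+if (!policy) {
+console.warn("WARNING! Using default policy!!!");
 policy = {allow: false, nonce: gen_nonce()};
 }
 
-if (signature)
+for (const signature of extracted_signatures)
 document.cookie = `hachette-${signature}=; Max-Age=-1;`;
 
 handle_page_actions(policy.nonce);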
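Review bot: Cookies that fail verification are never cleared, because in the new loop `if (new_result.fail) continue;` runs before `extracted_signatures.push(match[1]);`, so only entries that verified reach the cleanup loop at the end. Any `hachette-*` cookie with a bad signature therefore stays in the jar, is sent with later requests, and is passed through `extract_signed` again on every load. Unless leaving them is intentional (in which case a comment should say so), move the push above the fail check so that every matched name is expired; `match[1]` is restricted to `\w` characters by the regex, so interpolating it into the cookie string is safe. Separately, the freshness test `new_result.time < Math.max(min_time, best_result.time)` rejects only when the comparison is true, so a non-numeric `time` would be accepted as fresh; whether `extract_signed` can return one is not visible here, and a `Number.isFinite(new_result.time)` guard would make the check fail closed. The enclosing `if (!is_privileged_url(document.URL))` block is not closed within the lines shown.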
improve signing

Signature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled into contexts that don't require it.