Revision 44e89d8e
Added by koszko almost 2 years ago
| background/policy_injector.js | ||
|---|---|---|
| 10 | 10 |
* IMPORTS_START |
| 11 | 11 |
* IMPORT sign_data |
| 12 | 12 |
* IMPORT extract_signed |
| 13 |
* IMPORT sanitize_csp_header |
|
| 14 |
* IMPORT csp_rule |
|
| 15 |
* IMPORT is_csp_header_name |
|
| 13 |
* IMPORT make_csp_rule |
|
| 14 |
* IMPORT csp_header_regex |
|
| 16 | 15 |
* IMPORTS_END |
| 17 | 16 |
*/ |
| 18 | 17 |
|
| ... | ... | |
| 43 | 42 |
break; |
| 44 | 43 |
} |
| 45 | 44 |
|
| 45 |
if (policy.has_payload) {
|
|
| 46 |
csp_headers = []; |
|
| 47 |
const non_csp_headers = []; |
|
| 48 |
const header_list = |
|
| 49 |
h => csp_header_regex.test(h) ? csp_headers : non_csp_headers; |
|
| 50 |
headers.forEach(h => header_list(h.name).push(h)); |
|
| 51 |
headers = non_csp_headers; |
|
| 52 |
} else {
|
|
| 53 |
headers.push(...csp_headers || []); |
|
| 54 |
} |
|
| 55 |
|
|
| 46 | 56 |
if (!hachette_header) {
|
| 47 | 57 |
hachette_header = {name: "x-hachette"};
|
| 48 | 58 |
headers.push(hachette_header); |
| 49 | 59 |
} |
| 50 | 60 |
|
| 51 |
csp_headers = csp_headers || |
|
| 52 |
headers.filter(h => is_csp_header_name(h.name)); |
|
| 53 |
|
|
| 54 |
/* When blocking remove report-only CSP headers that snitch on us. */ |
|
| 55 |
headers = headers.filter(h => !is_csp_header_name(h.name, !policy.allow)); |
|
| 56 |
|
|
| 57 | 61 |
if (old_signature) |
| 58 | 62 |
headers = headers.filter(h => h.value.search(old_signature) === -1); |
| 59 | 63 |
|
| 60 |
headers.push(...csp_headers.map(h => sanitize_csp_header(h, policy))); |
|
| 61 |
|
|
| 62 | 64 |
const policy_str = encodeURIComponent(JSON.stringify(policy)); |
| 63 | 65 |
const signed_policy = sign_data(policy_str, new Date().getTime()); |
| 64 | 66 |
const later_30sec = new Date(new Date().getTime() + 30000).toGMTString(); |
| ... | ... | |
| 76 | 78 |
hachette_data = encodeURIComponent(JSON.stringify(hachette_data)); |
| 77 | 79 |
hachette_header.value = sign_data(hachette_data, 0).join("_");
|
| 78 | 80 |
|
| 79 |
/* To ensure there is a CSP header if required */ |
|
| 80 |
if (!policy.allow) |
|
| 81 |
if (!policy.allow) {
|
|
| 81 | 82 |
headers.push({
|
| 82 | 83 |
name: "content-security-policy", |
| 83 |
value: csp_rule(policy.nonce)
|
|
| 84 |
value: make_csp_rule(policy)
|
|
| 84 | 85 |
}); |
| 86 |
} |
|
| 85 | 87 |
|
| 86 | 88 |
return headers; |
| 87 | 89 |
} |
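Review bot: The split in the `policy.has_payload` branch, `h => csp_header_regex.test(h) ? csp_headers : non_csp_headers`, is only reliable if `csp_header_regex` is case-insensitive and carries no `g`/`y` flag — a `/g` regex advances `lastIndex` between `.test` calls and could let a page CSP header through alongside the payload; the regex is imported from outside this hunk, so this is worth confirming at its definition. The old explicit step `/* When blocking remove report-only CSP headers that snitch on us. */` is dropped: with no payload and `policy.allow` false, the page's report-only CSP now stays in place while Hachette's own rule is pushed, so violations triggered by that rule can still be reported to the page's report endpoint; if that is the intended trade-off described in the commit message, a one-line comment in the `else` branch should state it. `csp_headers = [];` assigns to a variable declared outside the hunk (the enclosing function's signature is not visible); if that binding is shared across calls rather than per-request, the reassignment would carry one request's headers into a later call's `headers.push(...csp_headers || [])`.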
simplify CSP handling
All of the page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.