Revision 44e89d8e
Added by koszko almost 2 years ago
background/policy_injector.js | ||
10 | 10 |
* IMPORTS_START |
11 | 11 |
* IMPORT sign_data |
12 | 12 |
* IMPORT extract_signed |
13 |
* IMPORT sanitize_csp_header |
|
14 |
* IMPORT csp_rule |
|
15 |
* IMPORT is_csp_header_name |
|
13 |
* IMPORT make_csp_rule |
|
14 |
* IMPORT csp_header_regex |
|
16 | 15 |
* IMPORTS_END |
17 | 16 |
*/ |
18 | 17 |
|
... | ... | |
43 | 42 |
break; |
44 | 43 |
} |
45 | 44 |
|
45 |
if (policy.has_payload) { |
|
46 |
csp_headers = []; |
|
47 |
const non_csp_headers = []; |
|
48 |
const header_list = |
|
49 |
h => csp_header_regex.test(h) ? csp_headers : non_csp_headers; |
|
50 |
headers.forEach(h => header_list(h.name).push(h)); |
|
51 |
headers = non_csp_headers; |
|
52 |
} else { |
|
53 |
headers.push(...csp_headers || []); |
|
54 |
} |
|
55 |
|
|
46 | 56 |
if (!hachette_header) { |
47 | 57 |
hachette_header = {name: "x-hachette"}; |
48 | 58 |
headers.push(hachette_header); |
49 | 59 |
} |
50 | 60 |
|
51 |
csp_headers = csp_headers || |
|
52 |
headers.filter(h => is_csp_header_name(h.name)); |
|
53 |
|
|
54 |
/* When blocking remove report-only CSP headers that snitch on us. */ |
|
55 |
headers = headers.filter(h => !is_csp_header_name(h.name, !policy.allow)); |
|
56 |
|
|
57 | 61 |
if (old_signature) |
58 | 62 |
headers = headers.filter(h => h.value.search(old_signature) === -1); |
59 | 63 |
|
60 |
headers.push(...csp_headers.map(h => sanitize_csp_header(h, policy))); |
|
61 |
|
|
62 | 64 |
const policy_str = encodeURIComponent(JSON.stringify(policy)); |
63 | 65 |
const signed_policy = sign_data(policy_str, new Date().getTime()); |
64 | 66 |
const later_30sec = new Date(new Date().getTime() + 30000).toGMTString(); |
... | ... | |
76 | 78 |
hachette_data = encodeURIComponent(JSON.stringify(hachette_data)); |
77 | 79 |
hachette_header.value = sign_data(hachette_data, 0).join("_"); |
78 | 80 |
|
79 |
/* To ensure there is a CSP header if required */ |
|
80 |
if (!policy.allow) |
|
81 |
if (!policy.allow) { |
|
81 | 82 |
headers.push({ |
82 | 83 |
name: "content-security-policy", |
83 |
value: csp_rule(policy.nonce)
|
|
84 |
value: make_csp_rule(policy)
|
|
84 | 85 |
}); |
86 |
} |
|
85 | 87 |
|
86 | 88 |
return headers; |
87 | 89 |
} |
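Review bot: The new has_payload branch (new lines 45–51) classifies headers with `csp_header_regex.test(h)` on the raw header name, and since the regex is defined outside this section it is worth confirming that it is case-insensitive (header names arrive in any case) and carries no `g`/`y` flag, because a global or sticky regex makes `.test()` stateful across calls and would silently leave some CSP headers in place. The commit message promises that all of the page's CSP rules go when a payload is injected, which only holds if that same regex also matches the `-report-only` variant that the removed `is_csp_header_name(h.name, !policy.allow)` filter used to strip explicitly. The `csp_headers` bucket filled by `header_list` is never read again in the visible new code (unless the elided new lines 67–77 use it), so the two-bucket helper can be reduced to `headers = headers.filter(h => !csp_header_regex.test(h.name));` preceded by a why-comment such as `/* Any page CSP could block the injected payload, so drop them all (report-only included) and rely on our own rule below. */`. The enclosing function starts before this section.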
simplify CSP handling
All of the page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.