Revision 44e89d8e
Added by koszko almost 2 years ago
common/misc.js | ||
---|---|---|
43 | 43 |
return Uint8toHex(randomData); |
44 | 44 |
} |
45 | 45 |
|
46 |
/* csp rule that blocks all scripts except for those injected by us */
|
|
47 |
function csp_rule(nonce)
|
|
46 |
/* CSP rule that blocks scripts according to policy's needs. */
|
|
47 |
function make_csp_rule(policy)
|
|
48 | 48 |
{ |
49 |
const rule = `'nonce-${nonce}'`; |
|
50 |
return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`; |
|
49 |
let rule = "prefetch-src 'none'; script-src-attr 'none';"; |
|
50 |
const script_src = policy.has_payload ? |
|
51 |
`'nonce-${policy.nonce}'` : "'none'"; |
|
52 |
rule += ` script-src ${script_src}; script-src-elem ${script_src};`; |
|
53 |
return rule; |
|
51 | 54 |
} |
52 | 55 |
|
53 | 56 |
/* Check if some HTTP header might define CSP rules. */ |
54 |
const csp_header_names = new Set([ |
|
55 |
"content-security-policy", |
|
56 |
"x-webkit-csp", |
|
57 |
"x-content-security-policy" |
|
58 |
]); |
|
59 |
|
|
60 |
const report_only_header_name = "content-security-policy-report-only"; |
|
61 |
|
|
62 |
function is_csp_header_name(string, include_report_only) |
|
63 |
{ |
|
64 |
string = string && string.toLowerCase().trim() || ""; |
|
65 |
|
|
66 |
return (include_report_only && string === report_only_header_name) || |
|
67 |
csp_header_names.has(string); |
|
68 |
} |
|
57 |
const csp_header_regex = |
|
58 |
/^\s*(content-security-policy|x-webkit-csp|x-content-security-policy)/i; |
|
69 | 59 |
|
70 | 60 |
/* |
71 | 61 |
* Print item together with type, e.g. |
... | ... | |
111 | 101 |
return directives; |
112 | 102 |
} |
113 | 103 |
|
114 |
/* Make CSP headers do our bidding, not interfere */ |
|
115 |
function sanitize_csp_header(header, policy) |
|
116 |
{ |
|
117 |
const rule = `'nonce-${policy.nonce}'`; |
|
118 |
const csp = parse_csp(header.value); |
|
119 |
|
|
120 |
if (!policy.allow) { |
|
121 |
/* No snitching */ |
|
122 |
delete csp['report-to']; |
|
123 |
delete csp['report-uri']; |
|
124 |
|
|
125 |
delete csp['script-src']; |
|
126 |
delete csp['script-src-elem']; |
|
127 |
|
|
128 |
csp['script-src-attr'] = ["'none'"]; |
|
129 |
csp['prefetch-src'] = ["'none'"]; |
|
130 |
} |
|
131 |
|
|
132 |
if ('script-src' in csp) |
|
133 |
csp['script-src'].push(rule); |
|
134 |
else |
|
135 |
csp['script-src'] = [rule]; |
|
136 |
|
|
137 |
if ('script-src-elem' in csp) |
|
138 |
csp['script-src-elem'].push(rule); |
|
139 |
else |
|
140 |
csp['script-src-elem'] = [rule]; |
|
141 |
|
|
142 |
const new_csp = Object.entries(csp).map( |
|
143 |
i => `${i[0]} ${i[1].join(' ')};` |
|
144 |
); |
|
145 |
|
|
146 |
return {name: header.name, value: new_csp.join('')}; |
|
147 |
} |
|
148 |
|
|
149 | 104 |
/* Regexes and objects to use as/in schemas for parse_json_with_schema(). */ |
150 | 105 |
const nonempty_string_matcher = /.+/; |
151 | 106 |
|
... | ... | |
161 | 116 |
/* |
162 | 117 |
* EXPORTS_START |
163 | 118 |
* EXPORT gen_nonce |
164 |
* EXPORT csp_rule |
|
165 |
* EXPORT is_csp_header_name
|
|
119 |
* EXPORT make_csp_rule
|
|
120 |
* EXPORT csp_header_regex
|
|
166 | 121 |
* EXPORT nice_name |
167 | 122 |
* EXPORT open_in_settings |
168 | 123 |
* EXPORT is_privileged_url |
169 |
* EXPORT sanitize_csp_header |
|
170 | 124 |
* EXPORT matchers |
171 | 125 |
* EXPORTS_END |
172 | 126 |
*/ |
Also available in: Unified diff
simplify CSP handling
All page's CSP rules are now removed when a payload is to be injected. When there is no payload, CSP rules are not modified but only supplemented with Hachette's own.