Revision 5b419aed
Added by jahoti about 2 years ago
background/policy_injector.js | ||
---|---|---|
19 | 19 |
* IMPORT url_extract_target |
20 | 20 |
* IMPORT sign_policy |
21 | 21 |
* IMPORT get_query_best |
22 |
* IMPORT parse_csp
|
|
22 |
* IMPORT sanitize_csp_header
|
|
23 | 23 |
* IMPORTS_END |
24 | 24 |
*/ |
25 | 25 |
|
... | ... | |
79 | 79 |
}; |
80 | 80 |
} |
81 | 81 |
|
82 |
function process_csp_header(header, rule, block) |
|
83 |
{ |
|
84 |
const csp = parse_csp(header.value); |
|
85 |
|
|
86 |
|
|
87 |
if (block) { |
|
88 |
/* No snitching */ |
|
89 |
delete csp['report-to']; |
|
90 |
delete csp['report-uri']; |
|
91 |
|
|
92 |
delete csp['script-src']; |
|
93 |
delete csp['script-src-elem']; |
|
94 |
|
|
95 |
csp['script-src-attr'] = ["'none'"]; |
|
96 |
csp['prefetch-src'] = ["'none'"]; |
|
97 |
} |
|
98 |
|
|
99 |
if ('script-src' in csp) |
|
100 |
csp['script-src'].push(rule); |
|
101 |
else |
|
102 |
csp['script-src'] = [rule]; |
|
103 |
|
|
104 |
if ('script-src-elem' in csp) |
|
105 |
csp['script-src-elem'].push(rule); |
|
106 |
else |
|
107 |
csp['script-src-elem'] = [rule]; |
|
108 |
|
|
109 |
const new_policy = Object.entries(csp).map( |
|
110 |
i => `${i[0]} ${i[1].join(' ')};` |
|
111 |
); |
|
112 |
|
|
113 |
return {name: header.name, value: new_policy.join('')}; |
|
114 |
} |
|
115 |
|
|
116 | 82 |
function headers_inject(details) |
117 | 83 |
{ |
118 | 84 |
const targets = url_extract_target(details.url); |
... | ... | |
157 | 123 |
|
158 | 124 |
orig_csp_headers = csp_headers = null; |
159 | 125 |
for (const header of data) |
160 |
headers.push(process_csp_header(header, rule, block));
|
|
126 |
headers.push(sanitize_csp_header(header, rule, block));
|
|
161 | 127 |
} |
162 | 128 |
} else if (is_chrome || !orig_csp_headers) { |
163 |
csp_headers.push(process_csp_header(header, rule, block));
|
|
129 |
csp_headers.push(sanitize_csp_header(header, rule, block));
|
|
164 | 130 |
if (is_mozilla) |
165 | 131 |
orig_csp_headers.push(header); |
166 | 132 |
} |
[UNTESTED- will test] Add filtering for http-equiv CSP headers