
Revision 5b419aed

Added by jahoti about 2 years ago

[UNTESTED- will test] Add filtering for http-equiv CSP headers


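--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -19,7 +19,7 @@
  * IMPORT url_extract_target
  * IMPORT sign_policy
  * IMPORT get_query_best
- * IMPORT parse_csp
+ * IMPORT sanitize_csp_header
  * IMPORTS_END
  */
 
@@ -79,40 +79,6 @@
     };
 }
 
-function process_csp_header(header, rule, block)
-{
-    const csp = parse_csp(header.value);
-
-
-    if (block) {
-	/* No snitching */
-	delete csp['report-to'];
-	delete csp['report-uri'];
-	
-	delete csp['script-src'];
-	delete csp['script-src-elem'];
-
-	csp['script-src-attr'] = ["'none'"];
-	csp['prefetch-src'] = ["'none'"];
-    }
-
-    if ('script-src' in csp)
-	csp['script-src'].push(rule);
-    else
-	csp['script-src'] = [rule];
-
-    if ('script-src-elem' in csp)
-	csp['script-src-elem'].push(rule);
-    else
-	csp['script-src-elem'] = [rule];
-
-    const new_policy = Object.entries(csp).map(
-	i => `${i[0]} ${i[1].join(' ')};`
-    );
-
-    return {name: header.name, value: new_policy.join('')};
-}
-
 function headers_inject(details)
 {
     const targets = url_extract_target(details.url);
@@ -157,10 +123,10 @@
 
 		orig_csp_headers = csp_headers = null;
 		for (const header of data)
-		    headers.push(process_csp_header(header, rule, block));
+		    headers.push(sanitize_csp_header(header, rule, block));
 	    }
 	} else if (is_chrome || !orig_csp_headers) {
-	    csp_headers.push(process_csp_header(header, rule, block));
+	    csp_headers.push(sanitize_csp_header(header, rule, block));
 	    if (is_mozilla)
 		orig_csp_headers.push(header);
 	}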
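Review bot: Both replaced call sites (`headers.push(sanitize_csp_header(header, rule, block))` and the `csp_headers.push(...)` one) push the helper's return value straight into the response header list, but `sanitize_csp_header` is defined outside this diff and the commit is marked untested. Nothing visible here confirms that it still returns a `{name, value}` header object, or that it keeps what the removed `process_csp_header` did when `block` is set: drop `report-to`/`report-uri` and the page's own `script-src`/`script-src-elem`, and force `script-src-attr` and `prefetch-src` to `'none'`. I would document that contract at the first call site, for example `/* sanitize_csp_header() returns {name, value}; with block set it strips reporting and page script sources before adding rule */`. Before merge it also needs a test with a header that already carries `script-src`, run once with `block` set and once without. `headers_inject` starts in the second hunk and its body continues outside the visible hunks.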
