Revision 5b419aed
Added by jahoti about 2 years ago
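--- a/common/misc.js
+++ b/common/misc.js
@@ -173,6 +173,40 @@
 return directives;
 }
 
+/* Make CSP headers do our bidding, not interfere */
+function sanitize_csp_header(header, rule, block)
+{
+const csp = parse_csp(header.value);
+
+if (block) {
+/* No snitching */
+delete csp['report-to'];
+delete csp['report-uri'];
+
+delete csp['script-src'];
+delete csp['script-src-elem'];
+
+csp['script-src-attr'] = ["'none'"];
+csp['prefetch-src'] = ["'none'"];
+}
+
+if ('script-src' in csp)
+csp['script-src'].push(rule);
+else
+csp['script-src'] = [rule];
+
+if ('script-src-elem' in csp)
+csp['script-src-elem'].push(rule);
+else
+csp['script-src-elem'] = [rule];
+
+const new_policy = Object.entries(csp).map(
+i => `${i[0]} ${i[1].join(' ')};`
+);
+
+return {name: header.name, value: new_policy.join('')};
+}
+
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
@@ -184,6 +218,6 @@
 * EXPORT nice_name
 * EXPORT open_in_settings
 * EXPORT is_privileged_url
-* EXPORT parse_csp
+* EXPORT sanitize_csp_header
 * EXPORTS_END
 */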
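Review bot: The `if ('script-src' in csp) ... else csp['script-src'] = [rule]` and the matching `script-src-elem` branches in sanitize_csp_header create the directive as `[rule]` whenever it is absent, which ignores the CSP fallback chain (script-src-elem → script-src → default-src): a page that ships only `default-src 'self'`, or only `script-src`, ends up with its own script sources missing from the newly created directive, so in the non-`block` path the function narrows the page's policy instead of merely allowing `rule`. Seeding the new list from the directive the browser would have fallen back to (an empty list when `block` is set, so the blocking path keeps its current effect) fixes this; the rewrite of those eight lines is below. When neither `script-src` nor `default-src` exists the page had no script restriction at all, and emitting `script-src rule` still narrows it, so the caller may want to decide that case explicitly. If `rule` is a nonce or hash source (the exported `gen_nonce` suggests so, but the hunk does not show it), browsers also stop honouring `'unsafe-inline'` once such a source is present, so inline page scripts can still break even after this change. The header comment should also say what the parameters are, e.g. `/* Rewrite a CSP header so that the script source expression in rule is allowed; with block set, also drop the page's own script sources and its reporting directives. */`.
```javascript
/* An absent directive inherits its fallback (script-src-elem -> script-src
   -> default-src); seed the new list from that fallback so adding `rule`
   does not silently drop the page's own script sources. With `block` the
   page's sources were deleted above and must stay gone. */
const base_src = block ? [] : (csp['script-src'] || csp['default-src'] || []);
const base_elem = block ? [] : (csp['script-src-elem'] || base_src);

csp['script-src'] = base_src.concat([rule]);
csp['script-src-elem'] = base_elem.concat([rule]);
// … unchanged: policy serialization and return …
```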
[UNTESTED- will test] Add filtering for http-equiv CSP headers