Revision 5b419aed
Added by jahoti about 2 years ago
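--- a/common/misc.js
+++ b/common/misc.js
@@ -173,6 +173,40 @@
     return directives;
 }
 
+/* Make CSP headers do our bidding, not interfere */
+function sanitize_csp_header(header, rule, block)
+{
+    const csp = parse_csp(header.value);
+
+    if (block) {
+        /* No snitching */
+        delete csp['report-to'];
+        delete csp['report-uri'];
+
+        delete csp['script-src'];
+        delete csp['script-src-elem'];
+
+        csp['script-src-attr'] = ["'none'"];
+        csp['prefetch-src'] = ["'none'"];
+    }
+
+    if ('script-src' in csp)
+        csp['script-src'].push(rule);
+    else
+        csp['script-src'] = [rule];
+
+    if ('script-src-elem' in csp)
+        csp['script-src-elem'].push(rule);
+    else
+        csp['script-src-elem'] = [rule];
+
+    const new_policy = Object.entries(csp).map(
+        i => `${i[0]} ${i[1].join(' ')};`
+    );
+
+    return {name: header.name, value: new_policy.join('')};
+}
+
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
@@ -184,6 +218,6 @@
  * EXPORT nice_name
  * EXPORT open_in_settings
  * EXPORT is_privileged_url
- * EXPORT parse_csp
+ * EXPORT sanitize_csp_header
  * EXPORTS_END
  */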
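Review bot: In the non-block path of sanitize_csp_header, the two `else` branches create `script-src` and `script-src-elem` containing only `rule`, which discards the CSP fallback chain (script-src-elem falls back to script-src, script-src to default-src) and so can tighten the page's policy even though `block` is false. For a page shipping `default-src 'self'` and no script-src, the result is `script-src <rule>; script-src-elem <rule>`, blocking the page's own script elements; the same happens for `script-src 'self'` without an explicit script-src-elem. If the intent of `block === false` is "keep the page's scripts and add ours", seed each directive from its fallback before appending, keeping the block branch's behaviour of starting from an empty list (see below). Appending `rule` to an existing list that is just `'none'` is also worth handling, since browsers treat `'none'` as ignored when other source expressions are present, which silently widens that policy. The header comment should also state what `rule` is expected to be (e.g. a `'nonce-…'` source expression) and that `block` strips reporting directives and replaces the script directives rather than extending them.
```javascript
    /* … unchanged: parse_csp call and block branch … */

    /* Seed from the CSP fallback chain so the page's own sources survive
       when not blocking; the block branch already removed script-src(-elem). */
    const base_src = block ? [] : (csp['script-src'] || csp['default-src'] || []);
    const base_elem = block ? [] : (csp['script-src-elem'] || base_src);
    csp['script-src'] = [...base_src, rule];
    csp['script-src-elem'] = [...base_elem, rule];

    /* … unchanged: new_policy serialization and return … */
```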
[UNTESTED- will test] Add filtering for http-equiv CSP headers