Revision 5dab077b
Added by jahoti about 2 years ago
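--- a/common/misc.js
+++ b/common/misc.js
@@ -146,6 +146,17 @@
 return {name: header.name, value: new_csp.join('')};
 }
 
+/* csp rule that blocks all scripts except for those injected by us */
+function make_csp_rule(policy)
+{
+let rule = "prefetch-src 'none'; ", nonce = `'nonce-${policy.nonce}'`;
+if (!policy.allow) {
+rule += `script-src ${nonce}; script-src-elem ${nonce}; ` +
+"script-src-attr 'none'; ";
+}
+return rule;
+}
+
 /* Regexes and objects to use as/in schemas for parse_json_with_schema(). */
 const nonempty_string_matcher = /.+/;
 
@@ -161,7 +172,7 @@
 /*
 * EXPORTS_START
 * EXPORT gen_nonce
-* EXPORT csp_rule
+* EXPORT make_csp_rule
 * EXPORT is_csp_header_name
 * EXPORT nice_name
 * EXPORT open_in_settings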
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.