Revision 5dab077b
Added by jahoti about 2 years ago
| common/misc.js | ||
|---|---|---|
| 146 | 146 |
return {name: header.name, value: new_csp.join('')};
|
| 147 | 147 |
} |
| 148 | 148 |
|
| 149 |
/* csp rule that blocks all scripts except for those injected by us */ |
|
| 150 |
function make_csp_rule(policy) |
|
| 151 |
{
|
|
| 152 |
let rule = "prefetch-src 'none'; ", nonce = `'nonce-${policy.nonce}'`;
|
|
| 153 |
if (!policy.allow) {
|
|
| 154 |
rule += `script-src ${nonce}; script-src-elem ${nonce}; ` +
|
|
| 155 |
"script-src-attr 'none'; "; |
|
| 156 |
} |
|
| 157 |
return rule; |
|
| 158 |
} |
|
| 159 |
|
|
| 149 | 160 |
/* Regexes and objects to use as/in schemas for parse_json_with_schema(). */ |
| 150 | 161 |
const nonempty_string_matcher = /.+/; |
| 151 | 162 |
|
| ... | ... | |
| 161 | 172 |
/* |
| 162 | 173 |
* EXPORTS_START |
| 163 | 174 |
* EXPORT gen_nonce |
| 164 |
* EXPORT csp_rule |
|
| 175 |
* EXPORT make_csp_rule
|
|
| 165 | 176 |
* EXPORT is_csp_header_name |
| 166 | 177 |
* EXPORT nice_name |
| 167 | 178 |
* EXPORT open_in_settings |
Also available in: Unified diff
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.