Revision 5dab077b
Added by jahoti about 2 years ago
content/main.js | ||
---|---|---|
17 | 17 |
* IMPORT is_chrome |
18 | 18 |
* IMPORT is_mozilla |
19 | 19 |
* IMPORT start_activity_info_server |
20 |
* IMPORT csp_rule |
|
20 |
* IMPORT make_csp_rule
|
|
21 | 21 |
* IMPORT is_csp_header_name |
22 | 22 |
* IMPORT sanitize_csp_header |
23 | 23 |
* IMPORTS_END |
... | ... | |
175 | 175 |
return; |
176 | 176 |
|
177 | 177 |
block_attribute(meta, "content"); |
178 |
|
|
179 |
if (is_csp_header_name(http_equiv, false)) |
|
180 |
meta.content = sanitize_csp_header({value}, policy).value; |
|
181 | 178 |
} |
182 | 179 |
|
183 | 180 |
function sanitize_script(script) |
... | ... | |
204 | 201 |
{ |
205 | 202 |
const meta = doc.createElement("meta"); |
206 | 203 |
meta.setAttribute("http-equiv", "Content-Security-Policy"); |
207 |
meta.setAttribute("content", csp_rule(policy.nonce));
|
|
204 |
meta.setAttribute("content", make_csp_rule(policy));
|
|
208 | 205 |
doc.head.append(meta); |
209 | 206 |
/* CSP is already in effect, we can remove the <meta> now. */ |
210 | 207 |
meta.remove(); |
... | ... | |
240 | 237 |
for (const meta of old_html.querySelectorAll("head meta")) |
241 | 238 |
sanitize_meta(meta, policy); |
242 | 239 |
|
243 |
for (const script of old_html.querySelectorAll("script")) |
|
244 |
sanitize_script(script, policy); |
|
240 |
if (!policy.allow) |
|
241 |
for (const script of old_html.querySelectorAll("script")) |
|
242 |
sanitize_script(script, policy); |
|
245 | 243 |
|
246 | 244 |
new_html.replaceWith(old_html); |
247 | 245 |
|
248 |
for (const script of old_html.querySelectorAll("script")) |
|
249 |
desanitize_script(script, policy); |
|
246 |
if (!policy.allow) |
|
247 |
for (const script of old_html.querySelectorAll("script")) |
|
248 |
desanitize_script(script, policy); |
|
250 | 249 |
} |
251 | 250 |
|
252 | 251 |
if (!is_privileged_url(document.URL)) { |
... | ... | |
282 | 281 |
} |
283 | 282 |
|
284 | 283 |
const doc_ready = Promise.all([ |
285 |
policy.allow ? Promise.resolve : sanitize_document(document, policy),
|
|
284 |
(policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy),
|
|
286 | 285 |
new Promise(cb => document.addEventListener("DOMContentLoaded", |
287 | 286 |
cb, {once: true})) |
288 | 287 |
]); |
Also available in: Unified diff
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.