Revision 5dab077b
Added by jahoti about 2 years ago
| content/main.js | ||
|---|---|---|
| 17 | 17 |
* IMPORT is_chrome |
| 18 | 18 |
* IMPORT is_mozilla |
| 19 | 19 |
* IMPORT start_activity_info_server |
| 20 |
* IMPORT csp_rule |
|
| 20 |
* IMPORT make_csp_rule
|
|
| 21 | 21 |
* IMPORT is_csp_header_name |
| 22 | 22 |
* IMPORT sanitize_csp_header |
| 23 | 23 |
* IMPORTS_END |
| ... | ... | |
| 175 | 175 |
return; |
| 176 | 176 |
|
| 177 | 177 |
block_attribute(meta, "content"); |
| 178 |
|
|
| 179 |
if (is_csp_header_name(http_equiv, false)) |
|
| 180 |
meta.content = sanitize_csp_header({value}, policy).value;
|
|
| 181 | 178 |
} |
| 182 | 179 |
|
| 183 | 180 |
function sanitize_script(script) |
| ... | ... | |
| 204 | 201 |
{
|
| 205 | 202 |
const meta = doc.createElement("meta");
|
| 206 | 203 |
meta.setAttribute("http-equiv", "Content-Security-Policy");
|
| 207 |
meta.setAttribute("content", csp_rule(policy.nonce));
|
|
| 204 |
meta.setAttribute("content", make_csp_rule(policy));
|
|
| 208 | 205 |
doc.head.append(meta); |
| 209 | 206 |
/* CSP is already in effect, we can remove the <meta> now. */ |
| 210 | 207 |
meta.remove(); |
| ... | ... | |
| 240 | 237 |
for (const meta of old_html.querySelectorAll("head meta"))
|
| 241 | 238 |
sanitize_meta(meta, policy); |
| 242 | 239 |
|
| 243 |
for (const script of old_html.querySelectorAll("script"))
|
|
| 244 |
sanitize_script(script, policy); |
|
| 240 |
if (!policy.allow) |
|
| 241 |
for (const script of old_html.querySelectorAll("script"))
|
|
| 242 |
sanitize_script(script, policy); |
|
| 245 | 243 |
|
| 246 | 244 |
new_html.replaceWith(old_html); |
| 247 | 245 |
|
| 248 |
for (const script of old_html.querySelectorAll("script"))
|
|
| 249 |
desanitize_script(script, policy); |
|
| 246 |
if (!policy.allow) |
|
| 247 |
for (const script of old_html.querySelectorAll("script"))
|
|
| 248 |
desanitize_script(script, policy); |
|
| 250 | 249 |
} |
| 251 | 250 |
|
| 252 | 251 |
if (!is_privileged_url(document.URL)) {
|
| ... | ... | |
| 282 | 281 |
} |
| 283 | 282 |
|
| 284 | 283 |
const doc_ready = Promise.all([ |
| 285 |
policy.allow ? Promise.resolve : sanitize_document(document, policy),
|
|
| 284 |
(policy.allow && !policy.has_payload) ? Promise.resolve : sanitize_document(document, policy),
|
|
| 286 | 285 |
new Promise(cb => document.addEventListener("DOMContentLoaded",
|
| 287 | 286 |
cb, {once: true}))
|
| 288 | 287 |
]); |
Also available in: Unified diff
Replace CSP filtering with blocking
CSP headers are now blocked completely rather than modified.
Also, filtering is applied whenever a payload is injected.