Revision 5fcc9808
Added by koszko about 2 years ago
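--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -26,27 +26,23 @@
 var storage;
 var query_best;
 
-const csp_header_names = {
-"content-security-policy" : true,
-"x-webkit-csp" : true,
-"x-content-security-policy" : true
-};
-
-const unwanted_csp_directives = {
-"report-to" : true,
-"report-uri" : true,
-"script-src" : true,
-"script-src-elem" : true,
-"prefetch-src": true
-};
+const csp_header_names = new Set([
+"content-security-policy",
+"x-webkit-csp",
+"x-content-security-policy"
+]);
+
+/* TODO: variable no longer in use; remove if not needed */
+const unwanted_csp_directives = new Set([
+"report-to",
+"report-uri",
+"script-src",
+"script-src-elem",
+"prefetch-src"
+]);
 
 const report_only = "content-security-policy-report-only";
 
-function not_csp_header(header)
-{
-return !csp_header_names[header.name.toLowerCase()];
-}
-
 function url_inject(details)
 {
 if (is_privileged_url(details.url))
@@ -86,18 +82,18 @@
 function process_csp_header(header, rule, block)
 {
 const csp = parse_csp(header.value);
-
+
 /* No snitching */
 delete csp['report-to'];
 delete csp['report-uri'];
-
+
 if (block) {
 delete csp['script-src'];
 delete csp['script-src-elem'];
 csp['script-src-attr'] = ["'none'"];
 csp['prefetch-src'] = ["'none'"];
 }
-
+
 if ('script-src' in csp)
 csp['script-src'].push(rule);
 else
@@ -107,12 +103,12 @@
 csp['script-src-elem'].push(rule);
 else
 csp['script-src-elem'] = [rule];
-
+
 const new_policy = Object.entries(csp).map(
-i => i[0] + ' ' + i[1].join(' ') + ';'
+i => `${i[0]} ${i[1].join(' ')};`
 );
-
-return {name: header.name, value: new_policy.join('')}
+
+return {name: header.name, value: new_policy.join('')};
 }
 
 function headers_inject(details)
@@ -128,13 +124,13 @@
 
 const rule = `'nonce-${targets.policy.nonce}'`;
 const block = !targets.policy.allow;
-
-for (let header of details.responseHeaders) {
-if (not_csp_header(header)) {
+
+for (const header of details.responseHeaders) {
+if (!csp_header_names.has(header)) {
 /* Retain all non-snitching headers */
 if (header.name.toLowerCase() !== report_only) {
 headers.push(header);
-
+
 /* If these are the original CSP headers, use them instead */
 /* Test based on url_extract_target() in misc.js */
 if (is_mozilla && header.name === "x-orig-csp") {
@@ -157,7 +153,7 @@
 }
 
 orig_csp_headers = csp_headers = null;
-for (let header of data)
+for (const header of data)
 headers.push(process_csp_header(header, rule, block));
 }
 }
@@ -166,7 +162,7 @@
 }
 if (is_mozilla && !orig_csp_headers)
 continue;
-
+
 csp_headers.push(process_csp_header(header, rule, block));
 if (is_mozilla)
 orig_csp_headers.push(header);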
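Review bot: `csp_header_names.has(header)` on new line 129 of headers_inject passes the whole header object to a Set of lowercase name strings, so the test is always true-negated and every response header, CSP ones included, takes the "retain as-is" branch; the removed `not_csp_header()` compared `header.name.toLowerCase()`, which is what the new check should do: `if (!csp_header_names.has(header.name.toLowerCase())) {`. As written, the site's original Content-Security-Policy passes through unmodified, so the `report-to`/`report-uri` stripping and the `script-src-attr 'none'` blocking in process_csp_header never apply and the `'nonce-…'` rule is never added to `script-src`, which presumably means the page's own CSP can refuse the injected script. Note that the lowercasing is needed because HTTP header names are case-insensitive while the Set entries are lowercase, and the same normalisation is already used for the `report_only` comparison two lines below. The enclosing headers_inject function continues past the hunk.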
code maintenance