Project

General

Profile

« Previous | Next » 

Revision 8b823e1a

Added by jahoti about 2 years ago

Revamp signatures and break header caching on FF

Signatures, instead of consisting of the secure salt followed by the unique
value generated from the URL, are now the unique value generated from the
policy value (which will follow them) succeeded by the URL.

CSP headers are now always cleared on FF, regardless of whether the page
is whitelisted or not. This means whitelisting takes effect on page reload,
rather than only when caching occurs. However, it obviously presents security
issues; refinment will occur in a future commit.

View differences:

common/misc.js
35 35 
function get_secure_salt()
36 36 
{
37 37 
    if (is_chrome)
38 
	return browser.runtime.getManifest().key.substring(0, 36);
38 
	return browser.runtime.getManifest().key.substring(0, 50);
39 39 
    else
40 
	return browser.runtime.getURL("dummy").substr(16, 36);
40 
	return browser.runtime.getURL("dummy");
41 41 
}
42 42 

  		




  43
  43
  
    
/*


  		




  ......




  107
  107
  
    
/* Extract any policy present in the URL */


  		




  108
  108
  
    
function url_extract_policy(url)


  		




  109
  109
  
    
{


  		




  
  110
  
    
    var policy_string;


  		




  110
  111
  
    
    const targets = url_extract_target(url);


  		




  111
  
  
    
    const key = '#' + get_secure_salt();


  		




  112
  
  
    
    targets.sig = key + gen_unique(targets.base_url);


  		




  113
  112
  
    
    


  		




  114
  
  
    
    if (targets.target && targets.target.startsWith(key)) {


  		




  115
  
  
    
	targets.signed = true;


  		




  116
  
  
    
	if (targets.target.startsWith(targets.sig))


  		




  117
  
  
    
	    try {


  		




  118
  
  
    
		const policy_string = targets.target.substring(101);


  		




  119
  
  
    
		targets.policy = JSON.parse(decodeURIComponent(policy_string));


  		




  120
  
  
    
	    } catch (e) {


  		




  121
  
  
    
		/* TODO what should happen here? */


  		




  122
  
  
    
	    }


  		




  
  113
  
    
    try {


  		




  
  114
  
    
	policy_string = targets.target.substring(65);


  		




  
  115
  
    
	targets.policy = JSON.parse(decodeURIComponent(policy_string));


  		




  
  116
  
    
    } catch (e) {


  		




  
  117
  
    
	/* TODO what should happen here? */


  		




  
  118
  
    
    }


  		




  
  119
  
    
    


  		




  
  120
  
    
    if (targets.policy) {


  		




  
  121
  
    
	const sig = gen_unique(policy_string + targets.base_url);


  		




  
  122
  
    
	targets.valid_sig = targets.target.substring(1, 65) === sig;


  		




  123
  123
  
    
    }


  		




  124
  124
  
    

  		




  125
  125
  
    
    return targets;


  		












Also available in:  Unified diff