|
1
|
/**
|
|
2
|
* This file is part of Haketilo.
|
|
3
|
*
|
|
4
|
* Function: Injecting policy to page by modifying HTTP headers.
|
|
5
|
*
|
|
6
|
* Copyright (C) 2021 Wojtek Kosior
|
|
7
|
* Copyright (C) 2021 jahoti
|
|
8
|
* Redistribution terms are gathered in the `copyright' file.
|
|
9
|
*/
|
|
10
|
|
|
11
|
/*
|
|
12
|
* IMPORTS_START
|
|
13
|
* IMPORT make_csp_rule
|
|
14
|
* IMPORT csp_header_regex
|
|
15
|
* Re-enable the import below once nonce stuff here is ready
|
|
16
|
* !mport gen_nonce
|
|
17
|
* IMPORTS_END
|
|
18
|
*/
|
|
19
|
|
|
20
|
function inject_csp_headers(headers, policy)
|
|
21
|
{
|
|
22
|
let csp_headers;
|
|
23
|
|
|
24
|
if (policy.payload) {
|
|
25
|
headers = headers.filter(h => !csp_header_regex.test(h.name));
|
|
26
|
|
|
27
|
// TODO: make CSP rules with nonces and facilitate passing them to
|
|
28
|
// content scripts via dynamic content script registration or
|
|
29
|
// synchronous XHRs
|
|
30
|
|
|
31
|
// policy.nonce = gen_nonce();
|
|
32
|
}
|
|
33
|
|
|
34
|
if (!policy.allow && (policy.nonce || !policy.payload)) {
|
|
35
|
headers.push({
|
|
36
|
name: "content-security-policy",
|
|
37
|
value: make_csp_rule(policy)
|
|
38
|
});
|
|
39
|
}
|
|
40
|
|
|
41
|
return headers;
|
|
42
|
}
|
|
43
|
|
|
44
|
/*
|
|
45
|
* EXPORTS_START
|
|
46
|
* EXPORT inject_csp_headers
|
|
47
|
* EXPORTS_END
|
|
48
|
*/
|