/ - Diff - Haketilo - Hydrilla issue tracker

« Previous | Next »

Revision 97b8e30f

Added by jahoti about 2 years ago

ID 97b8e30fadf0f1e1e0aeb9078ac333026d735270
Parent e402e036
Child 5fcc9808

Squash more CSP-filtering bugs

On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp
header to prevent re-processing issues with caching. Additionally, a default
header is added for non-whitelisted domains in case there are no existing
headers we can attach to.

      * IMPORT get_storage
      * IMPORT browser
      * IMPORT is_chrome
      * IMPORT is_mozilla
      * IMPORT gen_unique
      * IMPORT gen_nonce
      * IMPORT is_privileged_url
-...
         "prefetch-src": true
     };
     const header_name = "content-security-policy";
     const report_only = "content-security-policy-report-only";
     function not_csp_header(header)
+    {
-...
         };
+    }
     function process_csp_header(header, rule, block)
+    {
         const csp = parse_csp(header.value);
         /* No snitching */
         delete csp['report-to'];
         delete csp['report-uri'];
         if (block) {
     	delete csp['script-src'];
     	delete csp['script-src-elem'];
     	csp['script-src-attr'] = ["'none'"];
     	csp['prefetch-src'] = ["'none'"];
+        }
         if ('script-src' in csp)
     	csp['script-src'].push(rule);
         else
     	csp['script-src'] = [rule];
         if ('script-src-elem' in csp)
     	csp['script-src-elem'].push(rule);
         else
     	csp['script-src-elem'] = [rule];
         const new_policy = Object.entries(csp).map(
     	i => i[0] + ' ' + i[1].join(' ') + ';'
         );
         return {name: header.name, value: new_policy.join('')}
+    }
     function headers_inject(details)
+    {
         const targets = url_extract_target(details.url);
-...
         if (!targets.current)
     	return {cancel: true};
         const headers = [];
         let orig_csp_headers = is_chrome ? null : [];
         let headers = [];
         let csp_headers = is_chrome ? headers : [];
         const rule = `'nonce-${targets.policy.nonce}'`;
         const block = !targets.policy.allow;
         for (let header of details.responseHeaders) {
     	if (not_csp_header(header)) {
     	    /* Retain all non-snitching headers */
     	    if (header.name.toLowerCase() !==
     	        'content-security-policy-report-only')
     	    if (header.name.toLowerCase() !== report_only) {
     		headers.push(header);
     		/* If these are the original CSP headers, use them instead */
     		/* Test based on url_extract_target() in misc.js */
     		if (is_mozilla && header.name === "x-orig-csp") {
     		    let index = header.value.indexOf('%5B');
     		    if (index === -1)
     			continue;
     		    let sig = header.value.substring(0, index);
     		    let data = header.value.substring(index);
     		    if (sig !== sign_policy(data, 0))
     			continue;
     		    /* Confirmed- it's the originals, smuggled in! */
     		    try {
     			data = JSON.parse(decodeURIComponent(data));
     		    } catch (e) {
     			/* This should not be reached -
     			   it's our self-produced valid JSON. */
     			console.log("Unexpected internal error - invalid JSON smuggled!", e);
+    		    }
     		    orig_csp_headers = csp_headers = null;
     		    for (let header of data)
     			headers.push(process_csp_header(header, rule, block));
+    		}
+    	    }
     	    continue;
+    	}
     	const csp = parse_csp(header.value);
     	const rule = `'nonce-${targets.policy.nonce}'`
     	/* TODO: confirm deleting non-existent things is OK everywhere */
     	/* No snitching or prefetching/rendering */
     	delete csp['report-to'];
     	delete csp['report-uri'];
     	if (!targets.policy.allow) {
     	    delete csp['script-src'];
     	    delete csp['script-src-elem'];
     	    csp['script-src-attr'] = ["'none'"];
     	    csp['prefetch-src'] = ["'none'"];
+    	}
     	if ('script-src' in csp)
     	    csp['script-src'].push(rule);
     	else
     	    csp['script-src'] = [rule];
     	if ('script-src-elem' in csp)
     	    csp['script-src-elem'].push(rule);
     	else
     	    csp['script-src-elem'] = [rule];
     	/* TODO: is this safe */
     	let new_policy = Object.entries(csp).map(
     	    i => i[0] + ' ' + i[1].join(' ') + ';'
     	);
     	if (is_mozilla && !orig_csp_headers)
     	    continue;
     	headers.push({name: header.name, value: new_policy.join('')});
     	csp_headers.push(process_csp_header(header, rule, block));
     	if (is_mozilla)
     	    orig_csp_headers.push(header);
+        }
         if (orig_csp_headers) {
     	/** Smuggle in the original CSP headers for future use.
     	  * These are signed with a time of 0, as it's not clear there
     	  * is a limit on how long Firefox might retain these headers in
     	  * the cache.
     	  */
     	orig_csp_headers = encodeURIComponent(JSON.stringify(orig_csp_headers));
     	headers.push({
     	    name: "x-orig-csp",
     	    value: sign_policy(orig_csp_headers, 0) + orig_csp_headers
     	});
     	headers = headers.concat(csp_headers);
+        }
         /* To ensure there is a CSP header if required */
         if (block) {
     	headers.push({
     	    name: "content-security-policy",
     	    value: `script-src ${rule}; script-src-elem ${rule}; ` +
     		"script-src-attr 'none'; prefetch-src 'none';"
     	});
+        }
         return {responseHeaders: headers};

Also available in: Unified diff

Project

General

Profile

Haketilo

Revision 97b8e30f

Added by jahoti about 2 years ago