Revision cd5272ac
Added by koszko about 2 years ago
| background/policy_injector.js | ||
|---|---|---|
| 14 | 14 |
* IMPORT gen_unique |
| 15 | 15 |
* IMPORT url_item |
| 16 | 16 |
* IMPORT get_query_best |
| 17 |
* IMPORT csp_rule |
|
| 17 | 18 |
* IMPORTS_END |
| 18 | 19 |
*/ |
| 19 | 20 |
|
| ... | ... | |
| 40 | 41 |
if (settings !== undefined && settings.allow) |
| 41 | 42 |
return {cancel : false};
|
| 42 | 43 |
|
| 43 |
let nonce = gen_unique(url).substring(1);
|
|
| 44 |
let nonce = gen_unique(url); |
|
| 44 | 45 |
let headers = details.responseHeaders.filter(is_noncsp_header); |
| 45 | 46 |
|
| 46 |
let rule = `script-src 'nonce-${nonce}';`;
|
|
| 47 |
if (is_chrome) |
|
| 48 |
rule += `script-src-elem 'nonce-${nonce}';`;
|
|
| 49 |
|
|
| 50 | 47 |
headers.push({
|
| 51 | 48 |
name : "content-security-policy", |
| 52 |
value : rule
|
|
| 49 |
value : csp_rule(nonce)
|
|
| 53 | 50 |
}); |
| 54 | 51 |
|
| 55 | 52 |
return {responseHeaders: headers};
|
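Review bot: The value passed to `csp_rule(nonce)` on new line 49 is `gen_unique(url)` from line 44, a hash of the URL plus the salt returned by `get_secure_salt()` in common/misc.js; on Chrome that salt is the manifest `key`, the extension's public key, which ships with the extension and is not secret, so the CSP nonce is reproducible from the page URL rather than being an unpredictable per-response value. The misc.js comment that the value is "impossible to guess for a malicious website" therefore holds at best on the Firefox path (`browser.runtime.getURL("dummy")` embeds what is, as far as I know, a per-installation random UUID), and I would narrow that comment and treat the nonce as URL-bound rather than secret; the same value is used for the `<meta>` policy in content/main.js (new line 118). Note also that the header list on line 45 was already filtered with `is_noncsp_header`, so the pushed header replaces the site's own policy instead of tightening it. The enclosing listener starts before and ends after this hunk.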
| common/gen_unique.js | ||
|---|---|---|
| 1 |
/** |
|
| 2 |
* Myext generating unique, per-site hash |
|
| 3 |
* |
|
| 4 |
* Copyright (C) 2021 Wojtek Kosior |
|
| 5 |
* Redistribution terms are gathered in the `copyright' file. |
|
| 6 |
*/ |
|
| 7 |
|
|
| 8 |
/* |
|
| 9 |
* IMPORTS_START |
|
| 10 |
* IMPORT sha256 |
|
| 11 |
* IMPORT browser |
|
| 12 |
* IMPORT is_chrome |
|
| 13 |
* IMPORTS_END |
|
| 14 |
*/ |
|
| 15 |
|
|
| 16 |
function get_id() |
|
| 17 |
{
|
|
| 18 |
if (is_chrome) |
|
| 19 |
return browser.runtime.getManifest().key.substring(0, 50); |
|
| 20 |
else |
|
| 21 |
return browser.runtime.getURL("dummy");
|
|
| 22 |
} |
|
| 23 |
|
|
| 24 |
function gen_unique(url) |
|
| 25 |
{
|
|
| 26 |
return "#" + sha256(get_id() + url); |
|
| 27 |
} |
|
| 28 |
|
|
| 29 |
/* |
|
| 30 |
* EXPORTS_START |
|
| 31 |
* EXPORT gen_unique |
|
| 32 |
* EXPORTS_END |
|
| 33 |
*/ |
|
| common/misc.js | ||
|---|---|---|
| 1 |
/** |
|
| 2 |
* Myext miscellaneous operations refactored to a separate file |
|
| 3 |
* |
|
| 4 |
* Copyright (C) 2021 Wojtek Kosior |
|
| 5 |
* Redistribution terms are gathered in the `copyright' file. |
|
| 6 |
*/ |
|
| 7 |
|
|
| 8 |
/* |
|
| 9 |
* IMPORTS_START |
|
| 10 |
* IMPORT sha256 |
|
| 11 |
* IMPORT browser |
|
| 12 |
* IMPORT is_chrome |
|
| 13 |
* IMPORTS_END |
|
| 14 |
*/ |
|
| 15 |
|
|
| 16 |
/* |
|
| 17 |
* generating unique, per-site value that can be computed synchronously |
|
| 18 |
* and is impossible to guess for a malicious website |
|
| 19 |
*/ |
|
| 20 |
function gen_unique(url) |
|
| 21 |
{
|
|
| 22 |
return sha256(get_secure_salt() + url); |
|
| 23 |
} |
|
| 24 |
|
|
| 25 |
function get_secure_salt() |
|
| 26 |
{
|
|
| 27 |
if (is_chrome) |
|
| 28 |
return browser.runtime.getManifest().key.substring(0, 50); |
|
| 29 |
else |
|
| 30 |
return browser.runtime.getURL("dummy");
|
|
| 31 |
} |
|
| 32 |
|
|
| 33 |
/* |
|
| 34 |
* stripping url from query and target (everything after `#' or `?' |
|
| 35 |
* gets removed) |
|
| 36 |
*/ |
|
| 37 |
function url_item(url) |
|
| 38 |
{
|
|
| 39 |
let url_re = /^([^?#]*).*$/; |
|
| 40 |
let match = url_re.exec(url); |
|
| 41 |
return match[1]; |
|
| 42 |
} |
|
| 43 |
|
|
| 44 |
/* csp rule that blocks all scripts except for those injected by us */ |
|
| 45 |
function csp_rule(nonce) |
|
| 46 |
{
|
|
| 47 |
let rule = `script-src 'nonce-${nonce}';`;
|
|
| 48 |
if (is_chrome) |
|
| 49 |
rule += `script-src-elem 'nonce-${nonce}';`;
|
|
| 50 |
return rule; |
|
| 51 |
} |
|
| 52 |
|
|
| 53 |
/* |
|
| 54 |
* EXPORTS_START |
|
| 55 |
* EXPORT gen_unique |
|
| 56 |
* EXPORT url_item |
|
| 57 |
* EXPORT csp_rule |
|
| 58 |
* EXPORTS_END |
|
| 59 |
*/ |
|
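Review bot: `url_item` (new lines 37-42) dereferences `match[1]` without checking for `null`; because the regex has no `s` flag, `.*` cannot cross a line terminator, so a string containing `?` or `#` followed by a newline makes `exec` return `null` and the function throws a TypeError. A form that cannot fail is `const idx = url.search(/[?#]/); return idx === -1 ? url : url.slice(0, idx);`. Separately, `get_secure_salt` (line 28) calls `.substring` on `getManifest().key`; as far as I recall the `key` field is optional in Chrome manifests, so an unpacked build without it would throw here and a guard or fallback is worth considering. The `csp_rule` comment on line 44 would be more precise as `/* csp rule that allows only scripts carrying this nonce */`, since the rule admits anything presenting the nonce, not only what we inject.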
| common/url_item.js | ||
|---|---|---|
| 1 |
/** |
|
| 2 |
* Myext stripping url from query and target |
|
| 3 |
* |
|
| 4 |
* Copyright (C) 2021 Wojtek Kosior |
|
| 5 |
* Redistribution terms are gathered in the `copyright' file. |
|
| 6 |
*/ |
|
| 7 |
|
|
| 8 |
function url_item(url) |
|
| 9 |
{
|
|
| 10 |
let url_re = /^([^?#]*).*$/; |
|
| 11 |
let match = url_re.exec(url); |
|
| 12 |
return match[1]; |
|
| 13 |
} |
|
| 14 |
|
|
| 15 |
/* |
|
| 16 |
* EXPORTS_START |
|
| 17 |
* EXPORT url_item |
|
| 18 |
* EXPORTS_END |
|
| 19 |
*/ |
|
| content/main.js | ||
|---|---|---|
| 10 | 10 |
* IMPORT handle_page_actions |
| 11 | 11 |
* IMPORT url_item |
| 12 | 12 |
* IMPORT gen_unique |
| 13 |
* IMPORT csp_rule |
|
| 13 | 14 |
* IMPORT sanitize_attributes |
| 14 | 15 |
* IMPORT script_suppressor |
| 15 | 16 |
* IMPORT is_chrome |
| ... | ... | |
| 30 | 31 |
|
| 31 | 32 |
let url = url_item(document.URL); |
| 32 | 33 |
let unique = gen_unique(url); |
| 33 |
let nonce = unique.substring(1); |
|
| 34 | 34 |
|
| 35 |
const suppressor = script_suppressor(nonce);
|
|
| 35 |
const suppressor = script_suppressor(unique);
|
|
| 36 | 36 |
|
| 37 | 37 |
function needs_blocking() |
| 38 | 38 |
{
|
| ... | ... | |
| 46 | 46 |
let second_target = match[4]; |
| 47 | 47 |
|
| 48 | 48 |
if (first_target !== undefined && |
| 49 |
first_target === unique) {
|
|
| 49 |
first_target === '#' + unique) {
|
|
| 50 | 50 |
if (second_target !== undefined) |
| 51 | 51 |
window.location.href = base_url + second_target; |
| 52 | 52 |
else |
| ... | ... | |
| 115 | 115 |
|
| 116 | 116 |
let meta = document.createElement("meta");
|
| 117 | 117 |
meta.setAttribute("http-equiv", "Content-Security-Policy");
|
| 118 |
|
|
| 119 |
let rule = `script-src 'nonce-${nonce}'; `;
|
|
| 120 |
if (is_chrome) |
|
| 121 |
rule += `script-src-elem 'nonce-${nonce}';`;
|
|
| 122 |
|
|
| 123 |
meta.setAttribute("content", rule);
|
|
| 118 |
meta.setAttribute("content", csp_rule(unique));
|
|
| 124 | 119 |
|
| 125 | 120 |
if (head.firstElementChild === null) |
| 126 | 121 |
head.appendChild(meta); |
| ... | ... | |
| 144 | 139 |
addEventListener('beforescriptexecute', suppressor, true);
|
| 145 | 140 |
} |
| 146 | 141 |
|
| 147 |
handle_page_actions(nonce); |
|
| 142 |
handle_page_actions(unique); |
|
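Review bot: With the `nonce` variable removed, `unique` (new line 33) now plays three roles in this file — the CSP nonce handed to `script_suppressor` on line 35 and to `csp_rule` on line 118, the `'#' + unique` fragment marker compared on line 49, and the token passed to `handle_page_actions` on line 142 — and nothing states that it is intentionally the same deterministic per-URL value that background/policy_injector.js derives for the response header. I would add at line 33: `// deterministic per-URL value; must equal what background/policy_injector.js derives for the CSP header nonce`. Both `needs_blocking` and the block around line 118 extend past the hunk boundaries.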
refactor 3 miscellaneous functionalities into their own single file