
Revision d09b7ee1

Added by koszko about 2 years ago

sanitize `' tags containing CSP rules under Chromium

This commit adds a mechanism for hijacking the document when it loads and injecting sanitized nodes into the DOM from the content script.


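--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -18,19 +18,12 @@
  * IMPORT query_best
  * IMPORT sanitize_csp_header
  * IMPORT csp_rule
+ * IMPORT is_csp_header_name
  * IMPORTS_END
  */
 
 var storage;
 
-const csp_header_names = new Set([
-    "content-security-policy",
-    "x-webkit-csp",
-    "x-content-security-policy"
-]);
-
-const report_only = "content-security-policy-report-only";
-
 function headers_inject(details)
 {
     const url = details.url;
@@ -40,7 +33,6 @@
     const [pattern, settings] = query_best(storage, url);
     const allow = !!(settings && settings.allow);
     const nonce = gen_nonce();
-    const rule = `'nonce-${nonce}'`;
 
     let orig_csp_headers;
     let old_signature;
@@ -70,20 +62,19 @@
     }
 
     orig_csp_headers = orig_csp_headers ||
-	headers.filter(h => csp_header_names.has(h.name.toLowerCase()));
-    headers = headers.filter(h => !csp_header_names.has(h.name.toLowerCase()));
+	headers.filter(h => is_csp_header_name(h.name));
 
-    /* Remove headers that only snitch on us */
-    if (!allow)
-	headers = headers.filter(h => h.name.toLowerCase() !== report_only);
+    /* When blocking remove report-only CSP headers that snitch on us. */
+    headers = headers.filter(h => !is_csp_header_name(h.name, !allow));
 
     if (old_signature)
 	headers = headers.filter(h => h.name.search(old_signature) === -1);
 
-    const sanitizer = h => sanitize_csp_header(h, rule, allow);
+    const policy_object = {allow, nonce, url};
+    const sanitizer = h => sanitize_csp_header(h, policy_object);
     headers.push(...orig_csp_headers.map(sanitizer));
 
-    const policy = encodeURIComponent(JSON.stringify({allow, nonce, url}));
+    const policy = encodeURIComponent(JSON.stringify(policy_object));
     const policy_signature = sign_data(policy, new Date());
     const later_30sec = new Date(new Date().getTime() + 30000).toGMTString();
     headers.push({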
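Review bot: `policy_object` on new line 73 is handed to `sanitize_csp_header` once per original CSP header and only afterwards serialized and signed on line 77, so if the sanitizer mutates that object the signed policy would no longer describe the values the headers were actually rewritten with; `sanitize_csp_header` is not visible here, so whether it mutates its argument is an assumption to confirm. Freezing it, `const policy_object = Object.freeze({allow, nonce, url});`, or computing `policy` before the `map` call pins the signed value to what the sanitizer saw. The call on line 68 would also benefit from a comment, since the meaning of passing `!allow` as the second argument is not evident from the call site, e.g. `/* second argument appears to widen the match to report-only headers when blocking — confirm against is_csp_header_name */`. headers_inject continues past the end of this hunk.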
