Revision d09b7ee1
Added by koszko about 2 years ago
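--- a/common/misc.js
+++ b/common/misc.js
@@ -78,6 +78,23 @@
 return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
 }
 
+/* Check if some HTTP header might define CSP rules. */
+const csp_header_names = new Set([
+"content-security-policy",
+"x-webkit-csp",
+"x-content-security-policy"
+]);
+
+const report_only_header_name = "content-security-policy-report-only";
+
+function is_csp_header_name(string, include_report_only)
+{
+string = string && string.toLowerCase() || "";
+
+return (include_report_only && string === report_only_header_name) ||
+csp_header_names.has(string);
+}
+
 /*
 * Print item together with type, e.g.
 * nice_name("s", "hello") → "hello (script)"
@@ -127,11 +144,12 @@
 }
 
 /* Make CSP headers do our bidding, not interfere */
-function sanitize_csp_header(header, rule, allow)
+function sanitize_csp_header(header, policy)
 {
+const rule = `'nonce-${policy.nonce}'`;
 const csp = parse_csp(header.value);
 
-if (!allow) {
+if (!policy.allow) {
 /* No snitching */
 delete csp['report-to'];
 delete csp['report-uri'];
@@ -153,11 +171,11 @@
 else
 csp['script-src-elem'] = [rule];
 
-const new_policy = Object.entries(csp).map(
+const new_csp = Object.entries(csp).map(
 i => `${i[0]} ${i[1].join(' ')};`
 );
 
-return {name: header.name, value: new_policy.join('')};
+return {name: header.name, value: new_csp.join('')};
 }
 
 /* Regexes and objest to use as/in schemas for parse_json_with_schema(). */
@@ -178,6 +196,7 @@
 * EXPORT extract_signed
 * EXPORT sign_data
 * EXPORT csp_rule
+* EXPORT is_csp_header_name
 * EXPORT nice_name
 * EXPORT open_in_settings
 * EXPORT is_privileged_url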
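Review bot: In `sanitize_csp_header`, the added ``const rule = `'nonce-${policy.nonce}'`;`` (new line 149) interpolates `policy.nonce` without checking it, so a policy object that lacks a nonce would produce the literal source `'nonce-undefined'`, a predictable value that page markup could match. The branches that use `rule` lie partly outside the visible hunks (new lines 156–170 are not shown), so I cannot tell whether a nonce-less policy can reach them. If it can, fail closed with something like ``const rule = policy.nonce ? `'nonce-${policy.nonce}'` : "'none'";``. A short comment on the function naming the fields of `policy` it reads (`allow`, `nonce`) would also help, since the new signature no longer shows them.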
sanitize `<meta>' tags containing CSP rules under Chromium
This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.