Project

General

Profile

« Previous | Next » 

Revision d09b7ee1

Added by koszko about 2 years ago

sanitize `' tags containing CSP rules under Chromium

This commit adds a mechanism of hijacking document when it loads and injecting sanitized nodes to the DOM from the level of content script.

View differences:

common/misc.js
78 78 
    return `script-src ${rule}; script-src-elem ${rule}; script-src-attr 'none'; prefetch-src 'none';`;
79 79 
}
80 80 

  		




  
  81
  
    
/* Check if some HTTP header might define CSP rules. */


  		




  
  82
  
    
const csp_header_names = new Set([


  		




  
  83
  
    
    "content-security-policy",


  		




  
  84
  
    
    "x-webkit-csp",


  		




  
  85
  
    
    "x-content-security-policy"


  		




  
  86
  
    
]);


  		




  
  87
  
    

  		




  
  88
  
    
const report_only_header_name = "content-security-policy-report-only";


  		




  
  89
  
    

  		




  
  90
  
    
function is_csp_header_name(string, include_report_only)


  		




  
  91
  
    
{


  		




  
  92
  
    
    string = string && string.toLowerCase() || "";


  		




  
  93
  
    

  		




  
  94
  
    
    return (include_report_only && string === report_only_header_name) ||


  		




  
  95
  
    
	csp_header_names.has(string);


  		




  
  96
  
    
}


  		




  
  97
  
    

  		




  81
  98
  
    
/*


  		




  82
  99
  
    
 * Print item together with type, e.g.


  		




  83
  100
  
    
 * nice_name("s", "hello") → "hello (script)"


  		




  ......




  127
  144
  
    
}


  		




  128
  145
  
    

  		




  129
  146
  
    
/* Make CSP headers do our bidding, not interfere */


  		




  130
  
  
    
function sanitize_csp_header(header, rule, allow)


  		




  
  147
  
    
function sanitize_csp_header(header, policy)


  		




  131
  148
  
    
{


  		




  
  149
  
    
    const rule = `'nonce-${policy.nonce}'`;


  		




  132
  150
  
    
    const csp = parse_csp(header.value);


  		




  133
  151
  
    

  		




  134
  
  
    
    if (!allow) {


  		




  
  152
  
    
    if (!policy.allow) {


  		




  135
  153
  
    
	/* No snitching */


  		




  136
  154
  
    
	delete csp['report-to'];


  		




  137
  155
  
    
	delete csp['report-uri'];


  		




  ......




  153
  171
  
    
    else


  		




  154
  172
  
    
	csp['script-src-elem'] = [rule];


  		




  155
  173
  
    

  		




  156
  
  
    
    const new_policy = Object.entries(csp).map(


  		




  
  174
  
    
    const new_csp = Object.entries(csp).map(


  		




  157
  175
  
    
	i => `${i[0]} ${i[1].join(' ')};`


  		




  158
  176
  
    
    );


  		




  159
  177
  
    

  		




  160
  
  
    
    return {name: header.name, value: new_policy.join('')};


  		




  
  178
  
    
    return {name: header.name, value: new_csp.join('')};


  		




  161
  179
  
    
}


  		




  162
  180
  
    

  		




  163
  181
  
    
/* Regexes and objest to use as/in schemas for parse_json_with_schema(). */


  		




  ......




  178
  196
  
    
 * EXPORT extract_signed


  		




  179
  197
  
    
 * EXPORT sign_data


  		




  180
  198
  
    
 * EXPORT csp_rule


  		




  
  199
  
    
 * EXPORT is_csp_header_name


  		




  181
  200
  
    
 * EXPORT nice_name


  		




  182
  201
  
    
 * EXPORT open_in_settings


  		




  183
  202
  
    
 * EXPORT is_privileged_url


  		












Also available in:  Unified diff