Revision dcfc78b0
Added by jahoti about 2 years ago
| content/main.js | ||
|---|---|---|
| 2 | 2 |
* Myext main content script run in all frames |
| 3 | 3 |
* |
| 4 | 4 |
* Copyright (C) 2021 Wojtek Kosior |
| 5 |
* Copyright (C) 2021 jahoti |
|
| 5 | 6 |
* Redistribution terms are gathered in the `copyright' file. |
| 6 | 7 |
*/ |
| 7 | 8 |
|
| 8 | 9 |
/* |
| 9 | 10 |
* IMPORTS_START |
| 11 |
* IMPORT CONNECTION_TYPE |
|
| 10 | 12 |
* IMPORT handle_page_actions |
| 11 | 13 |
* IMPORT url_item |
| 12 | 14 |
* IMPORT url_extract_target |
| 13 | 15 |
* IMPORT gen_unique |
| 16 |
* IMPORT gen_nonce |
|
| 14 | 17 |
* IMPORT csp_rule |
| 15 | 18 |
* IMPORT is_privileged_url |
| 16 | 19 |
* IMPORT sanitize_attributes |
| ... | ... | |
| 113 | 116 |
|
| 114 | 117 |
let meta = document.createElement("meta");
|
| 115 | 118 |
meta.setAttribute("http-equiv", "Content-Security-Policy");
|
| 116 |
meta.setAttribute("content", csp_rule(unique));
|
|
| 119 |
meta.setAttribute("content", csp_rule(nonce));
|
|
| 117 | 120 |
|
| 118 | 121 |
if (head.firstElementChild === null) |
| 119 | 122 |
head.appendChild(meta); |
| ... | ... | |
| 123 | 126 |
|
| 124 | 127 |
if (!is_privileged_url(document.URL)) {
|
| 125 | 128 |
start_activity_info_server(); |
| 126 |
handle_page_actions(unique);
|
|
| 129 |
var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
|
|
| 127 | 130 |
|
| 128 | 131 |
if (is_http()) {
|
| 129 |
/* rely on CSP injected through webRequest */ |
|
| 132 |
/* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */ |
|
| 133 |
const nonce_capturer = msg => {
|
|
| 134 |
port.onMessage.removeListener(nonce_capturer); |
|
| 135 |
handle_page_actions(msg[1], port); |
|
| 136 |
}; |
|
| 137 |
|
|
| 138 |
port.onMessage.addListener(nonce_capturer); |
|
| 139 |
|
|
| 130 | 140 |
} else if (is_whitelisted()) {
|
| 131 |
/* do not block scripts at all */ |
|
| 141 |
/* do not block scripts at all; as a result, there is no need for a green-lighted nonce */ |
|
| 142 |
handle_page_actions(null, port); |
|
| 132 | 143 |
} else {
|
| 144 |
nonce = gen_nonce(); |
|
| 145 |
handle_page_actions(nonce, port); |
|
| 133 | 146 |
block_nodes_recursively(document.documentElement); |
| 134 | 147 |
|
| 135 | 148 |
if (is_chrome) {
|
Also available in: Unified diff
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores them by tab and frame IDs. In order to
support the increased variance in nonce-generating methods and allow them to
be loaded from the background, handle_page_actions is now invoked separately
according to (non-)blocking mechanism.