Revision dcfc78b0
Added by jahoti about 2 years ago
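--- a/content/main.js
+++ b/content/main.js
@@ -2,15 +2,18 @@
 * Myext main content script run in all frames
 *
 * Copyright (C) 2021 Wojtek Kosior
+* Copyright (C) 2021 jahoti
 * Redistribution terms are gathered in the `copyright' file.
 */
 
 /*
 * IMPORTS_START
+* IMPORT CONNECTION_TYPE
 * IMPORT handle_page_actions
 * IMPORT url_item
 * IMPORT url_extract_target
 * IMPORT gen_unique
+* IMPORT gen_nonce
 * IMPORT csp_rule
 * IMPORT is_privileged_url
 * IMPORT sanitize_attributes
@@ -113,7 +116,7 @@
 
 let meta = document.createElement("meta");
 meta.setAttribute("http-equiv", "Content-Security-Policy");
-meta.setAttribute("content", csp_rule(unique));
+meta.setAttribute("content", csp_rule(nonce));
 
 if (head.firstElementChild === null)
 head.appendChild(meta);
@@ -123,13 +126,23 @@
 
 if (!is_privileged_url(document.URL)) {
 start_activity_info_server();
-handle_page_actions(unique);
+var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
 
 if (is_http()) {
-/* rely on CSP injected through webRequest */
+/* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */
+const nonce_capturer = msg => {
+port.onMessage.removeListener(nonce_capturer);
+handle_page_actions(msg[1], port);
+};
+
+port.onMessage.addListener(nonce_capturer);
+
 } else if (is_whitelisted()) {
-/* do not block scripts at all */
+/* do not block scripts at all; as a result, there is no need for a green-lighted nonce */
+handle_page_actions(null, port);
 } else {
+nonce = gen_nonce();
+handle_page_actions(nonce, port);
 block_nodes_recursively(document.documentElement);
 
 if (is_chrome) {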
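Review bot: `nonce_capturer` (new lines 133-136) accepts whatever message arrives first on the port as the nonce: it unregisters itself and passes `msg[1]` to `handle_page_actions` without checking the message's shape. The message layout is not visible in this hunk, but if the background ever sends anything else first, or a malformed array, page actions would be set up with an `undefined` or wrong nonce and nothing would wait for the real one. A guard ahead of `removeListener`, such as `if (!Array.isArray(msg) || typeof msg[1] !== "string" || msg[1] === "") return;`, ideally also comparing `msg[0]` with the expected tag, keeps the listener in place until a well-formed nonce message arrives. Relatedly, `nonce` is declared with `var` inside the `if` block at new line 129 and appears to be the variable read by `csp_rule(nonce)` at new line 119, which only works through hoisting and leaves it `undefined` on the HTTP and whitelisted paths. A scope-level `let nonce;` with a comment naming the one branch that sets it would make that dependency explicit; the enclosing block continues outside the hunk.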
Stop using the nonce consistently for a URL
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages)
or by a background module which stores them by tab and frame IDs. In order to
support the increased variance in nonce-generating methods and allow them to
be loaded from the background, handle_page_actions is now invoked separately
according to the (non-)blocking mechanism in use.