Haketilo

/**

 * Hachette injecting policy to page using webRequest

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Copyright (C) 2021 jahoti

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT TYPE_PREFIX

 * IMPORT get_storage

 * IMPORT browser

 * IMPORT is_chrome

 * IMPORT gen_unique

 * IMPORT gen_nonce

 * IMPORT is_privileged_url

 * IMPORT url_extract_target

 * IMPORT sign_policy

 * IMPORT get_query_best

 * IMPORT parse_csp

 * IMPORTS_END

 */

var storage;

var query_best;

const csp_header_names = {

    "content-security-policy" : true,

    "x-webkit-csp" : true,

    "x-content-security-policy" : true

};

const unwanted_csp_directives = {

    "report-to" : true,

    "report-uri" : true,

    "script-src" : true,

    "script-src-elem" : true,

    "prefetch-src": true

};

const header_name = "content-security-policy";

function not_csp_header(header)

{

    return !csp_header_names[header.name.toLowerCase()];

}

function url_inject(details)

{

    if (is_privileged_url(details.url))

	return;

    const targets = url_extract_target(details.url);

    if (targets.current)

	return;

    /* Redirect; update policy */

    if (targets.policy)

	targets.target = "";

    let [pattern, settings] = query_best(targets.base_url);

    /* Defaults */

    if (!pattern)

	settings = {};

    const policy = encodeURIComponent(

	JSON.stringify({

	    allow: settings.allow,

	    nonce: gen_nonce(),

	    base_url: targets.base_url

	})

    );

    return {

	redirectUrl: [

	    targets.base_url,

	    '#', sign_policy(policy, new Date()), policy,

	    targets.target,

	    targets.target2

	].join("")

    };

}

function headers_inject(details)

{

    const targets = url_extract_target(details.url);

    /* Block mis-/unsigned requests */

    if (!targets.current)

	return {cancel: true};

    const headers = [];

    for (let header of details.responseHeaders) {

	if (not_csp_header(header)) {

	    /* Retain all non-snitching headers */

	    if (header.name.toLowerCase() !==

	        'content-security-policy-report-only')

		headers.push(header);

	    continue;

	}

	const csp = parse_csp(header.value);

	const rule = `'nonce-${targets.policy.nonce}'`

	/* TODO: confirm deleting non-existent things is OK everywhere */

	/* No snitching or prefetching/rendering */

	delete csp['report-to'];

	delete csp['report-uri'];

	if (!targets.policy.allow) {

	    delete csp['script-src'];

	    delete csp['script-src-elem'];

	    csp['script-src-attr'] = ["'none'"];

	    csp['prefetch-src'] = ["'none'"];

	}

	if ('script-src' in csp)

	    csp['script-src'].push(rule);

	else

	    csp['script-src'] = [rule];

	if ('script-src-elem' in csp)

	    csp['script-src-elem'].push(rule);

	else

	    csp['script-src-elem'] = [rule];

	/* TODO: is this safe */

	let new_policy = Object.entries(csp).map(

	    i => i[0] + ' ' + i[1].join(' ') + ';'

	);

	headers.push({name: header.name, value: new_policy.join('')});

    }

    return {responseHeaders: headers};

}

async function start_policy_injector()

{

    storage = await get_storage();

    query_best = await get_query_best();

    let extra_opts = ["blocking", "responseHeaders"];

    if (is_chrome)

	extra_opts.push("extraHeaders");

    browser.webRequest.onBeforeRequest.addListener(

	url_inject,

	{

	    urls: ["<all_urls>"],

	    types: ["main_frame", "sub_frame"]

	},

	["blocking"]

    );

    browser.webRequest.onHeadersReceived.addListener(

	headers_inject,

	{

	    urls: ["<all_urls>"],

	    types: ["main_frame", "sub_frame"]

	},

	extra_opts

    );

}

/*

 * EXPORTS_START

 * EXPORT start_policy_injector

 * EXPORTS_END

 */