Project

General

Profile

« Previous | Next » 

Revision ecb78704

Added by jahoti about 2 years ago

Streamline and harden unique values/settings

The base URL is now included in the settings. The unique value no longer uses
it directly, as it is included by virtue of the settings; however, the number
of full hours since the epoch (UTC) is now incorporated.

View differences:

background/policy_injector.js
17 17 
 * IMPORT gen_nonce
18 18 
 * IMPORT url_item
19 19 
 * IMPORT url_extract_policy
20 
 * IMPORT sign_policy
20 21 
 * IMPORT get_query_best
21 22 
 * IMPORT csp_rule
22 23 
 * IMPORTS_END
......
46 47 
function url_inject(details)
47 48 
{
48 49 
    const targets = url_extract_policy(details.url);
49 
    if (targets.valid_sig) {
50 
    if (targets.current) {
50 51 
	return;
51 52 
    } else if (targets.policy) {
52 53 
	/* Redirect; update policy */
......
59 60 
	/* Defaults */
60 61 
	settings = {};
61 62
62 
    const policy = {allow: settings.allow, nonce: gen_nonce()};
63 
    const policy_string = encodeURIComponent(JSON.stringify(policy));
64 
    const sig = gen_unique(policy_string + targets.base_url);
63 
    const policy = encodeURIComponent(
64 
	JSON.stringify({
65 
	    allow: settings.allow,
66 
	    nonce: gen_nonce(),
67 
	    base_url: targets.base_url
68 
	})
69 
    );
65 70
66 
    let redirect_url = targets.base_url + '#' + sig + policy_string;
71 
    let redirect_url = targets.base_url;
72 
    redirect_url += '#' + sign_policy(policy, new Date()) + policy;
67 73 
    if (targets.target)
68 74 
	redirect_url += targets.target;
69 75 
    if (targets.target2)
......
75 81 
function inject(details)
76 82 
{
77 83 
    const targets = url_extract_policy(details.url);
78 
    if (!targets.valid_sig)
79 
	/* Block unsigned requests */
84 
    if (!targets.current)
85 
	/* Block mis-/unsigned requests */
80 86 
	return {cancel: true};
81 87 

  		




  82
  88
  
    
    const rule = csp_rule(targets.policy.nonce);


  		




  83
  
  
    

  		




  84
  89
  
    
    var headers = details.responseHeaders;


  		




  85
  90
  
    

  		




  86
  91
  
    
    if (!targets.policy.allow || is_mozilla)


  		












  

    
      common/misc.js
    
  





  104
  104
  
    
    return !!/^(chrome(-extension)?|moz-extension):\/\/|^about:/i.exec(url);


  		




  105
  105
  
    
}


  		




  106
  106
  
    

  		




  
  107
  
    
/* Sign a given policy for a given time */


  		




  
  108
  
    
function sign_policy(policy, now, hours_offset) {


  		




  
  109
  
    
    let time = Math.floor(now / 3600000) + (hours_offset || 0);


  		




  
  110
  
    
    return gen_unique(time + policy);


  		




  
  111
  
    
}


  		




  
  112
  
    

  		




  107
  113
  
    
/* Extract any policy present in the URL */


  		




  108
  114
  
    
function url_extract_policy(url)


  		




  109
  115
  
    
{


  		




  110
  
  
    
    var policy_string;


  		




  111
  116
  
    
    const targets = url_extract_target(url);


  		




  
  117
  
    
    if (!targets.target)


  		




  
  118
  
    
	return targets;


  		




  
  119
  
    

  		




  
  120
  
    
    /* %7B -> { */


  		




  
  121
  
    
    const index = targets.target.indexOf('%7B');


  		




  
  122
  
    
    if (index === -1)


  		




  
  123
  
    
	return targets;


  		




  
  124
  
    
    


  		




  
  125
  
    
    const now = new Date();


  		




  
  126
  
    
    const sig = targets.target.substring(1, index);


  		




  
  127
  
    
    const policy = targets.target.substring(index);


  		




  
  128
  
    
    if (


  		




  
  129
  
    
	sig !== sign_policy(policy, now) &&


  		




  
  130
  
    
	sig !== sign_policy(policy, now, -1) &&


  		




  
  131
  
    
	sig !== sign_policy(policy, now, 1)


  		




  
  132
  
    
    )


  		




  
  133
  
    
	return targets;


  		




  112
  134
  
    
    


  		




  113
  135
  
    
    try {


  		




  114
  
  
    
	policy_string = targets.target.substring(65);


  		




  115
  
  
    
	targets.policy = JSON.parse(decodeURIComponent(policy_string));


  		




  
  136
  
    
	targets.policy = JSON.parse(decodeURIComponent(policy));


  		




  
  137
  
    
	targets.current = targets.policy.base_url === targets.base_url;


  		




  116
  138
  
    
    } catch (e) {


  		




  117
  139
  
    
	/* TODO what should happen here? */


  		




  118
  140
  
    
    }


  		




  119
  
  
    
    


  		




  120
  
  
    
    if (targets.policy) {


  		




  121
  
  
    
	const sig = gen_unique(policy_string + targets.base_url);


  		




  122
  
  
    
	targets.valid_sig = targets.target.substring(1, 65) === sig;


  		




  123
  
  
    
    }


  		




  124
  141
  
    

  		




  125
  142
  
    
    return targets;


  		




  126
  143
  
    
}


  		




  ......




  132
  149
  
    
 * EXPORT url_item


  		




  133
  150
  
    
 * EXPORT url_extract_target


  		




  134
  151
  
    
 * EXPORT url_extract_policy


  		




  
  152
  
    
 * EXPORT sign_policy


  		




  135
  153
  
    
 * EXPORT csp_rule


  		




  136
  154
  
    
 * EXPORT nice_name


  		




  137
  155
  
    
 * EXPORT open_in_settings


  		












  

    
      content/main.js
    
  





  107
  107
  
    
	    history.replaceState(null, "", targets.base_url);


  		




  108
  108
  
    
    }


  		




  109
  109
  
    
    


  		




  110
  
  
    
    targets.policy = targets.valid_sig ? targets.policy : {};


  		




  
  110
  
    
    targets.policy = targets.current ? targets.policy : {};


  		




  111
  111
  
    
    


  		




  112
  112
  
    
    const nonce = targets.policy.nonce || gen_nonce();


  		




  113
  113
  
    
    start_activity_info_server();


  		












Also available in:  Unified diff