Revision f8dedf60
Added by koszko about 1 year ago
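--- a/common/policy.js
+++ b/common/policy.js
@@ -49,16 +49,15 @@
 * CSP rule that either blocks all scripts or only allows scripts with specified
 * nonce attached.
 */
-function make_csp(nonce)
-{
-const rule = nonce ? `nonce-${nonce}` : "none";
+function make_csp(nonce) {
+const rule = nonce ? `'nonce-${nonce}'` : "'none'";
 const csp_list = [
-["prefetch-src", "none"],
-["script-src-attr", "none"],
-["script-src", rule],
+["prefetch-src", "'none'"],
+["script-src-attr", "'none'"],
+["script-src", rule, "'unsafe-eval'"],
 ["script-src-elem", rule]
 ];
-return csp_list.map(([a, b]) => `${a} '${b}';`).join(" ");
+return csp_list.map(words => `${words.join(" ")};`).join(" ");
 }
 
 function decide_policy(patterns_tree, url, default_allow, secret)
@@ -113,3 +112,33 @@
 #EXPORT decide_policy
 
 #EXPORT () => ({allow: false, csp: make_csp()}) AS fallback_policy
+
+#IF NEVER
+
+/*
+* Note: the functions below were overeagerly written and are not used now but
+* might prove useful to once we add more functionalities and are hence kept...
+*/
+
+function relaxed_csp_eval(csp) {
+const new_csp_list = [];
+
+for (const directive of csp.split(";")) {
+const directive_words = directive.trim().split(" ");
+if (directive_words[0] === "script-src")
+directive_words.push("'unsafe-eval'");
+
+new_csp_list.push(directive_words);
+}
+
+new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" ");
+}
+
+function relax_policy_eval(policy) {
+const new_policy = Object.assign({}, policy);
+
+return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)});
+}
+#EXPORT relax_policy_eval
+
+#ENDIF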
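Review bot: `'unsafe-eval'` is appended to `script-src` unconditionally, so the no-nonce call `make_csp()` behind `fallback_policy` now emits `script-src 'none' 'unsafe-eval'`, a source list in which `'none'` is not the sole expression and is therefore treated as invalid and ignored by browsers; script URLs are still blocked, but a policy whose purpose is to deny everything should not carry an eval allowance at all. Append the keyword only when a nonce exists, `["script-src", rule, ...(nonce ? ["'unsafe-eval'"] : [])],`, and record the intent in the header comment, e.g. `// 'unsafe-eval' is added only for nonced (injected) scripts; the fallback policy stays a plain deny`. In the second hunk, the code kept under `#IF NEVER` assigns `new_policy.csp` inside `relaxed_csp_eval` where no `new_policy` is declared, and the template `${d.join(" ")}';` carries a stray quote, so it presumably should be fixed or dropped before `relax_policy_eval` is ever exported for real.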
allow eval() in injected scripts