
Revision f8dedf60

Added by koszko about 1 year ago

allow eval() in injected scripts


common/policy.js
49 49
 * CSP rule that either blocks all scripts or only allows scripts with specified
50 50
 * nonce attached.
51 51
 */
52
function make_csp(nonce)
53
{
54
    const rule = nonce ? `nonce-${nonce}` : "none";
52
function make_csp(nonce) {
53
    const rule = nonce ? `'nonce-${nonce}'` : "'none'";
55 54
    const csp_list = [
56
	["prefetch-src",    "none"],
57
	["script-src-attr", "none"],
58
	["script-src",      rule],
55
	["prefetch-src",    "'none'"],
56
	["script-src-attr", "'none'"],
57
	["script-src",      rule, "'unsafe-eval'"],
59 58
	["script-src-elem", rule]
60 59
    ];
61
    return csp_list.map(([a, b]) => `${a} '${b}';`).join(" ");
60
    return csp_list.map(words => `${words.join(" ")};`).join(" ");
62 61
}
63 62

  
64 63
function decide_policy(patterns_tree, url, default_allow, secret)
......
113 112
#EXPORT decide_policy
114 113

  
115 114
#EXPORT  () => ({allow: false, csp: make_csp()})  AS fallback_policy
115

  
116
#IF NEVER
117

  
118
/*
119
 * Note: the functions below were overeagerly written and are not used now but
120
 * might prove useful to once we add more functionalities and are hence kept...
121
 */
122

  
123
function relaxed_csp_eval(csp) {
124
    const new_csp_list = [];
125

  
126
    for (const directive of csp.split(";")) {
127
	const directive_words = directive.trim().split(" ");
128
	if (directive_words[0] === "script-src")
129
	    directive_words.push("'unsafe-eval'");
130

  
131
	new_csp_list.push(directive_words);
132
    }
133

  
134
    new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" ");
135
}
136

  
137
function relax_policy_eval(policy) {
138
    const new_policy = Object.assign({}, policy);
139

  
140
    return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)});
141
}
142
#EXPORT relax_policy_eval
143

  
144
#ENDIF
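Review bot: `'unsafe-eval'` is appended to `script-src` unconditionally in make_csp, so the no-nonce path used by `fallback_policy` now emits `script-src 'none' 'unsafe-eval'`; per CSP, `'none'` is only meaningful as the sole source expression and is ignored when others are present, so the blocking policy no longer states what it intends. Since the commit's stated goal is eval in injected (nonce-bearing) scripts, gate the keyword on the nonce: `["script-src", rule, ...(nonce ? ["'unsafe-eval'"] : [])],`. No host or nonce source matches under the fallback, so scripts still cannot load and this looks like a hygiene issue rather than an exploitable hole — worth confirming against the callers of make_csp, which are outside this hunk. Separately, the `#IF NEVER` helper `relaxed_csp_eval` assigns to an undefined `new_policy`, returns nothing, and its join inserts a stray `'` before each `;`; if the block is kept for later reuse it should carry a marker such as `// FIXME: not functional as written — never enabled`.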
