
Revision 96068ada

Added by koszko 2 months ago

replace cookies with synchronous XmlHttpRequest as policy smuggling method.

Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.


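--- a/build.sh
+++ b/build.sh
@@ -180,7 +180,6 @@
 	mkdir -p "$BUILDDIR"/$DIR
     done
 
-    CHROMIUM_KEY=''
     CHROMIUM_UPDATE_URL=''
     GECKO_APPLICATIONS=''
 
@@ -189,20 +188,7 @@
     fi
 
     if [ "$BROWSER" = "chromium" ]; then
-	CHROMIUM_KEY="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)"
-	CHROMIUM_KEY=$(echo chromium-key-dummy-file-$CHROMIUM_KEY | tr / -)
-	touch "$BUILDDIR"/$CHROMIUM_KEY
-
 	CHROMIUM_UPDATE_URL="$UPDATE_URL"
-
-	CHROMIUM_KEY="\n\
-	// WARNING!!!\n\
-	// EACH USER SHOULD REPLACE DUMMY FILE's VALUE WITH A UNIQUE ONE!!!\n\
-	// OTHERWISE, SECURITY CAN BE TRIVIALLY COMPROMISED!\n\
-	// Only relevant to users of chrome-based browsers.\n\
-	// Users of Firefox forks are safe.\n\
-	\"$CHROMIUM_KEY\"\
-"
     else
 	GECKO_APPLICATIONS="\n\
     \"applications\": {\n\
@@ -215,7 +201,6 @@
 
     sed "\
 s^_GECKO_APPLICATIONS_^$GECKO_APPLICATIONS^
-s^_CHROMIUM_KEY_^$CHROMIUM_KEY^
 s^_CHROMIUM_UPDATE_URL_^$CHROMIUM_UPDATE_URL^
 s^_BGSCRIPTS_^$BGSCRIPTS^
 s^_CONTENTSCRIPTS_^$CONTENTSCRIPTS^" \
@@ -279,6 +264,7 @@
     fi
 
     cp -r copyright licenses/ "$BUILDDIR"
+    cp dummy "$BUILDDIR"
     cp html/*.css "$BUILDDIR"/html
     mkdir "$BUILDDIR"/icons
     cp icons/*.png "$BUILDDIR"/icons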
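Review bot: The added `cp dummy "$BUILDDIR"` at new line 267 ships a fixed-name file with no comment saying what it is for, whereas the code it replaces generated a random per-build file name and carried an explicit warning about it. If `dummy` is the request target for the synchronous XMLHttpRequest named in the commit message and is exposed as a web-accessible resource (the manifest is not visible in this section), its URL is now predictable, so it is worth confirming that nothing secret depends on that path and that page scripts reaching it is acceptable. I would add a comment above the line, for example `# dummy: fixed-name target of the sync-XHR policy hand-off; must never carry secrets`. The manifest template should also be checked for a leftover `_CHROMIUM_KEY_` placeholder, because the `sed` substitution for it is removed here and an unreplaced token would end up in the built manifest.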
