authorhackademix2018-10-06 17:05:14 +0200
committerhackademix2018-10-06 18:13:27 +0200
commit209d50b0c1641831b29720aa5d8854888e597ad5 (patch)
treea90a953e4e1f0738ded2011151a47d8ca73979c1 /src/bg/ReportingCSP.js
parentc9c7b7aefea74020565b829da5370152ee0ebac5 (diff)
Simplified CSP HTTP header injection, avoiding report-to until actually supported by browsers.
Diffstat (limited to 'src/bg/ReportingCSP.js')
-rw-r--r--src/bg/ReportingCSP.js32
1 files changed, 20 insertions, 12 deletions
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index 03926c2..825107e 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -1,6 +1,13 @@
"use strict";
-
+
function ReportingCSP(reportURI, reportGroup) {
+ const REPORT_TO_SUPPORTED = false;
+ // TODO: figure out if we're running on a browser supporting the report-to
+ // CSP directive, breaking report-uri, see
+ // 1. https://www.w3.org/TR/CSP3/#directive-report-uri
+ // 2. https://bugs.chromium.org/p/chromium/issues/detail?id=726634
+ // 3. https://bugzilla.mozilla.org/show_bug.cgi?id=1391243
+
const REPORT_TO = {
name: "Report-To",
value: JSON.stringify({ "url": reportURI,
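Review bot: The new `REPORT_TO_SUPPORTED` flag is declared without saying what each value selects, and the TODO that follows only lists the spec and bug links. A one-line comment such as `// false: send report-uri only; true: send report-to and add the Report-To response header` would make the switch readable without tracing `patchHeaders`. While the flag is hard-coded to `false`, the `REPORT_TO` object below is still built on every call but never pushed, which is harmless but worth mentioning in that comment. The body of `ReportingCSP` continues beyond this hunk.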
@@ -9,39 +16,40 @@ function ReportingCSP(reportURI, reportGroup) {
};
return Object.assign(
new CapsCSP(new NetCSP(
- `report-uri ${reportURI};`,
- `;report-to ${reportGroup};`
- )),
+ REPORT_TO_SUPPORTED ? `;report-to ${reportGroup};`
+ : `report-uri ${reportURI};`
+ )),
{
reportURI,
reportGroup,
patchHeaders(responseHeaders, capabilities) {
let header = null;
- let hasReportTo = false;
+ let needsReportTo = REPORT_TO_SUPPORTED;
for (let h of responseHeaders) {
if (this.isMine(h)) {
header = h;
- h.value = this.inject(h.value, "");
- } else if (h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
- hasReportTo = true;
+ h.value = "";
+ } else if (needsReportTo &&
+ h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
+ needsReportTo = false;
}
}
let blocker = capabilities && this.buildFromCapabilities(capabilities);
if (blocker) {
- if (!hasReportTo) {
+ if (needsReportTo) {
responseHeaders.push(REPORT_TO);
}
if (header) {
- header.value = this.inject(header.value, blocker);
+ header.value = blocker;
} else {
header = this.asHeader(blocker);
responseHeaders.push(header);
}
}
-
+
return header;
}
}
);
-}
+}
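Review bot: In `patchHeaders`, `h.value = ""` and later `header.value = blocker` now replace the whole value of any header that `isMine()` accepts, where the old code edited it through `inject()`. That is only safe if `isMine()` matches headers this extension created and nothing else. `isMine` and `NetCSP` are not visible here, and `NetCSP` now receives one marker argument instead of two, so the match may have become looser; if it can ever match a site-supplied Content-Security-Policy, that policy would be discarded. I would state the invariant above the loop, e.g. `// isMine() must match only headers we injected: their value is overwritten, not merged`, and confirm that `NetCSP` handles a missing second argument.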