diff options
| author | hackademix | 2018-08-24 22:14:38 +0200 |
|---|---|---|
| committer | hackademix | 2018-08-24 22:14:38 +0200 |
| commit | fc92be83c323cf07f2b0f116b9c6436d0b21ea54 (patch) | |
| tree | 09501aee220497c38c0929ae07bb640ae39242f8 /src/bg | |
| parent | 1ce446f871ec0ccd8899c6513006548987829204 (diff) | |
| download | noscript-fc92be83c323cf07f2b0f116b9c6436d0b21ea54.tar.gz noscript-fc92be83c323cf07f2b0f116b9c6436d0b21ea54.tar.xz noscript-fc92be83c323cf07f2b0f116b9c6436d0b21ea54.zip | |
Fixed minor CSP buildig issues.
Diffstat (limited to 'src/bg')
| -rw-r--r-- | src/bg/RequestGuard.js | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js index afadcda..9f28116 100644 --- a/src/bg/RequestGuard.js +++ b/src/bg/RequestGuard.js @@ -13,7 +13,7 @@ var RequestGuard = (() => { const CSP = { name: "content-security-policy", start: `report-uri ${REPORT_URI};`, - end: `;report-to ${REPORT_URI};`, + end: `;report-to ${REPORT_GROUP};`, isMine(header) { let {name, value} = header; if (name.toLowerCase() !== CSP.name) return false; @@ -386,13 +386,16 @@ var RequestGuard = (() => { try { let header, blocker; - let content = {} + let content = {}; + let hasReportTo = false; for (let h of responseHeaders) { if (CSP.isMine(h)) { header = h; h.value = CSP.inject(h.value, ""); } else if (/^\s*Content-(Type|Disposition)\s*$/i.test(h.name)) { content[RegExp.$1.toLowerCase()] = h.value; + } else if (h.name === REPORT_TO.name && h.value === REPORT_TO.value) { + hasReportTo = true; } } @@ -417,7 +420,7 @@ var RequestGuard = (() => { let canScript = capabilities.has("script"); let blockedTypes; - let forbidData = FORBID_DATAURI_TYPES.filter(t => !capabilities.has(t)); + let forbidData = new Set(FORBID_DATAURI_TYPES.filter(t => !capabilities.has(t))); if (!content.disposition && (!content.type || /^\s*(?:video|audio|application)\//.test(content.type))) { debug(`Suspicious content type "%s" in request %o with capabilities %o`, @@ -425,10 +428,11 @@ var RequestGuard = (() => { blockedTypes = CSP.types.filter(t => !capabilities.has(t)); } else if(!canScript) { blockedTypes = ["script"]; - forbidData.push("object"); // data: URIs loaded in objects may run scripts + forbidData.add("object"); // data: URIs loaded in objects may run scripts } for (let type of forbidData) { // object, font, media + if (blockedTypes.includes(type)) continue; // HTTP is blocked in onBeforeRequest, let's allow it only and block // for instance data: and blob: URIs let dataBlocker = {name: type, value: "http: https:"}; @@ -459,6 +463,9 @@ var RequestGuard = (() => { if (header) { pending.cspHeader = header; + if (!hasReportTo) { + responseHeaders.push(REPORT_TO); + } return {responseHeaders}; } } catch (e) { |