authorhackademix2018-08-26 16:33:40 +0200
committerhackademix2018-08-27 18:55:00 +0200
commite82e961dd75401cd78c5b46c7dde4e197557b385 (patch)
tree5cc55fe0176f8a29e59510035494d7594cee40df /src/common
parentb5d7266c504bef59c584dec0a1f7e09895ba0469 (diff)
Refactoring CSP building out of RequestGuard.
Diffstat (limited to 'src/common')
-rw-r--r--src/common/CapsCSP.js30
1 files changed, 30 insertions, 0 deletions
diff --git a/src/common/CapsCSP.js b/src/common/CapsCSP.js
new file mode 100644
index 0000000..17a949c
--- /dev/null
+++ b/src/common/CapsCSP.js
@@ -0,0 +1,30 @@
+"use strict";
+
+function CapsCSP(baseCSP = new CSP()) {
+ return Object.assign(baseCSP, {
+ types: ["script", "object", "media"],
+ dataUriTypes: ["font", "media", "object"],
+ buildFromCapabilities(capabilities, netBlocker = false) {
+ let forbidData = new Set(this.dataUriTypes.filter(t => !capabilities.has(t)));
+ let blockedTypes;
+ if (netBlocker) {
+ blockedTypes = new Set(this.types.filter(t => !capabilities.has(t)));
+ } else if(!capabilities.has("script")) {
+ blockedTypes = new Set(["script"]);
+ forbidData.add("object"); // data: URIs loaded in objects may run scripts
+ } else {
+ blockedTypes = new Set();
+ }
+
+ for (let type of forbidData) {
+ if (blockedTypes.has(type)) continue;
+ // HTTP is blocked in onBeforeRequest, let's allow it only and block
+ // for instance data: and blob: URIs
+ let dataBlocker = {name: type, value: "http: https:"};
+ blockedTypes.add(dataBlocker)
+ }
+
+ return blockedTypes.size ? this.buildBlocker(...blockedTypes) : null;
+ }
+ });
+}
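Review bot: `dataUriTypes` lists "font" but `types` does not, so in the `netBlocker` branch a missing "font" capability never adds "font" to `blockedTypes` as a fully blocked type; it only gets the `{name: "font", value: "http: https:"}` entry from the `forbidData` loop. If that is intentional because font requests are stopped elsewhere, say so next to the two arrays, e.g. `// font is not in types: only data:/blob: font sources are restricted by this CSP`; otherwise "font" probably belongs in `types` as well. More generally, the `http: https:` value means the result is not a complete policy on its own for any type in `forbidData`, since it relies on the onBeforeRequest blocking mentioned in the inline comment. A short JSDoc on `buildFromCapabilities` should state that dependency, that `capabilities` must expose `has()`, and that a `null` return means no policy is needed, so callers do not mistake it for an error.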