author | hackademix | 2018-08-26 16:33:40 +0200 |
---|---|---|
committer | hackademix | 2018-08-27 18:55:00 +0200 |
commit | e82e961dd75401cd78c5b46c7dde4e197557b385 (patch) | |
tree | 5cc55fe0176f8a29e59510035494d7594cee40df /src/common | |
parent | b5d7266c504bef59c584dec0a1f7e09895ba0469 (diff) | |
Refactoring CSP building out of RequestGuard.
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/CapsCSP.js | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/src/common/CapsCSP.js b/src/common/CapsCSP.js
new file mode 100644
index 0000000..17a949c
--- /dev/null
+++ b/src/common/CapsCSP.js
@@ -0,0 +1,30 @@
+"use strict";
+
+function CapsCSP(baseCSP = new CSP()) {
+ return Object.assign(baseCSP, {
+ types: ["script", "object", "media"],
+ dataUriTypes: ["font", "media", "object"],
+ buildFromCapabilities(capabilities, netBlocker = false) {
+ let forbidData = new Set(this.dataUriTypes.filter(t => !capabilities.has(t)));
+ let blockedTypes;
+ if (netBlocker) {
+ blockedTypes = new Set(this.types.filter(t => !capabilities.has(t)));
+ } else if(!capabilities.has("script")) {
+ blockedTypes = new Set(["script"]);
+ forbidData.add("object"); // data: URIs loaded in objects may run scripts
+ } else {
+ blockedTypes = new Set();
+ }
+
+ for (let type of forbidData) {
+ if (blockedTypes.has(type)) continue;
+ // HTTP is blocked in onBeforeRequest, let's allow it only and block
+ // for instance data: and blob: URIs
+ let dataBlocker = {name: type, value: "http: https:"};
+ blockedTypes.add(dataBlocker)
+ }
+
+ return blockedTypes.size ? this.buildBlocker(...blockedTypes) : null;
+ }
+ });
+} |
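Review bot: `buildFromCapabilities` has no doc comment stating its contract, and with the default `netBlocker = false` the policy it builds blocks at most `script` plus non-HTTP(S) sources for the data types, so `object` and `media` loads over http(s) are left to the request-level blocking that the inline comment attributes to onBeforeRequest. That dependency is a security invariant and should be stated above the method, for example `// netBlocker=false: CSP only blocks scripts and non-http(s) sources; http(s) loads must be blocked in onBeforeRequest`. The same comment should say that `capabilities` must expose `has()` and that the method returns `null` when nothing is blocked, so callers (not visible in this hunk) treat the absence of a policy as a deliberate outcome. Minor style: `blockedTypes.add(dataBlocker)` is missing its semicolon.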