authorhackademix2018-10-06 17:05:14 +0200
committerhackademix2018-10-06 18:13:27 +0200
commit209d50b0c1641831b29720aa5d8854888e597ad5 (patch)
treea90a953e4e1f0738ded2011151a47d8ca73979c1 /src
parentc9c7b7aefea74020565b829da5370152ee0ebac5 (diff)
Simplified CSP HTTP header injection, avoiding report-to until actually supported by browsers.
Diffstat (limited to 'src')
-rw-r--r--src/bg/ReportingCSP.js32
-rw-r--r--src/lib/NetCSP.js22
2 files changed, 25 insertions, 29 deletions
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index 03926c2..825107e 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -1,6 +1,13 @@
"use strict";
-
+
function ReportingCSP(reportURI, reportGroup) {
+ const REPORT_TO_SUPPORTED = false;
+ // TODO: figure out if we're running on a browser supporting the report-to
+ // CSP directive, breaking report-uri, see
+ // 1. https://www.w3.org/TR/CSP3/#directive-report-uri
+ // 2. https://bugs.chromium.org/p/chromium/issues/detail?id=726634
+ // 3. https://bugzilla.mozilla.org/show_bug.cgi?id=1391243
+
const REPORT_TO = {
name: "Report-To",
value: JSON.stringify({ "url": reportURI,
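Review bot: The TODO for `REPORT_TO_SUPPORTED` sits below the constant and does not say what the flag controls, so a reader has to find the ternary and the `needsReportTo` logic further down to learn that every `report-to` path is currently dead code. I would move the comment above the declaration and state the effect, e.g. `// While false, only report-uri is emitted and no Report-To header is added; flip once report-to support can be detected (see links).` The constant is also re-declared and `REPORT_TO` re-serialised on every `ReportingCSP()` call even though the header is never pushed while the flag is false. The function body continues outside this hunk.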
@@ -9,39 +16,40 @@ function ReportingCSP(reportURI, reportGroup) {
};
return Object.assign(
new CapsCSP(new NetCSP(
- `report-uri ${reportURI};`,
- `;report-to ${reportGroup};`
- )),
+ REPORT_TO_SUPPORTED ? `;report-to ${reportGroup};`
+ : `report-uri ${reportURI};`
+ )),
{
reportURI,
reportGroup,
patchHeaders(responseHeaders, capabilities) {
let header = null;
- let hasReportTo = false;
+ let needsReportTo = REPORT_TO_SUPPORTED;
for (let h of responseHeaders) {
if (this.isMine(h)) {
header = h;
- h.value = this.inject(h.value, "");
- } else if (h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
- hasReportTo = true;
+ h.value = "";
+ } else if (needsReportTo &&
+ h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
+ needsReportTo = false;
}
}
let blocker = capabilities && this.buildFromCapabilities(capabilities);
if (blocker) {
- if (!hasReportTo) {
+ if (needsReportTo) {
responseHeaders.push(REPORT_TO);
}
if (header) {
- header.value = this.inject(header.value, blocker);
+ header.value = blocker;
} else {
header = this.asHeader(blocker);
responseHeaders.push(header);
}
}
-
+
return header;
}
}
);
-}
+}
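Review bot: In `patchHeaders`, a header matched by `isMine` is now overwritten wholesale (`h.value = ""`, later `header.value = blocker`), whereas the removed `inject()` calls kept any text before and after the NoScript segment. That is only safe if NoScript's policy always occupies a header entry of its own. If a value ever reaches this loop with the site's directives following the NoScript prefix (for example duplicate headers folded into one value, which is not visible here), the page's own CSP would be dropped silently. Please record the invariant next to the assignment, e.g. `// isMine() headers contain only our policy, so replacing the whole value cannot discard site directives`. Also note that when no `blocker` is built, the matched header stays in `responseHeaders` with an empty value; if that is how a change is signalled to the caller, a short comment saying so would help.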
diff --git a/src/lib/NetCSP.js b/src/lib/NetCSP.js
index 90ef8ad..bb6ec61 100644
--- a/src/lib/NetCSP.js
+++ b/src/lib/NetCSP.js
@@ -1,32 +1,20 @@
"use strict";
class NetCSP extends CSP {
- constructor(start, end) {
+ constructor(start) {
super();
this.start = start;
- this.end = end;
}
-
+
isMine(header) {
let {name, value} = header;
- if (name.toLowerCase() !== CSP.headerName) return false;
- let startIdx = value.indexOf(this.start);
- return startIdx > -1 && startIdx < value.lastIndexOf(this.end);
+ return name.toLowerCase() === CSP.headerName && value.startsWith(this.start);
}
-
- inject(headerValue, mine) {
- let startIdx = headerValue.indexOf(this.start);
- if (startIdx < 0) return `${headerValue};${mine}`;
- let endIdx = headerValue.lastIndexOf(this.end);
- let retValue = `${headerValue.substring(0, startIdx)}${mine}`;
- return endIdx < 0 ? retValue : `${retValue}${headerValue.substring(endIdx + this.end.length + 1)}`;
- }
-
build(...directives) {
- return `${this.start}${super.build(...directives)}${this.end}`;
+ return `${this.start}${super.build(...directives)}`;
}
-
+
cleanup(headers) {
}
}
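Review bot: `isMine` now recognises NoScript's header only by `value.startsWith(this.start)`, so the match depends on the NoScript policy being the very first text in the header value. A value where it appears later is no longer detected, which would leave a stale policy in place while `ReportingCSP.patchHeaders` pushes a second one. A value that merely begins with the same `report-uri …;` text is treated as NoScript's and replaced. A doc comment on `isMine` should state this, e.g. `// Prefix match on the whole header value: assumes our policy is never merged into a site-supplied header`. The `constructor` also dropped its `end` parameter; callers other than `ReportingCSP` are not visible in this diff and should be checked for a second argument that is now ignored. `cleanup(headers) {}` is still an empty method with no comment saying whether the no-op is intentional.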