authorhackademix2018-08-26 17:43:01 +0200
committerhackademix2018-08-27 18:55:00 +0200
commit6e80d3f130773fc9a9123c5c4c2e97d63e90fa2a (patch)
treeed610783c9f36b5625179bff318194bd118c53f0 /src
parente82e961dd75401cd78c5b46c7dde4e197557b385 (diff)
downloadnoscript-6e80d3f130773fc9a9123c5c4c2e97d63e90fa2a.tar.gz
noscript-6e80d3f130773fc9a9123c5c4c2e97d63e90fa2a.tar.xz
noscript-6e80d3f130773fc9a9123c5c4c2e97d63e90fa2a.zip
Let content script inject failsafe CSP in the DOM.
Diffstat (limited to 'src')
-rw-r--r--src/content/DocumentCSP.js26
-rw-r--r--src/content/content.js11
-rw-r--r--src/manifest.json3
3 files changed, 38 insertions, 2 deletions
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
new file mode 100644
index 0000000..228b2a2
--- /dev/null
+++ b/src/content/DocumentCSP.js
@@ -0,0 +1,26 @@
+'use strict';
+
+class DocumentCSP {
+ constructor(document) {
+ this.document = document;
+ this.builder = new CapsCSP();
+ }
+
+ apply(capabilities) {
+ let csp = this.builder;
+ let blocker = csp.buildFromCapabilities(capabilities);
+ if (!blocker) return;
+
+ let document = this.document;
+ let header = csp.asHeader(blocker);
+ let meta = document.createElementNS("http://www.w3.org/1999/xhtml", "meta");
+ meta.setAttribute("http-equiv", header.name);
+ meta.setAttribute("content", header.value);
+ let parent = document.head || document.documentElement;
+ try {
+ parent.insertBefore(meta, parent.firstChild);
+ } catch (e) {
+ error(e, "Error inserting CSP %s in the DOM", header && header.value);
+ }
+ }
+}
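Review bot: The fallback `document.head || document.documentElement` in `apply()` can place the `<meta>` outside `<head>`, where the HTML spec's http-equiv CSP processing does not honor it, so on a document whose head does not exist yet the failsafe may silently do nothing. If this content script can run before the parser has created `<head>` (the run timing is not visible here), consider creating the head element first or deferring until it exists, and logging when the policy could not be placed. The `header && header.value` guard in the catch is dead because `header.name` was already dereferenced above, so `header.value` is enough. A short class comment would also help, saying that this is a DOM-level fallback and that a CSP delivered via meta ignores some directives (`frame-ancestors`, `report-uri`, `sandbox`).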
diff --git a/src/content/content.js b/src/content/content.js
index 8ab3654..a5d996d 100644
--- a/src/content/content.js
+++ b/src/content/content.js
@@ -61,14 +61,21 @@
if (!this.perms.DEFAULT || this.perms.tabInfo.unrestricted) {
this.allows = () => true;
+ this.capabilities = Object.assign(
+ new Set(["script"]), { has() { return true; } });
+ } else {
+ let perms = this.perms.CURRENT || this.perms.DEFAULT;
+ this.capabilities = new Set(perms.capabilities);
+ new DocumentCSP(document).apply(this.capabilities);
}
ns.fire("perms");
},
perms: { DEFAULT: null, CURRENT: null, tabInfo: {}, MARKER: "" },
+
allows(cap) {
- let perms = this.perms.CURRENT;
- return perms && perms.capabilities.includes(cap);
+ return this.capabilities && this.capabilities.has(cap);
},
+
getWindowName() {
return top !== window || !this.perms.MARKER ? window.name
: window.name.split(this.perms.MARKER + ",").pop();
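Review bot: `this.allows = () => true;` in the unrestricted branch is now redundant and sticky: it replaces the `allows(cap)` method on the object, and the new `else` branch never restores it. If this handler runs again with restricted permissions, `allows()` would presumably keep returning true while `DocumentCSP` applies a blocking policy. Since the overridden `has()` already makes `allows()` return true, dropping that assignment leaves `this.capabilities` as the single source of truth. The unrestricted set also answers `has()` with true for everything while iterating and sizing as just `"script"`, which deserves a comment such as `// has() is overridden: every capability is allowed; do not enumerate this set`. The enclosing function starts outside this hunk, so whether it can run more than once per document is not visible here.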
diff --git a/src/manifest.json b/src/manifest.json
index 5870812..143a776 100644
--- a/src/manifest.json
+++ b/src/manifest.json
@@ -67,6 +67,9 @@
"js": [
"lib/log.js",
"lib/Messages.js",
+ "lib/CSP.js",
+ "common/CapsCSP.js",
+ "content/DocumentCSP.js",
"content/onScriptDisabled.js",
"content/content.js",
"content/webglHook.js",