diff options
Diffstat (limited to 'src/bg')
-rw-r--r-- | src/bg/ReportingCSP.js | 10 | ||||
-rw-r--r-- | src/bg/RequestGuard.js | 24 |
2 files changed, 26 insertions, 8 deletions
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js index 825107e..2da1bbc 100644 --- a/src/bg/ReportingCSP.js +++ b/src/bg/ReportingCSP.js @@ -25,6 +25,8 @@ function ReportingCSP(reportURI, reportGroup) { patchHeaders(responseHeaders, capabilities) { let header = null; let needsReportTo = REPORT_TO_SUPPORTED; + + let blocker = capabilities && this.buildFromCapabilities(capabilities); for (let h of responseHeaders) { if (this.isMine(h)) { header = h; @@ -32,10 +34,16 @@ function ReportingCSP(reportURI, reportGroup) { } else if (needsReportTo && h.name === REPORT_TO.name && h.value === REPORT_TO.value) { needsReportTo = false; + } else if (blocker && /^(Location|Refresh)$/i.test(h.name)) { + let url = /^R/i.test(h.name) + ? h.value.replace(/^[^,;]*[,;]url[^\w=]*=\s*/i, "") : h.value; + let patched = CSP.patchDataURI(url, blocker); + if (patched !== url) { + h.value = h.value.slice(0, -url.length) + patched; + } } } - let blocker = capabilities && this.buildFromCapabilities(capabilities); if (blocker) { if (needsReportTo) { responseHeaders.push(REPORT_TO); diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js index 31d79f5..725a2bf 100644 --- a/src/bg/RequestGuard.js +++ b/src/bg/RequestGuard.js @@ -305,9 +305,10 @@ var RequestGuard = (() => { normalizeRequest(request); try { let redirected = initPendingRequest(request); - let {policy} = ns; - let policyType = policyTypesMap[request.type]; - if (policyType) { + let {policy} = ns + let {type} = request; + if (type in policyTypesMap) { + let policyType = policyTypesMap[type]; let {url, originUrl, documentUrl, tabId} = request; let isFetch = "fetch" === policyType; @@ -327,7 +328,7 @@ var RequestGuard = (() => { if (/^(?:data|blob):/.test(url)) { request._dataUrl = url; - request.url = url = documentUrl; + request.url = url = documentUrl || originUrl; } let allowed = Sites.isInternal(url); @@ -340,10 +341,19 @@ var RequestGuard = (() => { allowed = !ns.isEnforced(tabId); } if (!allowed) { - allowed = intersectCapabilities( + let capabilities = intersectCapabilities( policy.get(url, documentUrl).perms, - request - ).has(policyType); + request); + allowed = !policyType || capabilities.has(policyType); + if (allowed && request._dataUrl && type.endsWith("frame")) { + let blocker = csp.buildFromCapabilities(capabilities); + if (blocker) { + let redirectUrl = CSP.patchDataURI(request._dataUrl, blocker); + if (redirectUrl !== request._dataUrl) { + return {redirectUrl}; + } + } + } } } Content.reportTo(request, allowed, policyType); |