From 209d50b0c1641831b29720aa5d8854888e597ad5 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sat, 6 Oct 2018 17:05:14 +0200
Subject: Simplified CSP HTTP header injection, avoiding report-to until actually supported by browsers.

---
 src/bg/ReportingCSP.js | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)
 (limited to 'src/bg')

diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index 03926c2..825107e 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -1,6 +1,13 @@
 "use strict";
-
+
 function ReportingCSP(reportURI, reportGroup) {
+  const REPORT_TO_SUPPORTED = false;
+  // TODO: figure out if we're running on a browser supporting the report-to
+  // CSP directive, breaking report-uri, see
+  // 1. https://www.w3.org/TR/CSP3/#directive-report-uri
+  // 2. https://bugs.chromium.org/p/chromium/issues/detail?id=726634
+  // 3. https://bugzilla.mozilla.org/show_bug.cgi?id=1391243
+
   const REPORT_TO = {
     name: "Report-To",
     value: JSON.stringify({ "url": reportURI,
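Review bot: The TODO added above `const REPORT_TO_SUPPORTED = false;` only covers detecting report-to support, but the Report-To header value built just below it (the object literal continues past the hunk) starts with a top-level `"url"` key, which looks like the older Reporting API draft layout rather than the `endpoints` array form of the current spec, so flipping the flag alone would likely emit a header browsers ignore. Extend the TODO so both are revisited together: `// TODO: when enabling, also re-check REPORT_TO's value against the current Reporting API header format`. While the flag is false the REPORT_TO value is still JSON.stringify'd on every ReportingCSP() call; harmless, but a short comment saying it is intentionally kept ready for the switch would stop it being read as live behaviour.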
@@ -9,39 +16,40 @@ function ReportingCSP(reportURI, reportGroup) {
   };
   return Object.assign(
     new CapsCSP(new NetCSP(
-      `report-uri ${reportURI};`,
-      `;report-to ${reportGroup};`
-    )),
+      REPORT_TO_SUPPORTED ? `;report-to ${reportGroup};`
+      : `report-uri ${reportURI};`
+    )),
     {
       reportURI,
       reportGroup,
       patchHeaders(responseHeaders, capabilities) {
         let header = null;
-        let hasReportTo = false;
+        let needsReportTo = REPORT_TO_SUPPORTED;
         for (let h of responseHeaders) {
           if (this.isMine(h)) {
             header = h;
-            h.value = this.inject(h.value, "");
-          } else if (h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
-            hasReportTo = true;
+            h.value = "";
+          } else if (needsReportTo &&
+              h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
+            needsReportTo = false;
           }
         }
         let blocker = capabilities && this.buildFromCapabilities(capabilities);
         if (blocker) {
-          if (!hasReportTo) {
+          if (needsReportTo) {
             responseHeaders.push(REPORT_TO);
           }
           if (header) {
-            header.value = this.inject(header.value, blocker);
+            header.value = blocker;
           } else {
             header = this.asHeader(blocker);
             responseHeaders.push(header);
           }
         }
-
+
         return header;
       }
     }
   );
-}
+}
-- cgit v1.2.3
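Review bot: The two branches of the new single NetCSP argument are not symmetric: the report-to branch keeps the leading `;` it had when it was the second argument, so the day REPORT_TO_SUPPORTED is flipped the policy would start with an empty directive (`;report-to …;`), which is sloppy even if parsers tolerate it. Make both branches a self-contained directive: `REPORT_TO_SUPPORTED ? \`report-to ${reportGroup};\` : \`report-uri ${reportURI};\``. Separately, the loop now blanks a header matched by `this.isMine(h)` with `h.value = ""` instead of `this.inject(h.value, "")`; if isMine can match a header that also carries directives this module did not set (its definition is not visible here), those directives are now dropped even when `blocker` is falsy and the emptied header is returned, so a comment above the loop stating that a matched header is assumed to be entirely ours would make that contract explicit. `blocker` is never reassigned and can be `const`. The enclosing ReportingCSP function starts outside the hunk.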