"use strict"; function ReportingCSP(reportURI, reportGroup) { const REPORT_TO_SUPPORTED = false; // TODO: figure out if we're running on a browser supporting the report-to // CSP directive, breaking report-uri, see // 1. https://www.w3.org/TR/CSP3/#directive-report-uri // 2. https://bugs.chromium.org/p/chromium/issues/detail?id=726634 // 3. https://bugzilla.mozilla.org/show_bug.cgi?id=1391243 const REPORT_TO = { name: "Report-To", value: JSON.stringify({ "url": reportURI, "group": reportGroup, "max-age": 10886400 }), }; return Object.assign( new CapsCSP(new NetCSP( REPORT_TO_SUPPORTED ? `;report-to ${reportGroup};` : `report-uri ${reportURI};` )), { reportURI, reportGroup, patchHeaders(responseHeaders, capabilities) { let header = null; let needsReportTo = REPORT_TO_SUPPORTED; let blocker = capabilities && this.buildFromCapabilities(capabilities); responseHeaders.forEach((h, index) => { if (this.isMine(h)) { header = h; responseHeaders.splice(index, 1); } else if (needsReportTo && h.name === REPORT_TO.name && h.value === REPORT_TO.value) { needsReportTo = false; } else if (blocker && /^(Location|Refresh)$/i.test(h.name)) { // neutralize any HTTP redirection to data: URLs, like Chromium let url = /^R/i.test(h.name) ? h.value.replace(/^[^,;]*[,;](?:\W*url[^=]*=)?[^!#$%&()*+,/:;=?@[\]\w.,~-]*/i, "") : h.value; if (/^data:/i.test(url)) { h.value = h.value.slice(0, -url.length) + "data:"; } } }); if (blocker) { if (needsReportTo) { responseHeaders.push(REPORT_TO); } header = this.asHeader(blocker); responseHeaders.push(header); } return header; } } ); }