[$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

lib/csp.js

Index: lib/csp.js
diff --git a/lib/csp.js b/lib/csp.js
index 6e7656d1b552a99a74279fefe5fe037a13a89840..4995c1444908c72a2f3012552f592800df9a9329 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -17,53 +17,100 @@
 
 "use strict";
 
-// The webRequest API doesn't support WebSocket connection blocking in Microsoft
-// Edge and versions of Chrome before 58. Therefore for those we inject CSP
-// headers below as a workaround. See https://crbug.com/129353 and
-// https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10297376/
-if (!browser.webRequest.ResourceType ||
-    !("WEBSOCKET" in browser.webRequest.ResourceType))
+const {defaultMatcher} = require("matcher");
+const {BlockingFilter,
+       RegExpFilter,
+       WhitelistFilter} = require("filterClasses");
+const {getDecodedHostname, stringifyURL} = require("url");
+const {checkWhitelisted} = require("whitelisting");
+const {FilterNotifier} = require("filterNotifier");
+const devtools = require("devtools");
+
+const {typeMap} = RegExpFilter;
+
+browser.webRequest.onHeadersReceived.addListener(details =>
 {
-  const {defaultMatcher} = require("matcher");
-  const {BlockingFilter, RegExpFilter} = require("filterClasses");
-  const {getDecodedHostname} = require("url");
-  const {checkWhitelisted} = require("whitelisting");
+  // Chrome seems to sometimes give the response type of "xmlhttprequest"
+  // instead of "main_frame", but when it does the tabId is always -1 and
+  // the URL matches the initiator's URL (once normalised).
+  // https://bugs.chromium.org/p/chromium/issues/detail?id=805649
+  if (details.type == "xmlhttprequest" &&
+      (details.tabId > -1 || details.initiator &&
+       details.url != new URL(details.initiator).toString()))
+  {
+    return;
+  }
+
+  // To avoid an extra matchesAny for the common case let's assume no
+  // $genericblock filters apply when searching for a matching $csp filter,
+  // we can double check later if necessary.
+  let specificOnly = false;
+
+  let url = new URL(details.url);
+  let hostname = getDecodedHostname(url);
+  let cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,
+                                           false, null, specificOnly);
+  let page = null;
 
-  browser.webRequest.onHeadersReceived.addListener(details =>
+  if (cspMatch)
   {
-    let hostname = getDecodedHostname(new URL(details.url));
-    let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,
-                                          hostname, false, null, true);
-    if (match instanceof BlockingFilter &&
-        !checkWhitelisted(new ext.Page({id: details.tabId}),
-                          ext.getFrame(details.tabId, details.frameId)))
+    if (details.tabId > -1)
     {
-      details.responseHeaders.push({
-        name: "Content-Security-Policy",
-        // We're blocking WebSockets here by adding a connect-src restriction
-        // since the Chrome extension API does not allow us to intercept them.
-        // https://bugs.chromium.org/p/chromium/issues/detail?id=129353
-        //
-        // We also need the frame-src and object-src restrictions since CSPs
-        // are not inherited from the parent for documents with data: and blob:
-        // URLs, see https://crbug.com/513860.
-        //
-        // We must use the deprecated child-src directive instead of worker-src
-        // since that's not supported yet (as of Chrome 56.)
-        //
-        // "http:" also includes "https:" implictly.
-        // https://www.chromestatus.com/feature/6653486812889088
-        value: "connect-src http:; child-src http:; " +
-               "frame-src http:; object-src http:"
-      });
-      return {responseHeaders: details.responseHeaders};
+      page = new ext.Page({id: details.tabId, url: details.url});
+
+      if (cspMatch instanceof WhitelistFilter)
+      {
+        if (devtools)
+        {
+          devtools.logWhitelistedDocument(page, details.url, typeMap.CSP,
+                                          hostname, cspMatch);

[Sebastian Noack, 2018/03/07 17:27:07]

This is redundant, checkWhitelisted() is already calling
logWhitelistedDocument().

[Sebastian Noack, 2018/03/13 03:58:13]

What is about this comment?

[kzar, 2018/03/13 18:11:01]

Done.

+        }
+        return;
+      }
+
+      let frame = ext.getFrame(details.tabId, details.frameId);
+

[Sebastian Noack, 2018/03/07 17:27:07]

Nit: I think it reads slightly better without a blank line here. Wouldn't insist
though.

[kzar, 2018/03/13 18:11:02]

Done.

+      if (checkWhitelisted(page, frame, typeMap.DOCUMENT | typeMap.CSP))
+        return;
+
+      // We pay the price now for skipping the specificOnly check earlier, we
+      // must check again for a CSP filter, this time making sure it's specific.
+      specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK);
+      if (specificOnly)
+      {
+        cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,
+                                             false, null, specificOnly);
+        if (!(cspMatch instanceof BlockingFilter))
+          return;
+      }
+
+      FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);
+    }
+    // If we don't know the associated tab we'll have to check that if the URL
+    // is whitelisted manually. Things like $sitekey whitelisting and filter hit
+    // logging won't work, but it's the best we can do.
+    else if (cspMatch instanceof WhitelistFilter ||
+             defaultMatcher.whitelist.matchesAny(stringifyURL(url),
+                                                 typeMap.DOCUMENT | typeMap.CSP,
+                                                 hostname))
+    {
+      return;
+    }
+
+    if (devtools)

[Sebastian Noack, 2018/03/07 17:27:07]

Is this check still necessary? IIRC, require('devtools') only returned null on
Safari, where we don't include that module. Now, where we use WebPack it even
gets automatically included as soon as any other module requires it.

[Sebastian Noack, 2018/03/13 03:58:13]

What is about this comment?

[kzar, 2018/03/13 18:11:01]

Done.

+    {
+      devtools.logRequest(page, details.url, "CSP", hostname,
+                          false, null, specificOnly, cspMatch);
     }
-  }, {
-    urls: ["http://*/*", "https://*/*"],
-    // We must also intercept script requests since otherwise Web Workers can
-    // be abused to execute scripts for which our Content Security Policy
-    // won't be injected.
-    // https://github.com/gorhill/uBO-Extra/issues/19
-    types: ["main_frame", "sub_frame", "script"]
-  }, ["blocking", "responseHeaders"]);
-}
+
+    details.responseHeaders.push({
+      name: "Content-Security-Policy",
+      value: cspMatch.csp
+    });
+
+    return {responseHeaders: details.responseHeaders};
+  }
+}, {
+  urls: ["http://*/*", "https://*/*"],
+  types: ["main_frame", "sub_frame", "xmlhttprequest"]
+}, ["blocking", "responseHeaders"]);