Unified Diff: lib/csp.js
Issue 29394585:
Issue 5027 - Use updated webRequest API for WebSocket blocking (Closed)
Patch Set: addresses bad comments, and actually fixes requestBlocker logic
Created March 28, 2017, 7:18 p.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« chrome/ext/background.js ('k')
|
lib/requestBlocker.js » ('j')
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: lib/csp.js |
| =================================================================== |
| --- a/lib/csp.js |
| +++ b/lib/csp.js |
| @@ -12,49 +12,56 @@ |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>. |
| */ |
| "use strict"; |
| -const {defaultMatcher} = require("matcher"); |
| -const {BlockingFilter, RegExpFilter} = require("filterClasses"); |
| -const {getDecodedHostname} = require("url"); |
| -const {checkWhitelisted} = require("whitelisting"); |
| +// Versions of Chrome < 58 the webRequest API does not intercept WebSocket |
|
Sebastian Noack
2017/03/28 19:32:29
This seems grammatically wrong. This should rather
Jon Sonesen
2017/03/28 20:10:29
Done.
|
| +// connections see: https://crbug.com/129353 |
| +// |
| +// Hence we inject CSP headers, below, as a workaround. |
|
Sebastian Noack
2017/03/28 19:32:29
IMHO, this shouldn't be a new paragraph, as we eve
Jon Sonesen
2017/03/28 20:10:29
Done.
|
| +if (!("WEBSOCKET" in chrome.webRequest.ResourceType)) |
| +{ |
| + const {defaultMatcher} = require("matcher"); |
| + const {BlockingFilter, RegExpFilter} = require("filterClasses"); |
| + const {getDecodedHostname} = require("url"); |
| + const {checkWhitelisted} = require("whitelisting"); |
| -chrome.webRequest.onHeadersReceived.addListener(details => |
| -{ |
| - let hostname = getDecodedHostname(new URL(details.url)); |
| - let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET, |
| - hostname, false, null, true); |
| - if (match instanceof BlockingFilter && |
| - !checkWhitelisted(new ext.Page({id: details.tabId}), |
| - ext.getFrame(details.tabId, details.frameId))) |
| + chrome.webRequest.onHeadersReceived.addListener(details => |
| { |
| - details.responseHeaders.push({ |
| - name: "Content-Security-Policy", |
| - // We're blocking WebSockets here by adding a connect-src restriction |
| - // since the Chrome extension API does not allow us to intercept them. |
| - // https://bugs.chromium.org/p/chromium/issues/detail?id=129353 |
| - // |
| - // We also need the frame-src and object-src restrictions since CSPs are |
| - // not inherited from the parent for documents with data: and blob: URLs. |
| - // https://bugs.chromium.org/p/chromium/issues/detail?id=513860 |
| - // |
| - // We must use the deprecated child-src directive instead of worker-src |
| - // since that's not supported yet (as of Chrome 56.) |
| - // |
| - // "http:" also includes "https:" implictly. |
| - // https://www.chromestatus.com/feature/6653486812889088 |
| - value: "connect-src http:; child-src http:; frame-src http:; object-src http:" |
| - }); |
| - return {responseHeaders: details.responseHeaders}; |
| - } |
| -}, { |
| - urls: ["http://*/*", "https://*/*"], |
| - // We must also intercept script requests since otherwise Web Workers can |
| - // be abused to execute scripts for which our Content Security Policy |
| - // won't be injected. |
| - // https://github.com/gorhill/uBO-Extra/issues/19 |
| - types: ["main_frame", "sub_frame", "script"] |
| -}, ["blocking", "responseHeaders"]); |
| + let hostname = getDecodedHostname(new URL(details.url)); |
| + let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET, |
| + hostname, false, null, true); |
| + if (match instanceof BlockingFilter && |
| + !checkWhitelisted(new ext.Page({id: details.tabId}), |
| + ext.getFrame(details.tabId, details.frameId))) |
| + { |
| + details.responseHeaders.push({ |
| + name: "Content-Security-Policy", |
| + // We're blocking WebSockets here by adding a connect-src restriction |
| + // since the Chrome extension API does not allow us to intercept them. |
| + // https://bugs.chromium.org/p/chromium/issues/detail?id=129353 |
| + // |
| + // We also need the frame-src and object-src restrictions since CSPs are |
|
Sebastian Noack
2017/03/28 19:32:29
This line still seems too long.
Jon Sonesen
2017/03/28 20:10:29
Done.
|
| + // not inherited from the parent for documents with data and blob URLs. |
|
Sebastian Noack
2017/03/28 19:32:29
As I explained before, please don't remove the col
Jon Sonesen
2017/03/28 20:10:29
Done.
|
| + // https://bugs.chromium.org/p/chromium/issues/detail?id=513860 |
| + // |
| + // We must use the deprecated child-src directive instead of worker-src |
| + // since that's not supported yet (as of Chrome 56.) |
| + // |
| + // "http:" also includes "https:" implictly. |
| + // https://www.chromestatus.com/feature/6653486812889088 |
| + value: "connect-src http:; child-src http:; frame-src http:; object-src http:" |
| + }); |
| + return {responseHeaders: details.responseHeaders}; |
| + } |
| + }, { |
| + urls: ["http://*/*", "https://*/*"], |
| + // We must also intercept script requests since otherwise Web Workers can |
| + // be abused to execute scripts for which our Content Security Policy |
| + // won't be injected. |
| + // https://github.com/gorhill/uBO-Extra/issues/19 |
| + types: ["main_frame", "sub_frame", "script"] |
| + }, ["blocking", "responseHeaders"]); |
| +} |
« no previous file with comments
|
« chrome/ext/background.js ('k')
|
lib/requestBlocker.js » ('j')
|
no next file with comments »
