[$csp2 adblockpluscore] Issue 6329 - Add the CSP filter type

lib/filterClasses.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-present eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 80 matching lines @@
 /**
  * Regular expression that RegExp filters specified as RegExps should match
  * @type {RegExp}
  */
 Filter.regexpRegExp = /^(@@)?\/.*\/(?:\$~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^,\s]+)?)*)?$/;
 /**
  * Regular expression that options on a RegExp filter should match
  * @type {RegExp}
  */
 Filter.optionsRegExp = /\$(~?[\w-]+(?:=[^,]+)?(?:,~?[\w-]+(?:=[^,]+)?)*)$/;
-
-/**
- * Forbidden Content Security Policy directives
- * @type {Set<string>}
- */
-Filter.cspDirectiveBlacklist = new Set([
-  "base-uri", "referrer", "report-to", "report-uri", "upgrade-insecure-requests"
-]);

[Sebastian Noack, 2018/03/21 16:23:13]

I don't get why we create this Set here, just to turn it into an array, to turn
it into a string to insert into regular expression, below.

IMO, better: Just use an array here, reducing the boilerplate.

IMO, even better: Just use a regular expression literal below. Note that ESLint
won't complain about long lines due to regular expression literals.

[kzar, 2018/03/21 16:58:11]

I created the Set since I figured being about to do
`cspBlacklist.has(directive)` might be useful sometime, but you're right it's
better to keep things simple. Done.

 /**
  * Regular expression that matches an invalid Content Security Policy
  * @type {RegExp}
  */
-Filter.invalidCSPRegExp = new RegExp(
-  "(;|^) ?(" + Array.from(Filter.cspDirectiveBlacklist).join("|") + ")\\b"
-);
+Filter.invalidCSPRegExp = /(;|^) ?(base-uri|referrer|report-to|report-uri|upgrade-insecure-requests)\b/i;
 
 /**
  * Creates a filter of correct type from its text representation - does the
  * basic parsing and calls the right constructor then.
  *
  * @param {string} text   as in Filter()
  * @return {Filter}
  */
 Filter.fromText = function(text)
 {
@@ skipping 671 matching lines @@
         option = option.substr(0, separatorIndex);
       }
       option = option.replace(/-/, "_").toUpperCase();
       if (option in RegExpFilter.typeMap)
       {
         if (contentType == null)
           contentType = 0;
         contentType |= RegExpFilter.typeMap[option];
 
         if (option == "CSP" && typeof value != "undefined")
-        {
-          if (csp)
-            csp.push(value);

[Sebastian Noack, 2018/03/21 16:23:13]

Does that mean that if multiple $csp options are given in the same filter that
they are merged? Any reason for these semantics (assuming my assumption is
correct)? This seems inconsistent with the $domain option (or not?). If you want
to insert multiple policies, you can just separate them by semicolon within the
same option value (or not?).

[kzar, 2018/03/21 16:58:11]

Right.
Well I listed the inability of specifying multiple $csp values for a filter and
the inability to have two $csp filters both apply at the same time in the issue
as known limitations. Manish asked me why we have those limitations, and while
the latter was kind of a pain the former seemed easy enough and so I did it. But
your comment here made me reconsider, I've removed this logic again now.

-          else
-            csp = [value];
-        }
+          csp = value;
       }
       else if (option[0] == "~" && option.substr(1) in RegExpFilter.typeMap)
       {
         if (contentType == null)
           ({contentType} = RegExpFilter.prototype);
         contentType &= ~RegExpFilter.typeMap[option.substr(1)];
       }
       else if (option == "MATCH_CASE")
         matchCase = true;
       else if (option == "~MATCH_CASE")
@@ skipping 12 matching lines @@
         sitekeys = value.toUpperCase();
       else
         return new InvalidFilter(origText, "filter_unknown_option");
     }
   }
 
   try
   {
     if (blocking)
     {
-      if (csp)
-      {
-        csp = csp.join("; ").toLowerCase();

[Sebastian Noack, 2018/03/21 16:23:13]

If we convert the CSP to lower case, shouldn't this rather happen during
normalization? But why do we convert it to lower case in the first place? Is it
guaranteed that all parts of a CSP are case-insensitive?

[kzar, 2018/03/21 16:58:11]

Hmm good point, initially I converted the value to lower case here since we
previously converted it to upper case which broke everything. But since I
adjusted that logic we could instead leave the case alone I suppose. Done.

[kzar, 2018/03/21 16:58:11]

Yes and no.

While I see your logic of course we currently do not normalise the case of the
filter text at normalisation time at all. So if I was to normalise the case of
the $csp option there I would argue we should otherwise normalise the case of
filters there too.

(Yes, it's true that Filter.normalize does not fully normalise filters, that was
part of my argument[1] for not worrying as much about how we normalise
whitespace.)

[1] - https://codereview.adblockplus.org/29680684/#msg7

-
-        if (Filter.invalidCSPRegExp.test(csp))
-          return new InvalidFilter(origText, "filter_invalid_csp");
-      }
+      if (csp && Filter.invalidCSPRegExp.test(csp))
+        return new InvalidFilter(origText, "filter_invalid_csp");
 
       return new BlockingFilter(origText, text, contentType, matchCase, domains,
                                 thirdParty, sitekeys, collapse, csp);
     }
     return new WhitelistFilter(origText, text, contentType, matchCase, domains,
                                thirdParty, sitekeys);
   }
   catch (e)
   {
     return new InvalidFilter(origText, "filter_invalid_regexp");
@@ skipping 238 matching lines @@
  */
 function ElemHideEmulationFilter(text, domains, selector)
 {
   ElemHideBase.call(this, text, domains, selector);
 }
 exports.ElemHideEmulationFilter = ElemHideEmulationFilter;
 
 ElemHideEmulationFilter.prototype = extend(ElemHideBase, {
   type: "elemhideemulation"
 });