lib/csp.js - Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

Side by Side Diff: lib/csp.js

Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters (Closed)

Patch Set: Use extractHostFromFrame and attempt to match $csp exceptions non-recursively Created March 16, 2018, 12:43 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-present eyeo GmbH	3 * Copyright (C) 2006-present eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12 * GNU General Public License for more details.	12 * GNU General Public License for more details.

13 *	13 *

14 * You should have received a copy of the GNU General Public License	14 * You should have received a copy of the GNU General Public License

15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.	15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

16 */	16 */

17	17

18 "use strict";	18 "use strict";

19	19

20 // The webRequest API doesn't support WebSocket connection blocking in Microsoft	20 const {defaultMatcher} = require("matcher");

21 // Edge and versions of Chrome before 58. Therefore for those we inject CSP	21 const {BlockingFilter, RegExpFilter} = require("filterClasses");

22 // headers below as a workaround. See https://crbug.com/129353 and	22 const {extractHostFromFrame, getDecodedHostname,

23 // https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10297376 /	23 isThirdParty, stringifyURL} = require("url");

24 if (!browser.webRequest.ResourceType \|\|	24 const {checkWhitelisted} = require("whitelisting");

25 !("WEBSOCKET" in browser.webRequest.ResourceType))	25 const {FilterNotifier} = require("filterNotifier");

	26 const devtools = require("devtools");

	27

	28 const {typeMap} = RegExpFilter;

	29

	30 browser.webRequest.onHeadersReceived.addListener(details =>

26 {	31 {

27 const {defaultMatcher} = require("matcher");	32 let url = new URL(details.url);

28 const {BlockingFilter, RegExpFilter} = require("filterClasses");	33 let urlString = stringifyURL(url);

29 const {getDecodedHostname} = require("url");

30 const {checkWhitelisted} = require("whitelisting");

31	34

32 browser.webRequest.onHeadersReceived.addListener(details =>	35 let parentFrame = details.parentFrameId != -1 &&

	36 ext.getFrame(details.tabId, details.parentFrameId);

	37 let hostname = extractHostFromFrame(parentFrame);

	38 let thirdParty = false;

	39 if (hostname)

	40 thirdParty = isThirdParty(url, hostname);

	41 else

	42 hostname = getDecodedHostname(url);
	Sebastian Noack 2018/03/16 23:52:38 Is this micro-optimization worth it? Otherwise, th Is this micro-optimization worth it? Otherwise, this code could be simplified: let hostname = extractHostFromFrame(parentFrame) \|\| getDecodedHostname(url); let thirdParty = isThirdParty(url, hostname); kzar 2018/03/19 14:41:30 Done. Show quoted text On 2018/03/16 23:52:38, Sebastian Noack wrote: > Is this micro-optimization worth it? Otherwise, this code could be simplified: > > let hostname = extractHostFromFrame(parentFrame) \|\| getDecodedHostname(url); > let thirdParty = isThirdParty(url, hostname); Done.
	43

	44 let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

	45 thirdParty, null, false);

	46 if (cspMatch)

33 {	47 {

34 let hostname = getDecodedHostname(new URL(details.url));	48 let page = new ext.Page({id: details.tabId, url: details.url});

35 let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,	49 let frame = ext.getFrame(details.tabId, details.frameId);

36 hostname, false, null, true);	50

37 if (match instanceof BlockingFilter &&	51 // To avoid an extra matchesAny for the common case we assumed no

38 !checkWhitelisted(new ext.Page({id: details.tabId}),	52 // $genericblock filters applied when searching for a matching $csp filter.

39 ext.getFrame(details.tabId, details.frameId)))	53 // We must now pay the price by first checking for a $genericblock filter

	54 // and if necessary that our $csp filter is specific.

	55 let specificOnly = checkWhitelisted(page, frame, typeMap.GENERICBLOCK);

	56 if (specificOnly)

40 {	57 {

41 details.responseHeaders.push({	58 cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

42 name: "Content-Security-Policy",	59 thirdParty, null, specificOnly);

43 // We're blocking WebSockets here by adding a connect-src restriction	60 if (!cspMatch)

44 // since the Chrome extension API does not allow us to intercept them.	61 return;

45 // https://bugs.chromium.org/p/chromium/issues/detail?id=129353

46 //

47 // We also need the frame-src and object-src restrictions since CSPs

48 // are not inherited from the parent for documents with data: and blob:

49 // URLs, see https://crbug.com/513860.

50 //

51 // We must use the deprecated child-src directive instead of worker-src

52 // since that's not supported yet (as of Chrome 56.)

53 //

54 // "http:" also includes "https:" implictly.

55 // https://www.chromestatus.com/feature/6653486812889088

56 value: "connect-src http:; child-src http:; " +

57 "frame-src http:; object-src http:"

58 });

59 return {responseHeaders: details.responseHeaders};

60 }	62 }

61 }, {	63

62 urls: ["http:///", "https:///"],	64 devtools.logRequest(page, urlString, "CSP", hostname, thirdParty, null,

63 // We must also intercept script requests since otherwise Web Workers can	65 specificOnly, cspMatch);

64 // be abused to execute scripts for which our Content Security Policy	66

65 // won't be injected.	67 if (checkWhitelisted(page, frame))
	Sebastian Noack 2018/03/16 23:52:39 Why not doing this check earlier? Why not doing this check earlier? kzar 2018/03/19 14:41:30 Done. Show quoted text On 2018/03/16 23:52:39, Sebastian Noack wrote: > Why not doing this check earlier? Done.
66 // https://github.com/gorhill/uBO-Extra/issues/19	68 return;

67 types: ["main_frame", "sub_frame", "script"]	69

68 }, ["blocking", "responseHeaders"]);	70 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);

69 }	71

	72 details.responseHeaders.push({
	Sebastian Noack 2018/03/16 23:52:38 It seems this code path is reached if cspMatch is It seems this code path is reached if cspMatch is a whitelisting filter. kzar 2018/03/19 14:41:30 Done. Show quoted text On 2018/03/16 23:52:38, Sebastian Noack wrote: > It seems this code path is reached if cspMatch is a whitelisting filter. Done.
	73 name: "Content-Security-Policy",

	74 value: cspMatch.csp

	75 });

	76

	77 return {responseHeaders: details.responseHeaders};

	78 }

	79 }, {

	80 urls: ["http:///", "https:///"],

	81 types: ["main_frame", "sub_frame"]

	82 }, ["blocking", "responseHeaders"]);

OLD	NEW

« no previous file with comments | « dependencies ('k') | lib/devtools.js » ('j') | lib/requestBlocker.js » ('J')