lib/csp.js - Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

Delta Between Two Patch Sets: lib/csp.js

Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters (Closed)

Left Patch Set: Get devtools logging working Created March 7, 2018, 3 p.m.

Right Patch Set: Rebased Created March 26, 2018, 6:22 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-present eyeo GmbH	3 * Copyright (C) 2006-present eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12 * GNU General Public License for more details.	12 * GNU General Public License for more details.

13 *	13 *

14 * You should have received a copy of the GNU General Public License	14 * You should have received a copy of the GNU General Public License

15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.	15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

16 */	16 */

17	17

18 "use strict";	18 "use strict";

19	19

20 const {defaultMatcher} = require("matcher");	20 const {defaultMatcher} = require("matcher");

21 const {BlockingFilter,	21 const {RegExpFilter, WhitelistFilter} = require("filterClasses");

22 RegExpFilter,	22 const {extractHostFromFrame, getDecodedHostname,

23 WhitelistFilter} = require("filterClasses");	23 isThirdParty, stringifyURL} = require("url");

24 const {getDecodedHostname, stringifyURL} = require("url");

25 const {checkWhitelisted} = require("whitelisting");	24 const {checkWhitelisted} = require("whitelisting");

26 const {FilterNotifier} = require("filterNotifier");	25 const {FilterNotifier} = require("filterNotifier");

27 const devtools = require("devtools");	26 const devtools = require("devtools");

28	27

29 const {typeMap} = RegExpFilter;	28 const {typeMap} = RegExpFilter;

30	29

31 browser.webRequest.onHeadersReceived.addListener(details =>	30 browser.webRequest.onHeadersReceived.addListener(details =>

32 {	31 {

33 // Chrome seems to sometimes give the response type of "xmlhttprequest"	32 let url = new URL(details.url);

34 // instead of "main_frame", but when it does the tabId is always -1 and	33 let urlString = stringifyURL(url);

35 // the URL matches the initiator's URL (once normalised).	34 let parentFrame = ext.getFrame(details.tabId, details.parentFrameId);

36 // https://bugs.chromium.org/p/chromium/issues/detail?id=805649	35 let hostname = extractHostFromFrame(parentFrame) \|\| getDecodedHostname(url);

37 if (details.type == "xmlhttprequest" &&	36 let thirdParty = isThirdParty(url, hostname);

38 (details.tabId > -1 \|\| details.initiator &&

39 details.url != new URL(details.initiator).toString()))

40 {

41 return;

42 }

43	37

44 // To avoid an extra matchesAny for the common case let's assume no	38 let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

45 // $genericblock filters apply when searching for a matching $csp filter,	39 thirdParty, null, false);

46 // we can double check later if necessary.

47 let specificOnly = false;

48

49 let url = new URL(details.url);

50 let hostname = getDecodedHostname(url);

51 let cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,

52 false, null, specificOnly);

53 let page = null;

54

55 if (cspMatch)	40 if (cspMatch)

56 {	41 {

57 if (details.tabId > -1)	42 let page = new ext.Page({id: details.tabId, url: details.url});

	43 let frame = ext.getFrame(details.tabId, details.frameId);

	44

	45 if (checkWhitelisted(page, frame))

	46 return;

	47

	48 // To avoid an extra matchesAny for the common case we assumed no

	49 // $genericblock filters applied when searching for a matching $csp filter.

	50 // We must now pay the price by first checking for a $genericblock filter

	51 // and if necessary that our $csp filter is specific.

	52 let specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK);

	53 if (specificOnly)

58 {	54 {

59 page = new ext.Page({id: details.tabId, url: details.url});	55 cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

60	56 thirdParty, null, specificOnly);

61 if (cspMatch instanceof WhitelistFilter)	57 if (!cspMatch)

62 {

63 if (devtools)

64 {

65 devtools.logWhitelistedDocument(page, details.url, typeMap.CSP,

66 hostname, cspMatch);
Sebastian Noack 2018/03/07 17:27:07 This is redundant, checkWhitelisted() is already c This is redundant, checkWhitelisted() is already calling logWhitelistedDocument(). Sebastian Noack 2018/03/13 03:58:13 What is about this comment? Show quoted text On 2018/03/07 17:27:07, Sebastian Noack wrote: > This is redundant, checkWhitelisted() is already calling > logWhitelistedDocument(). What is about this comment? kzar 2018/03/13 18:11:01 Done. Show quoted text On 2018/03/07 17:27:07, Sebastian Noack wrote: > This is redundant, checkWhitelisted() is already calling > logWhitelistedDocument(). Done.
67 }

68 return;	58 return;

69 }

70

71 let frame = ext.getFrame(details.tabId, details.frameId);

72
Sebastian Noack 2018/03/07 17:27:07 Nit: I think it reads slightly better without a bl Nit: I think it reads slightly better without a blank line here. Wouldn't insist though. kzar 2018/03/13 18:11:02 Done. Show quoted text On 2018/03/07 17:27:07, Sebastian Noack wrote: > Nit: I think it reads slightly better without a blank line here. Wouldn't insist > though. Done.
73 if (checkWhitelisted(page, frame, typeMap.DOCUMENT \| typeMap.CSP))

74 return;

75

76 // We pay the price now for skipping the specificOnly check earlier, we

77 // must check again for a CSP filter, this time making sure it's specific.

78 specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK);

79 if (specificOnly)

80 {

81 cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,

82 false, null, specificOnly);

83 if (!(cspMatch instanceof BlockingFilter))

84 return;

85 }

86

87 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);

88 }

89 // If we don't know the associated tab we'll have to check that if the URL

90 // is whitelisted manually. Things like $sitekey whitelisting and filter hit

91 // logging won't work, but it's the best we can do.

92 else if (cspMatch instanceof WhitelistFilter \|\|

93 defaultMatcher.whitelist.matchesAny(stringifyURL(url),

94 typeMap.DOCUMENT \| typeMap.CSP,

95 hostname))

96 {

97 return;

98 }	59 }

99	60

100 if (devtools)	61 devtools.logRequest(page, urlString, "CSP", hostname, thirdParty, null,
Sebastian Noack 2018/03/07 17:27:07 Is this check still necessary? IIRC, require('devt Is this check still necessary? IIRC, require('devtools') only returned null on Safari, where we don't include that module. Now, where we use WebPack it even gets automatically included as soon as any other module requires it. Sebastian Noack 2018/03/13 03:58:13 What is about this comment? Show quoted text On 2018/03/07 17:27:07, Sebastian Noack wrote: > Is this check still necessary? IIRC, require('devtools') only returned null on > Safari, where we don't include that module. Now, where we use WebPack it even > gets automatically included as soon as any other module requires it. What is about this comment? kzar 2018/03/13 18:11:01 Done. Show quoted text On 2018/03/07 17:27:07, Sebastian Noack wrote: > Is this check still necessary? IIRC, require('devtools') only returned null on > Safari, where we don't include that module. Now, where we use WebPack it even > gets automatically included as soon as any other module requires it. Done.
101 {	62 specificOnly, cspMatch);

102 devtools.logRequest(page, details.url, "CSP", hostname,	63 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);

103 false, null, specificOnly, cspMatch);	64

104 }	65 if (cspMatch instanceof WhitelistFilter)

	66 return;

105	67

106 details.responseHeaders.push({	68 details.responseHeaders.push({

107 name: "Content-Security-Policy",	69 name: "Content-Security-Policy",

108 value: cspMatch.csp	70 value: cspMatch.csp

109 });	71 });

110	72

111 return {responseHeaders: details.responseHeaders};	73 return {responseHeaders: details.responseHeaders};

112 }	74 }

113 }, {	75 }, {

114 urls: ["http:///", "https:///"],	76 urls: ["http:///", "https:///"],

115 types: ["main_frame", "sub_frame", "xmlhttprequest"]	77 types: ["main_frame", "sub_frame"]

116 }, ["blocking", "responseHeaders"]);	78 }, ["blocking", "responseHeaders"]);

LEFT	RIGHT