lib/csp.js - Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

Delta Between Two Patch Sets: lib/csp.js

Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters (Closed)

Left Patch Set: Make use of stringifyUrl and remove unused WhitelistFilter Created March 14, 2018, 10:45 a.m.

Right Patch Set: Rebased Created March 26, 2018, 6:22 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-present eyeo GmbH	3 * Copyright (C) 2006-present eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12 * GNU General Public License for more details.	12 * GNU General Public License for more details.

13 *	13 *

14 * You should have received a copy of the GNU General Public License	14 * You should have received a copy of the GNU General Public License

15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.	15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

16 */	16 */

17	17

18 "use strict";	18 "use strict";

19	19

20 const {defaultMatcher} = require("matcher");	20 const {defaultMatcher} = require("matcher");

21 const {BlockingFilter, RegExpFilter} = require("filterClasses");	21 const {RegExpFilter, WhitelistFilter} = require("filterClasses");

22 const {getDecodedHostname, stringifyURL} = require("url");	22 const {extractHostFromFrame, getDecodedHostname,

	23 isThirdParty, stringifyURL} = require("url");

23 const {checkWhitelisted} = require("whitelisting");	24 const {checkWhitelisted} = require("whitelisting");

24 const {FilterNotifier} = require("filterNotifier");	25 const {FilterNotifier} = require("filterNotifier");

25 const devtools = require("devtools");	26 const devtools = require("devtools");

26	27

27 const {typeMap} = RegExpFilter;	28 const {typeMap} = RegExpFilter;

28	29

29 browser.webRequest.onHeadersReceived.addListener(details =>	30 browser.webRequest.onHeadersReceived.addListener(details =>

30 {	31 {

31 let url = new URL(details.url);	32 let url = new URL(details.url);

32 let urlString = stringifyURL(url);	33 let urlString = stringifyURL(url);

33 let hostname = getDecodedHostname(url);	34 let parentFrame = ext.getFrame(details.tabId, details.parentFrameId);
Sebastian Noack 2018/03/14 20:19:42 This seems inconsistent with the semantics of requ This seems inconsistent with the semantics of request blocking, where the $domain option refers to the hostname of the parent document. kzar 2018/03/15 13:10:13 Well I suppose with request blocking we are genera Show quoted text On 2018/03/14 20:19:42, Sebastian Noack wrote: > This seems inconsistent with the semantics of request blocking, where the > $domain option refers to the hostname of the parent document. Well I suppose with request blocking we are generally blocking a request, instead of injecting something that will then block child requests (or similar). I'm not sure what else we can do here, do you have any suggestions? Sebastian Noack 2018/03/15 17:14:25 I don't see how the difference between blocking re Show quoted text On 2018/03/15 13:10:13, kzar wrote: > On 2018/03/14 20:19:42, Sebastian Noack wrote: > > This seems inconsistent with the semantics of request blocking, where the > > $domain option refers to the hostname of the parent document. > > Well I suppose with request blocking we are generally blocking a request, > instead of injecting something that will then block child requests (or similar). > I'm not sure what else we can do here, do you have any suggestions? I don't see how the difference between blocking requests vs injecting headers, calls for an inconsistency here. FWIW $popup filters have the same semantics. We have access to the parentFrameId, and can get the parent frame's URL, to make the behavior consistent here. So that \|\|foo.com$csp=...,domain=bar.com, only injects a CSP on foo.com if embedded in a frame on bar.com. kzar 2018/03/15 18:18:44 Done, look OK? Show quoted text On 2018/03/15 17:14:25, Sebastian Noack wrote: > On 2018/03/15 13:10:13, kzar wrote: > > On 2018/03/14 20:19:42, Sebastian Noack wrote: > > > This seems inconsistent with the semantics of request blocking, where the > > > $domain option refers to the hostname of the parent document. > > > > Well I suppose with request blocking we are generally blocking a request, > > instead of injecting something that will then block child requests (or > similar). > > I'm not sure what else we can do here, do you have any suggestions? > > I don't see how the difference between blocking requests vs injecting headers, > calls for an inconsistency here. FWIW $popup filters have the same semantics. > > We have access to the parentFrameId, and can get the parent frame's URL, to make > the behavior consistent here. So that \|\|foo.com$csp=...,domain=bar.com, only > injects a CSP on http://foo.com if embedded in a frame on http://bar.com. Done, look OK?
	35 let hostname = extractHostFromFrame(parentFrame) \|\| getDecodedHostname(url);

	36 let thirdParty = isThirdParty(url, hostname);

	37

34 let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,	38 let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

35 false, null, false);	39 thirdParty, null, false);

36 if (cspMatch)	40 if (cspMatch)

37 {	41 {

38 let page = new ext.Page({id: details.tabId, url: details.url});	42 let page = new ext.Page({id: details.tabId, url: details.url});

39 let frame = ext.getFrame(details.tabId, details.frameId);	43 let frame = ext.getFrame(details.tabId, details.frameId);

40 if (checkWhitelisted(page, frame, typeMap.DOCUMENT \| typeMap.CSP))	44

	45 if (checkWhitelisted(page, frame))

41 return;	46 return;

42	47

43 // To avoid an extra matchesAny for the common case we assumed no	48 // To avoid an extra matchesAny for the common case we assumed no

44 // $genericblock filters applied when searching for a matching $csp filter.	49 // $genericblock filters applied when searching for a matching $csp filter.

45 // We must now pay the price by first checking for a $genericblock filter	50 // We must now pay the price by first checking for a $genericblock filter

46 // and if necessary that our $csp filter is specific.	51 // and if necessary that our $csp filter is specific.

47 let specificOnly = checkWhitelisted(page, frame, typeMap.GENERICBLOCK);	52 let specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK);

48 if (specificOnly)	53 if (specificOnly)

49 {	54 {

50 cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,	55 cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

51 false, null, specificOnly);	56 thirdParty, null, specificOnly);

52 if (!(cspMatch instanceof BlockingFilter))	57 if (!cspMatch)

53 return;	58 return;

54 }	59 }

55	60

	61 devtools.logRequest(page, urlString, "CSP", hostname, thirdParty, null,

	62 specificOnly, cspMatch);

56 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);	63 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);

57 devtools.logRequest(page, urlString, "CSP", hostname, false, null,	64

58 specificOnly, cspMatch);	65 if (cspMatch instanceof WhitelistFilter)

	66 return;

59	67

60 details.responseHeaders.push({	68 details.responseHeaders.push({

61 name: "Content-Security-Policy",	69 name: "Content-Security-Policy",

62 value: cspMatch.csp	70 value: cspMatch.csp

63 });	71 });

64	72

65 return {responseHeaders: details.responseHeaders};	73 return {responseHeaders: details.responseHeaders};

66 }	74 }

67 }, {	75 }, {

68 urls: ["http:///", "https:///"],	76 urls: ["http:///", "https:///"],

69 types: ["main_frame", "sub_frame"]	77 types: ["main_frame", "sub_frame"]

70 }, ["blocking", "responseHeaders"]);	78 }, ["blocking", "responseHeaders"]);

LEFT	RIGHT