Unified Diff: lib/csp.js
Issue 29680696:
[$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters (Closed)
Patch Set: Addressed some final nits
Created March 20, 2018, 9:01 a.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« dependencies ('k')
|
lib/devtools.js » ('j')
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: lib/csp.js |
| diff --git a/lib/csp.js b/lib/csp.js |
| index 6e7656d1b552a99a74279fefe5fe037a13a89840..4a425e6b7ba5f196157122a440869d93e36100f1 100644 |
| --- a/lib/csp.js |
| +++ b/lib/csp.js |
| @@ -17,53 +17,62 @@ |
| "use strict"; |
| -// The webRequest API doesn't support WebSocket connection blocking in Microsoft |
| -// Edge and versions of Chrome before 58. Therefore for those we inject CSP |
| -// headers below as a workaround. See https://crbug.com/129353 and |
| -// https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10297376/ |
| -if (!browser.webRequest.ResourceType || |
| - !("WEBSOCKET" in browser.webRequest.ResourceType)) |
| +const {defaultMatcher} = require("matcher"); |
| +const {RegExpFilter, WhitelistFilter} = require("filterClasses"); |
| +const {extractHostFromFrame, getDecodedHostname, |
| + isThirdParty, stringifyURL} = require("url"); |
| +const {checkWhitelisted} = require("whitelisting"); |
| +const {FilterNotifier} = require("filterNotifier"); |
| +const devtools = require("devtools"); |
| + |
| +const {typeMap} = RegExpFilter; |
| + |
| +browser.webRequest.onHeadersReceived.addListener(details => |
| { |
| - const {defaultMatcher} = require("matcher"); |
| - const {BlockingFilter, RegExpFilter} = require("filterClasses"); |
| - const {getDecodedHostname} = require("url"); |
| - const {checkWhitelisted} = require("whitelisting"); |
| + let url = new URL(details.url); |
| + let urlString = stringifyURL(url); |
| + let parentFrame = ext.getFrame(details.tabId, details.parentFrameId); |
| + let hostname = extractHostFromFrame(parentFrame) || getDecodedHostname(url); |
| + let thirdParty = isThirdParty(url, hostname); |
| - browser.webRequest.onHeadersReceived.addListener(details => |
| + let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname, |
| + thirdParty, null, false); |
| + if (cspMatch) |
| { |
| - let hostname = getDecodedHostname(new URL(details.url)); |
| - let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET, |
| - hostname, false, null, true); |
| - if (match instanceof BlockingFilter && |
| - !checkWhitelisted(new ext.Page({id: details.tabId}), |
| - ext.getFrame(details.tabId, details.frameId))) |
| + let page = new ext.Page({id: details.tabId, url: details.url}); |
| + let frame = ext.getFrame(details.tabId, details.frameId); |
| + |
| + if (checkWhitelisted(page, frame)) |
| + return; |
| + |
| + // To avoid an extra matchesAny for the common case we assumed no |
| + // $genericblock filters applied when searching for a matching $csp filter. |
| + // We must now pay the price by first checking for a $genericblock filter |
| + // and if necessary that our $csp filter is specific. |
| + let specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK); |
| + if (specificOnly) |
| { |
| - details.responseHeaders.push({ |
| - name: "Content-Security-Policy", |
| - // We're blocking WebSockets here by adding a connect-src restriction |
| - // since the Chrome extension API does not allow us to intercept them. |
| - // https://bugs.chromium.org/p/chromium/issues/detail?id=129353 |
| - // |
| - // We also need the frame-src and object-src restrictions since CSPs |
| - // are not inherited from the parent for documents with data: and blob: |
| - // URLs, see https://crbug.com/513860. |
| - // |
| - // We must use the deprecated child-src directive instead of worker-src |
| - // since that's not supported yet (as of Chrome 56.) |
| - // |
| - // "http:" also includes "https:" implictly. |
| - // https://www.chromestatus.com/feature/6653486812889088 |
| - value: "connect-src http:; child-src http:; " + |
| - "frame-src http:; object-src http:" |
| - }); |
| - return {responseHeaders: details.responseHeaders}; |
| + cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname, |
| + thirdParty, null, specificOnly); |
| + if (!cspMatch) |
| + return; |
| } |
| - }, { |
| - urls: ["http://*/*", "https://*/*"], |
| - // We must also intercept script requests since otherwise Web Workers can |
| - // be abused to execute scripts for which our Content Security Policy |
| - // won't be injected. |
| - // https://github.com/gorhill/uBO-Extra/issues/19 |
| - types: ["main_frame", "sub_frame", "script"] |
| - }, ["blocking", "responseHeaders"]); |
| -} |
| + |
| + devtools.logRequest(page, urlString, "CSP", hostname, thirdParty, null, |
| + specificOnly, cspMatch); |
| + FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page); |
| + |
| + if (cspMatch instanceof WhitelistFilter) |
| + return; |
| + |
| + details.responseHeaders.push({ |
| + name: "Content-Security-Policy", |
| + value: cspMatch.csp |
| + }); |
| + |
| + return {responseHeaders: details.responseHeaders}; |
| + } |
| +}, { |
| + urls: ["http://*/*", "https://*/*"], |
| + types: ["main_frame", "sub_frame"] |
| +}, ["blocking", "responseHeaders"]); |
« no previous file with comments
|
« dependencies ('k')
|
lib/devtools.js » ('j')
|
no next file with comments »
