[$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

lib/csp.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-present eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 "use strict";
 
-// The webRequest API doesn't support WebSocket connection blocking in Microsoft
-// Edge and versions of Chrome before 58. Therefore for those we inject CSP
-// headers below as a workaround. See https://crbug.com/129353 and
-// https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10297376/
-if (!browser.webRequest.ResourceType ||
-    !("WEBSOCKET" in browser.webRequest.ResourceType))
+const {defaultMatcher} = require("matcher");
+const {BlockingFilter,
+       RegExpFilter,
+       WhitelistFilter} = require("filterClasses");
+const {getDecodedHostname, stringifyURL} = require("url");
+const {checkWhitelisted} = require("whitelisting");
+const {FilterNotifier} = require("filterNotifier");
+const devtools = require("devtools");
+
+const {typeMap} = RegExpFilter;
+
+browser.webRequest.onHeadersReceived.addListener(details =>
 {
-  const {defaultMatcher} = require("matcher");
-  const {BlockingFilter, RegExpFilter} = require("filterClasses");
-  const {getDecodedHostname} = require("url");
-  const {checkWhitelisted} = require("whitelisting");
+  // Chrome seems to sometimes give the response type of "xmlhttprequest"
+  // instead of "main_frame", but when it does the tabId is always -1 and
+  // the URL matches the initiator's URL (once normalised).
+  // https://bugs.chromium.org/p/chromium/issues/detail?id=805649
+  if (details.type == "xmlhttprequest" &&
+      (details.tabId > -1 || details.initiator &&
+       details.url != new URL(details.initiator).toString()))
+  {
+    return;
+  }
 
-  browser.webRequest.onHeadersReceived.addListener(details =>
+  // To avoid an extra matchesAny for the common case let's assume no
+  // $genericblock filters apply when searching for a matching $csp filter,
+  // we can double check later if necessary.
+  let specificOnly = false;
+
+  let url = new URL(details.url);
+  let hostname = getDecodedHostname(url);
+  let cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,
+                                           false, null, specificOnly);
+  let page = null;
+
+  if (cspMatch)
   {
-    let hostname = getDecodedHostname(new URL(details.url));
-    let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,
-                                          hostname, false, null, true);
-    if (match instanceof BlockingFilter &&
-        !checkWhitelisted(new ext.Page({id: details.tabId}),
-                          ext.getFrame(details.tabId, details.frameId)))
+    if (details.tabId > -1)
     {
-      details.responseHeaders.push({
-        name: "Content-Security-Policy",
-        // We're blocking WebSockets here by adding a connect-src restriction
-        // since the Chrome extension API does not allow us to intercept them.
-        // https://bugs.chromium.org/p/chromium/issues/detail?id=129353
-        //
-        // We also need the frame-src and object-src restrictions since CSPs
-        // are not inherited from the parent for documents with data: and blob:
-        // URLs, see https://crbug.com/513860.
-        //
-        // We must use the deprecated child-src directive instead of worker-src
-        // since that's not supported yet (as of Chrome 56.)
-        //
-        // "http:" also includes "https:" implictly.
-        // https://www.chromestatus.com/feature/6653486812889088
-        value: "connect-src http:; child-src http:; " +
-               "frame-src http:; object-src http:"
-      });
-      return {responseHeaders: details.responseHeaders};
+      page = new ext.Page({id: details.tabId, url: details.url});
+
+      if (cspMatch instanceof WhitelistFilter)
+      {
+        if (devtools)
+        {
+          devtools.logWhitelistedDocument(page, details.url, typeMap.CSP,
+                                          hostname, cspMatch);

[Sebastian Noack, 2018/03/07 17:27:07]

This is redundant, checkWhitelisted() is already calling
logWhitelistedDocument().

[Sebastian Noack, 2018/03/13 03:58:13]

What is about this comment?

[kzar, 2018/03/13 18:11:01]

Done.

+        }
+        return;
+      }
+
+      let frame = ext.getFrame(details.tabId, details.frameId);
+

[Sebastian Noack, 2018/03/07 17:27:07]

Nit: I think it reads slightly better without a blank line here. Wouldn't insist
though.

[kzar, 2018/03/13 18:11:02]

Done.

+      if (checkWhitelisted(page, frame, typeMap.DOCUMENT | typeMap.CSP))
+        return;
+
+      // We pay the price now for skipping the specificOnly check earlier, we
+      // must check again for a CSP filter, this time making sure it's specific.
+      specificOnly = !!checkWhitelisted(page, frame, typeMap.GENERICBLOCK);
+      if (specificOnly)
+      {
+        cspMatch = defaultMatcher.matchesAny(details.url, typeMap.CSP, hostname,
+                                             false, null, specificOnly);
+        if (!(cspMatch instanceof BlockingFilter))
+          return;
+      }
+
+      FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);
     }
-  }, {
-    urls: ["http://*/*", "https://*/*"],
-    // We must also intercept script requests since otherwise Web Workers can
-    // be abused to execute scripts for which our Content Security Policy
-    // won't be injected.
-    // https://github.com/gorhill/uBO-Extra/issues/19
-    types: ["main_frame", "sub_frame", "script"]
-  }, ["blocking", "responseHeaders"]);
-}
+    // If we don't know the associated tab we'll have to check that if the URL
+    // is whitelisted manually. Things like $sitekey whitelisting and filter hit
+    // logging won't work, but it's the best we can do.
+    else if (cspMatch instanceof WhitelistFilter ||
+             defaultMatcher.whitelist.matchesAny(stringifyURL(url),
+                                                 typeMap.DOCUMENT | typeMap.CSP,
+                                                 hostname))
+    {
+      return;
+    }
+
+    if (devtools)

[Sebastian Noack, 2018/03/07 17:27:07]

Is this check still necessary? IIRC, require('devtools') only returned null on
Safari, where we don't include that module. Now, where we use WebPack it even
gets automatically included as soon as any other module requires it.

[Sebastian Noack, 2018/03/13 03:58:13]

What is about this comment?

[kzar, 2018/03/13 18:11:01]

Done.

+    {
+      devtools.logRequest(page, details.url, "CSP", hostname,
+                          false, null, specificOnly, cspMatch);
+    }
+
+    details.responseHeaders.push({
+      name: "Content-Security-Policy",
+      value: cspMatch.csp
+    });
+
+    return {responseHeaders: details.responseHeaders};
+  }
+}, {
+  urls: ["http://*/*", "https://*/*"],
+  types: ["main_frame", "sub_frame", "xmlhttprequest"]
+}, ["blocking", "responseHeaders"]);