lib/csp.js - Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters

Side by Side Diff: lib/csp.js

Issue 29680696: [$csp4 adblockpluschrome] Issue 5241 - Add support for Content Security Policy filters (Closed)

Patch Set: Addressed Sebastian's feedback Created March 19, 2018, 2:40 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-present eyeo GmbH	3 * Copyright (C) 2006-present eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12 * GNU General Public License for more details.	12 * GNU General Public License for more details.

13 *	13 *

14 * You should have received a copy of the GNU General Public License	14 * You should have received a copy of the GNU General Public License

15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.	15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

16 */	16 */

17	17

18 "use strict";	18 "use strict";

19	19

20 // The webRequest API doesn't support WebSocket connection blocking in Microsoft	20 const {defaultMatcher} = require("matcher");

21 // Edge and versions of Chrome before 58. Therefore for those we inject CSP	21 const {RegExpFilter, WhitelistFilter} = require("filterClasses");

22 // headers below as a workaround. See https://crbug.com/129353 and	22 const {extractHostFromFrame, getDecodedHostname,

23 // https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10297376 /	23 isThirdParty, stringifyURL} = require("url");

24 if (!browser.webRequest.ResourceType \|\|	24 const {checkWhitelisted} = require("whitelisting");

25 !("WEBSOCKET" in browser.webRequest.ResourceType))	25 const {FilterNotifier} = require("filterNotifier");

	26 const devtools = require("devtools");

	27

	28 const {typeMap} = RegExpFilter;

	29

	30 browser.webRequest.onHeadersReceived.addListener(details =>

26 {	31 {

27 const {defaultMatcher} = require("matcher");	32 let url = new URL(details.url);

28 const {BlockingFilter, RegExpFilter} = require("filterClasses");	33 let urlString = stringifyURL(url);

29 const {getDecodedHostname} = require("url");	34 let parentFrame = details.parentFrameId != -1 &&
	Sebastian Noack 2018/03/19 22:25:12 Nit: ext.getFrame(details.tabId, -1) just returns Nit: ext.getFrame(details.tabId, -1) just returns undefined, rendering this check redundant. kzar 2018/03/20 09:02:31 Done. Show quoted text On 2018/03/19 22:25:12, Sebastian Noack wrote: > Nit: ext.getFrame(details.tabId, -1) just returns undefined, rendering this > check redundant. Done.
30 const {checkWhitelisted} = require("whitelisting");	35 ext.getFrame(details.tabId, details.parentFrameId);

	36 let hostname = extractHostFromFrame(parentFrame) \|\| getDecodedHostname(url);

	37 let thirdParty = isThirdParty(url, hostname);

31	38

32 browser.webRequest.onHeadersReceived.addListener(details =>	39 let cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

	40 thirdParty, null, false);

	41 if (cspMatch)

33 {	42 {

34 let hostname = getDecodedHostname(new URL(details.url));	43 let page = new ext.Page({id: details.tabId, url: details.url});

35 let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,	44 let frame = ext.getFrame(details.tabId, details.frameId);

36 hostname, false, null, true);	45

37 if (match instanceof BlockingFilter &&	46 if (checkWhitelisted(page, frame))

38 !checkWhitelisted(new ext.Page({id: details.tabId}),	47 return;

39 ext.getFrame(details.tabId, details.frameId)))	48

	49 // To avoid an extra matchesAny for the common case we assumed no

	50 // $genericblock filters applied when searching for a matching $csp filter.

	51 // We must now pay the price by first checking for a $genericblock filter

	52 // and if necessary that our $csp filter is specific.

	53 let specificOnly = checkWhitelisted(page, frame, typeMap.GENERICBLOCK);
	Sebastian Noack 2018/03/19 22:25:12 checkWhitelisted() returns a filter object (or nul checkWhitelisted() returns a filter object (or null). Both, in lib/requestBlocker.js and lib/popupBlocker.js, we turn it into a boolean (using !!), before passing the value to matchesAny(). kzar 2018/03/20 09:02:31 Done. Show quoted text On 2018/03/19 22:25:12, Sebastian Noack wrote: > checkWhitelisted() returns a filter object (or null). > Both, in lib/requestBlocker.js and lib/popupBlocker.js, > we turn it into a boolean (using !!), before passing the value to matchesAny(). Done.
	54 if (specificOnly)

40 {	55 {

41 details.responseHeaders.push({	56 cspMatch = defaultMatcher.matchesAny(urlString, typeMap.CSP, hostname,

42 name: "Content-Security-Policy",	57 thirdParty, null, specificOnly);

43 // We're blocking WebSockets here by adding a connect-src restriction	58 if (!cspMatch)

44 // since the Chrome extension API does not allow us to intercept them.	59 return;

45 // https://bugs.chromium.org/p/chromium/issues/detail?id=129353

46 //

47 // We also need the frame-src and object-src restrictions since CSPs

48 // are not inherited from the parent for documents with data: and blob:

49 // URLs, see https://crbug.com/513860.

50 //

51 // We must use the deprecated child-src directive instead of worker-src

52 // since that's not supported yet (as of Chrome 56.)

53 //

54 // "http:" also includes "https:" implictly.

55 // https://www.chromestatus.com/feature/6653486812889088

56 value: "connect-src http:; child-src http:; " +

57 "frame-src http:; object-src http:"

58 });

59 return {responseHeaders: details.responseHeaders};

60 }	60 }

61 }, {	61

62 urls: ["http:///", "https:///"],	62 devtools.logRequest(page, urlString, "CSP", hostname, thirdParty, null,

63 // We must also intercept script requests since otherwise Web Workers can	63 specificOnly, cspMatch);

64 // be abused to execute scripts for which our Content Security Policy	64

65 // won't be injected.	65 if (cspMatch instanceof WhitelistFilter)

66 // https://github.com/gorhill/uBO-Extra/issues/19	66 return;

67 types: ["main_frame", "sub_frame", "script"]	67

68 }, ["blocking", "responseHeaders"]);	68 FilterNotifier.emit("filter.hitCount", cspMatch, 0, 0, page);
	Sebastian Noack 2018/03/19 22:25:12 This seems inconsistent. For requests, we emit fil This seems inconsistent. For requests, we emit filter.hitCount also if a whitelisting filter matched. For reference, it seems that for popups we don't emit filter.hitCount at all, but IMO this is a bug. kzar 2018/03/20 09:02:31 Done. Show quoted text On 2018/03/19 22:25:12, Sebastian Noack wrote: > This seems inconsistent. For requests, we emit filter.hitCount also if a > whitelisting filter matched. For reference, it seems that for popups we don't > emit filter.hitCount at all, but IMO this is a bug. Done.
69 }	69 details.responseHeaders.push({

	70 name: "Content-Security-Policy",

	71 value: cspMatch.csp

	72 });

	73

	74 return {responseHeaders: details.responseHeaders};

	75 }

	76 }, {

	77 urls: ["http:///", "https:///"],

	78 types: ["main_frame", "sub_frame"]

	79 }, ["blocking", "responseHeaders"]);

OLD	NEW

« no previous file with comments | « dependencies ('k') | lib/devtools.js » ('j') | no next file with comments »