CanvasBlocker/lib/dataUrls.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
(function(){
	"use strict";
	
	var scope;
	if ((typeof exports) !== "undefined"){
		scope = exports;
	}
	else {
		window.scope.dataUrls = {};
		scope = window.scope.dataUrls;
	}
	
	const logging = require("./logging");
	const settings = require("./settings");
	let canMergeHeader = false;
	browser.runtime.getBrowserInfo().then(function(info){
		canMergeHeader = parseInt(info.version.replace(/\..+/, ""), 10) > 59;
	});
	function setHeader(headers, header){
		if (canMergeHeader){
			headers.push(header);
		}
		else {
			const headerName = header.name.toLowerCase();
			const presentHeader = headers.filter(function(h){
				return h.name.toLowerCase() === headerName;
			});
			if (presentHeader.length){
				presentHeader[0].value += ", " + header.value;
			}
			else {
				headers.push(header);
			}
		}
	}
	
	scope.init = function(){
		const cspMatch = "blob: filesystem: *";
		browser.webRequest.onHeadersReceived.addListener(
			function(details){
				const headers = details.responseHeaders;
				if (settings.blockDataURLs){
					logging.verbose("Adding CSP header to", details);
					setHeader(headers, {
						name: "Content-Security-Policy",
						value: `object-src ${cspMatch}; frame-src ${cspMatch}; worker-src ${cspMatch}; child-src ${cspMatch}` +
							"report-to https://canvasblocker.invalid/; report-uri https://canvasblocker.invalid/"
					});
				}
				return {
					responseHeaders: headers
				};
			},
			{
				urls: ["<all_urls>"],
				types: ["main_frame", "sub_frame", "object"]
			},
			["blocking", "responseHeaders"]
		);
	};

}());
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`
			`(function(){`
			`"use strict";`

			`var scope;`
			`if ((typeof exports) !== "undefined"){`
			`scope = exports;`
			`}`
			`else {`
			`window.scope.dataUrls = {};`
			`scope = window.scope.dataUrls;`
			`}`

			`const logging = require("./logging");`
			`const settings = require("./settings");`
Optimized CSP 2018-07-24 21:30:57 +02:00			`let canMergeHeader = false;`
			`browser.runtime.getBrowserInfo().then(function(info){`
			`canMergeHeader = parseInt(info.version.replace(/\..+/, ""), 10) > 59;`
			`});`
			`function setHeader(headers, header){`
			`if (canMergeHeader){`
			`headers.push(header);`
			`}`
			`else {`
			`const headerName = header.name.toLowerCase();`
			`const presentHeader = headers.filter(function(h){`
			`return h.name.toLowerCase() === headerName;`
			`});`
			`if (presentHeader.length){`
			`presentHeader[0].value += ", " + header.value;`
			`}`
			`else {`
			`headers.push(header);`
			`}`
			`}`
			`}`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00
			`scope.init = function(){`
Allow blob and filesystem schemes They are protected and do not need to be blocked (like data-URLs). Fixes #212 and fixes #213. 2018-07-21 13:25:15 +02:00			`const cspMatch = "blob: filesystem: *";`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`browser.webRequest.onHeadersReceived.addListener(`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`function(details){`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`const headers = details.responseHeaders;`
			`if (settings.blockDataURLs){`
			`logging.verbose("Adding CSP header to", details);`
Optimized CSP 2018-07-24 21:30:57 +02:00			`setHeader(headers, {`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`name: "Content-Security-Policy",`
Optimized CSP 2018-07-24 21:30:57 +02:00			value: `object-src ${cspMatch}; frame-src ${cspMatch}; worker-src ${cspMatch}; child-src ${cspMatch}` +
			`"report-to https://canvasblocker.invalid/; report-uri https://canvasblocker.invalid/"`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`});`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`}`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`return {`
			`responseHeaders: headers`
			`};`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`},`
			`{`
Inject CSP only in the relevant requests. Prevents detection of CB. 2018-07-21 19:34:24 +02:00			`urls: ["<all_urls>"],`
			`types: ["main_frame", "sub_frame", "object"]`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`},`
Block data URLs instead of their requests Fixes #211 2018-07-21 00:32:15 +02:00			`["blocking", "responseHeaders"]`
"Protect" data URL pages by blocking outgoing requests Fixes #208 2018-07-16 00:14:44 +02:00			`);`
			`};`

			`}());`