From 9ba9c4842298a26b5b842394501619491f382092 Mon Sep 17 00:00:00 2001
From: kkapsner
Date: Sat, 21 Jul 2018 00:32:15 +0200
Subject: [PATCH] Block data URLs instead of their requests
Fixes #211
---
 _locales/de/messages.json | 8 ++++----
 _locales/en/messages.json | 8 ++++----
 lib/dataUrls.js | 33 ++++++++++++---------------------
 lib/settingDefinitions.js | 2 +-
 options/settingsDisplay.js | 2 +-
 releaseNotes.txt | 5 +++--
 6 files changed, 25 insertions(+), 33 deletions(-)
diff --git a/_locales/de/messages.json b/_locales/de/messages.json
index 43384d1..e4c9479 100644
--- a/_locales/de/messages.json
+++ b/_locales/de/messages.json
@@ -725,12 +725,12 @@
 "description": ""
 },
- "blockRequestsFromDataURL_title": {
- "message": "Anfragen von Data-URL Seiten blockieren",
+ "blockDataURLs_title": {
+ "message": "Data-URL Seiten blockieren",
 "description": ""
 },
- "blockRequestsFromDataURL_description": {
- "message": "Data-URL Seiten können nicht gegen Fingerprinting geschützt werden (siehe https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Indem Anfragen von Data-URL Seiten blockiert werden kann verhindert werden, dass der echte Fingerabdruck zu irgendeinem Server gelangt.",
+ "blockDataURLs_description": {
+ "message": "Data-URL Seiten können nicht gegen Fingerprinting geschützt werden (siehe https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Indem Data-URL Seiten blockiert werden kann verhindert werden, dass der echte Fingerabdruck zu irgendeinem Server gelangt.",
 "description": ""
 },
diff --git a/_locales/en/messages.json b/_locales/en/messages.json
index f6237af..f4f6d4a 100644
--- a/_locales/en/messages.json
+++ b/_locales/en/messages.json
@@ -725,12 +725,12 @@
 "description": ""
 },
- "blockRequestsFromDataURL_title": {
- "message": "Block requests from data URL pages",
+ "blockDataURLs_title": {
+ "message": "Block data URL pages",
 "description": ""
 },
- "blockRequestsFromDataURL_description": {
- "message": "Data URL pages cannot be protected against fingerprinting (see https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Blocking requests from them prevents the real fingerprint to reach any server.",
+ "blockDataURLs_description": {
+ "message": "Data URL pages cannot be protected against fingerprinting (see https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Blocking them prevents the real fingerprint to reach any server.",
 "description": ""
 },
diff --git a/lib/dataUrls.js b/lib/dataUrls.js
index b13e12f..c86e137 100644
--- a/lib/dataUrls.js
+++ b/lib/dataUrls.js
@@ -16,34 +16,25 @@
 const logging = require("./logging");
 const settings = require("./settings");
-
- const dataUrlFrames = new Set();
 scope.init = function(){
- browser.webRequest.onBeforeRequest.addListener(
+ browser.webRequest.onHeadersReceived.addListener(
 function(details){
- if (
- details.url.startsWith("data:text")
- ){
- dataUrlFrames.add(details.frameId);
- logging.message("Detected data URL", details);
- }
- else if (
- settings.blockRequestsFromDataURL &&
- dataUrlFrames.has(details.frameId)
- ){
- logging.warning("Blocking request from data-URL frame.", details);
- if (
- settings.get("showNotifications")
- ){
- browser.pageAction.show(details.tabId);
- }
- return {cancel: true};
+ const headers = details.responseHeaders;
+ if (settings.blockDataURLs){
+ logging.verbose("Adding CSP header to", details);
+ headers.push({
+ name: "Content-Security-Policy",
+ value: "object-src *; child-src *"
+ });
 }
+ return {
+ responseHeaders: headers
+ };
 },
 {
 urls: [""]
 },
- ["blocking"]
+ ["blocking", "responseHeaders"]
 );
 };
diff --git a/lib/settingDefinitions.js b/lib/settingDefinitions.js
index 3987d53..5b690c2 100644
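Review bot: The appended policy `object-src *; child-src *` in the `onHeadersReceived` listener only blocks data URLs because a CSP `*` source does not match `data:`, and nothing in the code says so; the same rule also excludes `blob:` and `filesystem:`, so blob-backed frames and workers are presumably refused as well while `blockDataURLs` is on. I would put `// CSP "*" covers network schemes only, so data: (and blob:/filesystem:) frames, workers and objects are refused` above the `headers.push` call and state in the setting description whether the blob: side effect is intended. The listener also returns `responseHeaders` for every matched response even when the setting is off; an early `if (!settings.blockDataURLs){ return {}; }` would keep the extension out of header rewriting in that case. Since the policy is only attached to responses that pass through webRequest, a data URL opened as a top-level page is presumably not covered by this change.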
--- a/lib/settingDefinitions.js
+++ b/lib/settingDefinitions.js
@@ -206,7 +206,7 @@
 }
 },
 {
- name: "blockRequestsFromDataURL",
+ name: "blockDataURLs",
 defaultValue: true
 },
 {
diff --git a/options/settingsDisplay.js b/options/settingsDisplay.js
index 90bf53c..5a8ddff 100644
--- a/options/settingsDisplay.js
+++ b/options/settingsDisplay.js
@@ -381,7 +381,7 @@
 },
 "misc",
 {
- "name": "blockRequestsFromDataURL",
+ "name": "blockDataURLs",
 "displayDependencies": {
 "displayAdvancedSettings": [true]
 }
diff --git a/releaseNotes.txt b/releaseNotes.txt
index 0963347..0740e3d 100644
--- a/releaseNotes.txt
+++ b/releaseNotes.txt
@@ -1,15 +1,16 @@
 Version 0.5.1:
 changes:
- -
+ - instead of blocking requests from data URLs they are blocked themselfes
 new features:
 - new setting: session white list that is cleared on addon load (= browser start)
 fixes:
 - Changes made in the page action were not saved in all Firefox versions
+ - Blocking requests data URLs blocked too much
 known issues:
- - if a data URL request is blocked the page action button appears but shows no content
+ - if a data URL is blocked the page action button does not appear
 Version 0.5.0.1b:
 known issues: