Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[TabGuard] Remove Set-Cookie headers from anonymized requests to prevent unreversible authorization loss.

This commit is contained in:
hackademix 2023-06-09 15:31:30 +02:00
parent 728f9ee9c0
commit abf2bac30e
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/bg/RequestGuard.js
View File

@ -633,7 +633,6 @@ var RequestGuard = (() => {
normalizeRequest(request); normalizeRequest(request);
let result = ALLOW; let result = ALLOW;
let promises = []; let promises = [];
let headersModified = false;
pending.headersProcessed = true; pending.headersProcessed = true;
let {url, documentUrl, tabId, responseHeaders, type} = request; let {url, documentUrl, tabId, responseHeaders, type} = request;
@ -658,6 +657,7 @@ var RequestGuard = (() => {
capabilities && !capabilities.has("script")); capabilities && !capabilities.has("script"));
} }
let header = csp.patchHeaders(responseHeaders, capabilities); let header = csp.patchHeaders(responseHeaders, capabilities);
let headersModified = TabGuard.onReceive(request);
/* /*
// Uncomment me to disable networking-level CSP for debugging purposes // Uncomment me to disable networking-level CSP for debugging purposes
header = null; header = null;

16
src/bg/TabGuard.js
View File

@ -55,6 +55,7 @@ var TabGuard = (() => {
return { return {
forget, forget,
// must be called from a webRequest.onBeforeSendHeaders blocking listener
onSend(request) { onSend(request) {
const mode = ns.sync.TabGuardMode; const mode = ns.sync.TabGuardMode;
if (mode === "off" || !request.incognito && mode!== "global") return; if (mode === "off" || !request.incognito && mode!== "global") return;
@ -200,6 +201,21 @@ var TabGuard = (() => {
return mustFilter ? filterAuth() : null; return mustFilter ? filterAuth() : null;
})(); })();
}, },
// must be called from a webRequest.onHeadersReceived blocking listener
onReceive(request) {
if (!anonymizedRequests.has(request.id)) return false;
let headersModified = false;
let {responseHeaders} = request;
for (let j = responseHeaders.length; j-- > 0;) {
let h = responseHeaders[j];
if (h.name.toLowerCase() === "set-cookie") {
responseHeaders.splice(j, 1);
headersModified = true;
}
}
return headersModified;
},
// must be called after response headers have been processed or the load has been otherwise terminated
onCleanup(request) { onCleanup(request) {
let {requestId, tabId} = request; let {requestId, tabId} = request;
if (scheduledCuts.has(requestId)) { if (scheduledCuts.has(requestId)) {