More robust policy fetching.

hackademix 2022-02-13 00:16:24 +01:00
parent b6383d248d
commit b27771aef0
3 changed files with 16 additions and 13 deletions


@ -668,6 +668,7 @@ var RequestGuard = (() => {
ns.domPolicy = domPolicy;
if (ns.setup) {
if (ns.syncSetup) ns.syncSetup(domPolicy);
else ns.setup(domPolicy);
} ;
} else {
window.ns = {domPolicy}
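Review bot: The `if (ns.syncSetup) ns.syncSetup(domPolicy); else ns.setup(domPolicy);` dispatch carries no comment saying why `syncSetup` takes precedence, and the reason is only visible in another file of this commit, where `syncSetup` also publishes the policy as `_noScriptPolicy` and appears to ignore calls after the first. I would add `// prefer syncSetup: it applies the policy once and also persists it for subframes` above the inner `if`, and put braces on both branches. The `;` after the closing brace is an empty statement and can go. The enclosing block starts and ends outside the hunk.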


@ -75,10 +75,11 @@
if (this.syncFetchPolicy) {
// extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers
this.syncFetchPolicy();
} else {
this.pendingSyncFetchPolicy = true;
return;
}
this.pendingSyncFetchPolicy = true;
if (!sync) {
queueMicrotask(() => this.fetchPolicy(true));
return;
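Review bot: In the `else` branch, taken when `this.syncFetchPolicy` is not defined yet, the code only sets `pendingSyncFetchPolicy` and, as far as the rendered lines show, returns; nothing in this hunk says what holds back page scripts until that flag is consumed. The comment on the `if` branch states that guarantee for documents without a CSP header, so the deferred path deserves one too, e.g. `// sync fetch not loaded yet: it checks pendingSyncFetchPolicy once defined and runs the fetch then`. The page has lost its +/- markers, so `this.pendingSyncFetchPolicy = true;` shows up twice and I cannot tell which copy is new; if both survive in the new file, one is redundant. The function body continues outside the hunk.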


@ -22,6 +22,9 @@
(window.ns || (window.ns = {})).syncFetchPolicy = function() {
ns.pendingSyncFetchPolicy = false;
ns.syncFetchPolicy = () => {};
let url = document.URL;
// Here we've got no CSP header yet (file: or ftp: URL), we need one
@ -32,18 +35,17 @@
if (window.wrappedJSObject) {
if (top === window) {
let persistentPolicy = null;
ns.syncSetup = policy => {
if (!ns.setup(policy)) return;
if (top === window && window.wrappedJSObject) {
let persistentPolicy = JSON.stringify(policy);
if (persistentPolicy) return;
ns.setup(policy);
persistentPolicy = JSON.stringify(policy);
Object.freeze(persistentPolicy);
try {
Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", {value: cloneInto(persistentPolicy, window)});
} catch(e) {
error(e);
}
}
ns.syncSetup = () => {};
};
} else try {
if (top.wrappedJSObject._noScriptPolicy) {
@ -239,6 +241,5 @@
};
if (ns.pendingSyncFetchPolicy) {
ns.pendingSyncFetchPolicy = false;
ns.syncFetchPolicy();
}
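Review bot: In the second hunk the `catch` around `Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", …)` only logs, while `persistentPolicy` has already been assigned, so the `if (persistentPolicy) return;` guard makes every later `syncSetup` call a no-op and the property is never defined. `wrappedJSObject` is the page's own window and anything on it is reachable by page script, so the frame branch reading `top.wrappedJSObject._noScriptPolicy` should treat what it finds as untrusted input; that branch continues outside the hunk, so I cannot see whether it validates the value. At minimum I would record the failure mode next to the `catch`, `// persisted once; if defineProperty throws, subframes will not find _noScriptPolicy`. `Object.freeze(persistentPolicy)` is a no-op on the string returned by `JSON.stringify` and can be dropped. The result of `ns.setup(policy)` also appears to be ignored on the new side, where one rendered line still tests it with `if (!ns.setup(policy)) return;`.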