From a742f09dd4ba37d748c962bed171ddd84bf046ea Mon Sep 17 00:00:00 2001 From: gorhill Date: Mon, 6 Feb 2017 15:34:31 -0500 Subject: [PATCH] fix #2360 --- src/js/traffic.js | 62 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 11 deletions(-) diff --git a/src/js/traffic.js b/src/js/traffic.js index 29918bfbe..76c5ae73d 100644 --- a/src/js/traffic.js +++ b/src/js/traffic.js @@ -443,17 +443,22 @@ var processCSP = function(pageStore, details) { blockInlineScript = µb.isBlockResult(inlineScriptResult); } - context.requestType = 'websocket'; µb.staticNetFilteringEngine.matchStringExactType(context, requestURL, 'websocket'); var websocketResult = µb.staticNetFilteringEngine.toResultString(loggerEnabled), blockWebsocket = µb.isBlockResult(websocketResult); + // https://github.com/gorhill/uBlock/issues/2360 + µb.staticNetFilteringEngine.matchStringExactType(context, 'blob:', 'script'); + var workerResult = µb.staticNetFilteringEngine.toResultString(loggerEnabled), + blockWorker = µb.isBlockResult(workerResult); + var headersChanged; - if ( blockInlineScript || blockWebsocket ) { + if ( blockInlineScript || blockWebsocket || blockWorker ) { headersChanged = foilWithCSP( details.responseHeaders, blockInlineScript, - blockWebsocket + blockWebsocket, + blockWorker ); } @@ -480,6 +485,17 @@ var processCSP = function(pageStore, details) { context.pageHostname ); } + if ( workerResult !== '' ) { + µb.logger.writeOne( + tabId, + 'net', + workerResult, + 'worker', + requestURL, + context.rootHostname, + context.pageHostname + ); + } } context.dispose(); @@ -524,26 +540,38 @@ var foilLargeMediaElement = function(pageStore, details) { /******************************************************************************/ -var foilWithCSP = function(headers, noInlineScript, noWebsocket) { - var i = headerIndexFromName('content-security-policy', headers), +var foilWithCSP = function(headers, noInlineScript, noWebsocket, noWorker) { + var me = foilWithCSP, + i = headerIndexFromName('content-security-policy', headers), before = i === -1 ? '' : headers[i].value.trim(), after = before; if ( noInlineScript ) { after = foilWithCSPDirective( after, - /script-src[^;]*;?\s*/, + me.reScriptSrc, "script-src 'unsafe-eval' *", - /'unsafe-inline'\s*|'nonce-[^']+'\s*/g + me.reScriptSrcRemove ); } if ( noWebsocket ) { after = foilWithCSPDirective( after, - /connect-src[^;]*;?\s*/, + me.reConnectSrc, 'connect-src http:', - /wss?:[^\s]*\s*/g + me.reConnectSrcRemove + ); + } + + // https://www.w3.org/TR/CSP2/#directive-child-src + // https://www.w3.org/TR/CSP3/#directive-worker-src + if ( noWorker ) { + after = foilWithCSPDirective( + after, + me.reWorkerSrc, + 'child-src http:', + me.reWorkerSrcRemove ); } @@ -556,9 +584,9 @@ var foilWithCSP = function(headers, noInlineScript, noWebsocket) { // https://w3c.github.io/webappsec-csp/#directive-frame-src after = foilWithCSPDirective( after, - /frame-src[^;]*;?\s*/, + me.reFrameSrc, 'frame-src http:', - /data:[^\s]*\s*|blob:[^\s]*\s*/g + me.reFrameSrcRemove ); } @@ -573,6 +601,18 @@ var foilWithCSP = function(headers, noInlineScript, noWebsocket) { return changed; }; +(function() { + var fn = foilWithCSP; + fn.reScriptSrc = /script-src[^;]*;?\s*/; + fn.reScriptSrcRemove = /'unsafe-inline'\s*|'nonce-[^']+'\s*/g; + fn.reConnectSrc = /connect-src[^;]*;?\s*/; + fn.reConnectSrcRemove = /wss?:[^\s]*\s*/g; + fn.reWorkerSrc = /child-src[^;]*;?\s*/; + fn.reWorkerSrcRemove = /blob:[^\s]*\s*/g; + fn.reFrameSrc = /frame-src[^;]*;?\s*/; + fn.reFrameSrcRemove = /data:[^\s]*\s*|blob:[^\s]*\s*/g; +})(); + /******************************************************************************/ // Past issues to keep in mind: