/*******************************************************************************
uMatrix - a Chromium browser extension to black/white list requests.
Copyright (C) 2017-2018 Raymond Hill
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see {http://www.gnu.org/licenses/}.
Home: https://github.com/gorhill/uMatrix
*/
'use strict';
/******************************************************************************/
/******************************************************************************/
// Injected into content pages
(function() {

    // Nothing to do when the extension's content-script API object is not
    // available in this context.
    if ( typeof vAPI !== 'object' ) { return; }

    // The "already reported" flag is kept on vAPI: a value already present
    // there is preserved, a missing or falsy one is normalized to false.
    vAPI.selfWorkerSrcReported = vAPI.selfWorkerSrcReported || false;

    // Matches a policy whose child-src or worker-src directive resolves
    // to 'none' before the directive ends (';' or ',').
    const reGoodWorkerSrc = /(?:child|worker)-src[^;,]+?'none'/;

    /**
     * Decide whether a CSP violation event is one uMatrix should report,
     * and if so forward it through vAPI.messaging.
     *
     * @param {SecurityPolicyViolationEvent} ev - the violation event.
     * @returns {boolean} true when the event was recognized as relevant
     *   (whether or not a message was actually sent), false otherwise.
     */
    function reportWorkerSrcViolation(ev) {
        // Only events generated by the browser itself are considered:
        // an event dispatched from script does not have isTrusted === true.
        if ( ev.isTrusted !== true ) { return false; }

        // The policy text must carry the 'report-uri about:blank' marker.
        const policy = ev.originalPolicy;
        if ( !policy.includes('report-uri about:blank') ) { return false; }

        // Firefox and Chromium differ in how they fill the
        // 'effectiveDirective' property, so both spellings are accepted.
        const directive = ev.effectiveDirective;
        const isWorkerDirective =
            directive.startsWith('worker-src') ||
            directive.startsWith('child-src');
        if ( !isWorkerDirective ) { return false; }

        // Further validate that the policy violation is relevant to
        // uMatrix: the event could still have been fired as a result of a
        // CSP header not injected by uMatrix.
        // NOTE(review): both checks are textual matches on the policy; a
        // policy served by the page itself containing the same marker and
        // directive would pass them as well, so the receiver of this
        // message should not treat it as proof the header was uMatrix's.
        if ( !reGoodWorkerSrc.test(policy) ) { return false; }

        // We do not want to report internal resources more than once.
        // However, we do want to report external resources each time.
        // A blocked URI without '://' is treated as internal here.
        // TODO: this could eventually lead to duplicated reports for
        //       external resources if another extension uses the same
        //       approach as uMatrix. Think about what could be done to
        //       avoid duplicate reports.
        const isInternal = !ev.blockedURI.includes('://');
        if ( isInternal ) {
            if ( vAPI.selfWorkerSrcReported ) { return true; }
            vAPI.selfWorkerSrcReported = true;
        }

        // The reported directive is always 'worker-src', whichever of the
        // two directive names the browser put in effectiveDirective.
        const details = {
            what: 'securityPolicyViolation',
            directive: 'worker-src',
            blockedURI: ev.blockedURI,
            documentURI: ev.documentURI,
            blocked: ev.disposition === 'enforce'
        };
        vAPI.messaging.send('contentscript.js', details);

        return true;
    }

    // Registered for the capture phase (third argument `true`). Events
    // recognized by reportWorkerSrcViolation() are stopped from
    // propagating further; all others are left untouched.
    const onViolation = function(ev) {
        if ( reportWorkerSrcViolation(ev) ) {
            ev.stopPropagation();
            ev.preventDefault();
        }
    };

    document.addEventListener('securitypolicyviolation', onViolation, true);

})();