
fix ##773 + added logger output for CSP modification

gorhill 7 years ago
8608b29ded
  1. 1
      src/js/logger-ui.js
  2. 49
      src/js/traffic.js

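--- a/src/js/logger-ui.js
+++ b/src/js/logger-ui.js
@@ -51,6 +51,7 @@ var prettyRequestTypes = {
 var dontEmphasizeSet = new Set([
 'COOKIE',
+'CSP',
 'REFERER'
 ]);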
49
src/js/traffic.js

@ -212,9 +212,9 @@ var onBeforeSendHeadersHandler = function(details) {
headerIndex !== -1 && headerIndex !== -1 &&
µm.mustBlock(rootHostname, requestHostname, 'cookie') µm.mustBlock(rootHostname, requestHostname, 'cookie')
) { ) {
modified = true;
headerValue = requestHeaders[headerIndex].value; headerValue = requestHeaders[headerIndex].value;
requestHeaders.splice(headerIndex, 1); requestHeaders.splice(headerIndex, 1);
modified = true;
µm.cookieHeaderFoiledCounter++; µm.cookieHeaderFoiledCounter++;
if ( requestType === 'doc' ) { if ( requestType === 'doc' ) {
µm.logger.writeOne(tabId, 'net', '', headerValue, 'COOKIE', true); µm.logger.writeOne(tabId, 'net', '', headerValue, 'COOKIE', true);
@ -236,7 +236,10 @@ var onBeforeSendHeadersHandler = function(details) {
// "Origin header field." // "Origin header field."
// https://github.com/gorhill/uMatrix/issues/358 // https://github.com/gorhill/uMatrix/issues/358
// Do not spoof `Origin` header for the time being. This will be revisited.
// Do not spoof `Origin` header for the time being.
// https://github.com/gorhill/uMatrix/issues/773
// For non-GET requests, remove `Referer` header instead of spoofing it.
headerIndex = headerIndexFromName('referer', requestHeaders); headerIndex = headerIndexFromName('referer', requestHeaders);
if ( headerIndex !== -1 ) { if ( headerIndex !== -1 ) {
@ -247,17 +250,24 @@ var onBeforeSendHeadersHandler = function(details) {
) { ) {
var toDomain = µmuri.domainFromHostname(requestHostname); var toDomain = µmuri.domainFromHostname(requestHostname);
if ( toDomain !== '' && toDomain !== µmuri.domainFromURI(headerValue) ) { if ( toDomain !== '' && toDomain !== µmuri.domainFromURI(headerValue) ) {
var newValue = requestScheme + '://' + requestHostname + '/';
requestHeaders[headerIndex].value = newValue;
modified = true; modified = true;
var newValue;
if ( details.method === 'GET' ) {
newValue = requestHeaders[headerIndex].value =
requestScheme + '://' + requestHostname + '/';
} else {
requestHeaders.splice(headerIndex, 1);
}
µm.refererHeaderFoiledCounter++; µm.refererHeaderFoiledCounter++;
if ( requestType === 'doc' ) { if ( requestType === 'doc' ) {
µm.logger.writeOne(tabId, 'net', '', headerValue, 'REFERER', true); µm.logger.writeOne(tabId, 'net', '', headerValue, 'REFERER', true);
if ( newValue !== undefined ) {
µm.logger.writeOne(tabId, 'net', '', newValue, 'REFERER', false); µm.logger.writeOne(tabId, 'net', '', newValue, 'REFERER', false);
} }
} }
} }
} }
}
if ( modified ) { if ( modified ) {
return { requestHeaders: requestHeaders }; return { requestHeaders: requestHeaders };
@ -276,14 +286,10 @@ var onBeforeSendHeadersHandler = function(details) {
var onHeadersReceived = function(details) { var onHeadersReceived = function(details) {
// Ignore schemes other than 'http...' // Ignore schemes other than 'http...'
var requestURL = details.url;
if ( requestURL.lastIndexOf('http', 0) !== 0 ) {
return;
}
var µm = µMatrix;
var tabId = details.tabId;
var requestType = requestTypeNormalizer[details.type] || 'other';
var µm = µMatrix,
tabId = details.tabId,
requestURL = details.url,
requestType = requestTypeNormalizer[details.type] || 'other';
// https://github.com/gorhill/uMatrix/issues/145 // https://github.com/gorhill/uMatrix/issues/145
// Check if the main_frame is a download // Check if the main_frame is a download
@ -292,9 +298,7 @@ var onHeadersReceived = function(details) {
} }
var tabContext = µm.tabContextManager.lookup(tabId); var tabContext = µm.tabContextManager.lookup(tabId);
if ( tabContext === null ) {
return;
}
if ( tabContext === null ) { return; }
if ( µm.mustAllow(tabContext.rootHostname, µm.URI.hostnameFromURI(requestURL), 'script') ) { if ( µm.mustAllow(tabContext.rootHostname, µm.URI.hostnameFromURI(requestURL), 'script') ) {
return; return;
@ -305,20 +309,21 @@ var onHeadersReceived = function(details) {
// We block only inline-script tags, all the external javascript will be // We block only inline-script tags, all the external javascript will be
// blocked by our request handler. // blocked by our request handler.
var csp = "script-src 'unsafe-eval' *",
var csp = "script-src 'unsafe-eval' blob: *",
headers = details.responseHeaders, headers = details.responseHeaders,
i = headerIndexFromName('content-security-policy', headers); i = headerIndexFromName('content-security-policy', headers);
// A CSP header is already present: just add our own directive as a // A CSP header is already present: just add our own directive as a
// separate disposition (i.e. use comma). // separate disposition (i.e. use comma).
if ( i !== -1 ) { if ( i !== -1 ) {
csp = headers[i].value.trim() + ', ' + csp;
headers.splice(i, 1);
headers[i].value += ', ' + csp;
} else {
headers.push({ name: 'Content-Security-Policy', value: csp });
}
if ( requestType === 'doc' ) {
µm.logger.writeOne(tabId, 'net', '', csp, 'CSP', false);
} }
// TODO: We are currently forced to add the CSP header at the end of the
// headers array, because this is what the platform specific code
// expect (Firefox).
headers.push({ name: 'Content-Security-Policy', value: csp });
return { responseHeaders: headers }; return { responseHeaders: headers };
}; };
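Review bot: The early return for non-http(s) responses (`if ( requestURL.lastIndexOf('http', 0) !== 0 ) { return; }`) is dropped from the top of onHeadersReceived in the `-276,14 +286,10` hunk and no replacement guard is visible anywhere in this section, so unless the listener is registered with an http/https-only `urls` filter, the Content-Security-Policy injection at the end of the function now also runs for responses on other schemes. If the filtering does happen at registration, a one-line comment at the start of the function, `// Scheme filtering (http/https only) is done where this listener is registered.`, would record why the guard was removed; if it does not, the original check should be restored. A smaller point in the last hunk: `headers[i].value.trim() + ', ' + csp` yields a leading `, ` when the existing header value is blank, so guarding with `if ( headers[i].value.trim() !== '' )` before concatenating would keep the merged header tidy. onHeadersReceived begins and ends outside the visible hunks.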
