Raymond Hill 7 years ago
parent 35ddcc80eb
commit 6df5e5212c

@ -129,7 +129,7 @@ body .toolbar button.fa {
stroke: none; stroke: none;
} }
#mtxSwitches > li.relevant > svg .dot { #mtxSwitches > li.relevant > svg .dot {
fill: #888; fill: #aaa;
} }
#mtxSwitches > li.switchTrue.relevant > svg .dot { #mtxSwitches > li.switchTrue.relevant > svg .dot {
fill: #eee; fill: #eee;

@ -110,7 +110,7 @@ return {
}, },
clearBrowserCacheCycle: 0, clearBrowserCacheCycle: 0,
cspNoInlineScript: "script-src 'unsafe-eval' blob: *; report-uri about:blank", cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
cspNoWorker: undefined, cspNoWorker: undefined,
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond, updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
firstUpdateAfter: 11 * oneMinute, firstUpdateAfter: 11 * oneMinute,
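Review bot: The new value of `cspNoInlineScript` carries no comment saying what the policy allows and denies, and its exact shape is load-bearing because traffic.js pushes it verbatim into the response header (`csp.push(µm.cspNoInlineScript)` elsewhere in this commit). Suggest `// No 'unsafe-inline': inline scripts and javascript: URLs are blocked; 'unsafe-eval', blob: and any network host remain allowed.` above the line. Note that a bare `*` source does not match `data:` or `filesystem:` scheme URLs, so scripts loaded from those are blocked as well — presumably intended, but worth stating. Dropping `report-uri about:blank` presumably goes together with the script-src branch removed from the securitypolicyviolation handler in contentscript.js; a one-line pointer to that would save the next reader a search.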

@ -30,11 +30,9 @@
if ( typeof vAPI !== 'object' ) { return; } if ( typeof vAPI !== 'object' ) { return; }
vAPI.selfScriptSrcReported = vAPI.selfScriptSrcReported || false;
vAPI.selfWorkerSrcReported = vAPI.selfWorkerSrcReported || false; vAPI.selfWorkerSrcReported = vAPI.selfWorkerSrcReported || false;
var reBadScriptSrc = /script-src[^;,]+?'(?:unsafe-inline|nonce-[^']+)'/, var reGoodWorkerSrc = /(?:child|worker)-src[^;,]+?'none'/;
reGoodWorkerSrc = /(?:child|worker)-src[^;,]+?'none'/;
var handler = function(ev) { var handler = function(ev) {
if ( if (
@ -44,54 +42,38 @@
return false; return false;
} }
// We do not want to report internal resources more than once.
// However, we do want to report external resources each time.
// TODO: this could eventually lead to duplicated reports for external
// resources if another extension uses the same approach as
// uMatrix. Think about what could be done to avoid duplicate
// reports.
var internal = ev.blockedURI.includes('://') === false;
// Firefox and Chromium differs in how they fill the // Firefox and Chromium differs in how they fill the
// 'effectiveDirective' property. Need to normalize here. // 'effectiveDirective' property.
var directive = ev.effectiveDirective; if (
if ( directive.startsWith('script-src') ) { ev.effectiveDirective.startsWith('worker-src') === false &&
if ( internal && vAPI.selfScriptSrcReported ) { return true; } ev.effectiveDirective.startsWith('child-src') === false
directive = 'script-src';
} else if (
directive.startsWith('worker-src') ||
directive.startsWith('child-src')
) { ) {
if ( internal && vAPI.selfWorkerSrcReported ) { return true; }
directive = 'worker-src';
} else {
return false; return false;
} }
// Further validate that the policy violation is relevant to uMatrix: // Further validate that the policy violation is relevant to uMatrix:
// the event still could have been fired as a result of a CSP header // the event still could have been fired as a result of a CSP header
// not injected by uMatrix. // not injected by uMatrix.
if ( directive === 'script-src' ) {
if ( reBadScriptSrc.test(ev.originalPolicy) === true ) {
return false;
}
if ( internal ) {
vAPI.selfScriptSrcReported = true;
}
} else /* if ( directive === 'worker-src' ) */ {
if ( reGoodWorkerSrc.test(ev.originalPolicy) === false ) { if ( reGoodWorkerSrc.test(ev.originalPolicy) === false ) {
return false; return false;
} }
if ( internal ) {
// We do not want to report internal resources more than once.
// However, we do want to report external resources each time.
// TODO: this could eventually lead to duplicated reports for external
// resources if another extension uses the same approach as
// uMatrix. Think about what could be done to avoid duplicate
// reports.
if ( ev.blockedURI.includes('://') === false ) {
if ( vAPI.selfWorkerSrcReported ) { return true; }
vAPI.selfWorkerSrcReported = true; vAPI.selfWorkerSrcReported = true;
} }
}
vAPI.messaging.send( vAPI.messaging.send(
'contentscript.js', 'contentscript.js',
{ {
what: 'securityPolicyViolation', what: 'securityPolicyViolation',
directive: directive, directive: 'worker-src',
blockedURI: ev.blockedURI, blockedURI: ev.blockedURI,
documentURI: ev.documentURI, documentURI: ev.documentURI,
blocked: ev.disposition === 'enforce' blocked: ev.disposition === 'enforce'
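Review bot: The message at `directive: 'worker-src'` hard-codes the directive even though the guard at the top of the handler also lets `child-src` violations through, and the removed comment `Need to normalize here.` was the only hint that this is deliberate; suggest `directive: 'worker-src', // child-src (Firefox) violations are reported as worker-src` so the normalization survives the next edit. The relocated internal-resource test `ev.blockedURI.includes('://') === false` also deserves a line explaining why a missing scheme separator identifies a same-document worker — presumably because browsers reduce non-network blocked URIs to a bare scheme such as `blob`; confirm that holds for both Firefox and Chromium before relying on it for de-duplication. With the script-src branch gone, the early `return false` for any other directive now silently drops those events, so a comment noting that inline-script detection moved to DOM inspection in the collapser would keep the two pieces linked. The handler's registration and return are outside the hunk.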

@ -408,15 +408,15 @@ var collapser = (function() {
(function() { (function() {
if ( if (
vAPI.selfScriptSrcReported !== true && document.querySelector('script:not([src])') !== null ||
document.querySelector('script:not([src])') !== null document.querySelector('a[href^="javascript:"]') !== null ||
document.querySelector('[onabort],[onblur],[oncancel],[oncanplay],[oncanplaythrough],[onchange],[onclick],[onclose],[oncontextmenu],[oncuechange],[ondblclick],[ondrag],[ondragend],[ondragenter],[ondragexit],[ondragleave],[ondragover],[ondragstart],[ondrop],[ondurationchange],[onemptied],[onended],[onerror],[onfocus],[oninput],[oninvalid],[onkeydown],[onkeypress],[onkeyup],[onload],[onloadeddata],[onloadedmetadata],[onloadstart],[onmousedown],[onmouseenter],[onmouseleave],[onmousemove],[onmouseout],[onmouseover],[onmouseup],[onwheel],[onpause],[onplay],[onplaying],[onprogress],[onratechange],[onreset],[onresize],[onscroll],[onseeked],[onseeking],[onselect],[onshow],[onstalled],[onsubmit],[onsuspend],[ontimeupdate],[ontoggle],[onvolumechange],[onwaiting],[onafterprint],[onbeforeprint],[onbeforeunload],[onhashchange],[onlanguagechange],[onmessage],[onoffline],[ononline],[onpagehide],[onpageshow],[onrejectionhandled],[onpopstate],[onstorage],[onunhandledrejection],[onunload],[oncopy],[oncut],[onpaste]') !== null
) { ) {
vAPI.messaging.send('contentscript.js', { vAPI.messaging.send('contentscript.js', {
what: 'securityPolicyViolation', what: 'securityPolicyViolation',
directive: 'script-src', directive: 'script-src',
documentURI: window.location.href documentURI: window.location.href
}); });
vAPI.selfScriptSrcReported = true;
} }
collapser.addMany(document.querySelectorAll('img')); collapser.addMany(document.querySelectorAll('img'));
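Review bot: `script:not([src])` also matches inline `<script>` elements whose `type` is not JavaScript (`application/ld+json`, `text/template` and similar data blocks); those are never subject to `script-src`, so a page that contains only such blocks is reported as having a blocked inline script. Filtering on the element's `type` before reporting removes that false positive; the `a[href^="javascript:"]` test is additionally case-sensitive on the scheme and can use the attribute selector `i` flag, and the on* attribute list is easier to maintain as a named constant than as a one-line literal. The type regex below covers the common JavaScript MIME types only — confirm it against the set the browser actually executes. The IIFE continues past the end of the hunk.
```javascript
// Inline script elements execute only when their type is empty, 'module'
// or a JavaScript MIME type; data blocks (JSON-LD, templates, ...) are
// inert and must not be reported as blocked by script-src.
var reExecutableScriptType = /^(?:module|(?:text|application)\/(?:x-)?(?:ecma|java)script)$/;
var hasInlineScript = function() {
    var scripts = document.querySelectorAll('script:not([src])');
    for ( var i = 0; i < scripts.length; i++ ) {
        var type = (scripts[i].getAttribute('type') || '').trim().toLowerCase();
        if ( type === '' || reExecutableScriptType.test(type) ) { return true; }
    }
    return false;
};
var inlineHandlerSelector = '[onabort],[onblur],[oncancel]' +
    /* … remaining on* attributes, one per entry, as in the hunk … */
    ',[onpaste]';

(function() {
    if (
        hasInlineScript() ||
        document.querySelector('a[href^="javascript:" i]') !== null ||
        document.querySelector(inlineHandlerSelector) !== null
    ) {
        // … unchanged: send the 'script-src' securityPolicyViolation message …
    }
    // … unchanged: collapser.addMany(...) and the rest of the IIFE …
```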

@ -310,8 +310,6 @@ var onHeadersReceived = function(details) {
// blocked by our request handler. // blocked by our request handler.
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) { if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
csp.push(µm.cspNoInlineScript); csp.push(µm.cspNoInlineScript);
} else {
cspReport.push(µm.cspNoInlineScript);
} }
// TODO: Firefox will eventually support `worker-src`: // TODO: Firefox will eventually support `worker-src`:
