Let content script inject failsafe CSP in the DOM.

hackademix · hackademix · commit 6e80d3f13077 · 2018-08-27T18:55:00.000+02:00
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
@@ -0,0 +1,26 @@
+'use strict';
+
+class DocumentCSP {
+  constructor(document) {
+    this.document = document;
+    this.builder = new CapsCSP();
+  }
+  
+  apply(capabilities) {
+    let csp = this.builder;
+    let blocker = csp.buildFromCapabilities(capabilities);
+    if (!blocker) return;
+    
+    let document = this.document;
+    let header = csp.asHeader(blocker);
+    let meta = document.createElementNS("http://www.w3.org/1999/xhtml", "meta");
+    meta.setAttribute("http-equiv", header.name);
+    meta.setAttribute("content", header.value);
+    let parent = document.head || document.documentElement;
+    try {
+      parent.insertBefore(meta, parent.firstChild);
+    } catch (e) {
+      error(e, "Error inserting CSP %s in the DOM", header && header.value);
+    }
+  }
+}
diff --git a/src/content/content.js b/src/content/content.js
@@ -61,14 +61,21 @@
       
       if (!this.perms.DEFAULT || this.perms.tabInfo.unrestricted) {
         this.allows = () => true;
+        this.capabilities =  Object.assign(
+          new Set(["script"]), { has() { return true; } });
+      } else {
+        let perms = this.perms.CURRENT || this.perms.DEFAULT;
+        this.capabilities = new Set(perms.capabilities);
+        new DocumentCSP(document).apply(this.capabilities);
       }
       ns.fire("perms");
     },
     perms: { DEFAULT: null, CURRENT: null, tabInfo: {}, MARKER: "" },
+        
     allows(cap) {
-      let perms = this.perms.CURRENT; 
-      return perms  && perms.capabilities.includes(cap);
+      return this.capabilities && this.capabilities.has(cap);
     },
+    
     getWindowName() {
       return top !== window || !this.perms.MARKER ? window.name
         : window.name.split(this.perms.MARKER + ",").pop();
diff --git a/src/manifest.json b/src/manifest.json
@@ -67,6 +67,9 @@
       "js": [
         "lib/log.js",
         "lib/Messages.js",
+        "lib/CSP.js",
+        "common/CapsCSP.js",
+        "content/DocumentCSP.js",
         "content/onScriptDisabled.js",
         "content/content.js",
         "content/webglHook.js",
