tridactyl/src/requests.ts

import * as config from "./config"

export function addurltocsp(response) {
    let headers = response["responseHeaders"]
    let cspind = headers.findIndex(
        header => header.name == "Content-Security-Policy",
    )
    // if it's found
    if (cspind > -1) {
        // Split the csp header up so we can manage it individually.
        let csparr = [headers[cspind]["value"].split("; ")][0]

        for (let i = 0; i < csparr.length; i++) {
            // Add 'unsafe-inline' as a directive since we use it
            if (csparr[i].indexOf("style-src") > -1) {
                if (csparr[i].indexOf("'self'") > -1) {
                    csparr[i] = csparr[i].replace(
                        "'self'",
                        "'self' 'unsafe-inline'",
                    )
                }
            }
            // Remove the element if it's a sandbox directive
            if (csparr[i] === "sandbox") {
                csparr.splice(i, 1)
            }
        }
        // Join the header up after clobberin'
        headers[cspind]["value"] = csparr.join("; ")
    }
    return { responseHeaders: headers }
}
Add CSP config option Can only be enabled at runtime; restart is required if you want to disable it. 2018-05-08 17:49:59 +01:00			`import * as config from "./config"`

Improve CSP documentation 2018-05-08 18:15:00 +01:00			`export function addurltocsp(response) {`
Bypass CSP Allows Tridactyl to run on places such as raw.github* until Mozilla fix issue https://bugzilla.mozilla.org/show_bug.cgi?id=1267027. 2017-11-21 13:59:57 +00:00			`let headers = response["responseHeaders"]`
Improve CSP documentation 2018-05-08 18:15:00 +01:00			`let cspind = headers.findIndex(`
			`header => header.name == "Content-Security-Policy",`
			`)`
Bypass CSP Allows Tridactyl to run on places such as raw.github* until Mozilla fix issue https://bugzilla.mozilla.org/show_bug.cgi?id=1267027. 2017-11-21 13:59:57 +00:00			`// if it's found`
			`if (cspind > -1) {`
			`// Split the csp header up so we can manage it individually.`
			`let csparr = [headers[cspind]["value"].split("; ")][0]`

Improve CSP documentation 2018-05-08 18:15:00 +01:00			`for (let i = 0; i < csparr.length; i++) {`
			`// Add 'unsafe-inline' as a directive since we use it`
Bypass CSP Allows Tridactyl to run on places such as raw.github* until Mozilla fix issue https://bugzilla.mozilla.org/show_bug.cgi?id=1267027. 2017-11-21 13:59:57 +00:00			`if (csparr[i].indexOf("style-src") > -1) {`
			`if (csparr[i].indexOf("'self'") > -1) {`
Improve CSP documentation 2018-05-08 18:15:00 +01:00			`csparr[i] = csparr[i].replace(`
			`"'self'",`
			`"'self' 'unsafe-inline'",`
			`)`
Bypass CSP Allows Tridactyl to run on places such as raw.github* until Mozilla fix issue https://bugzilla.mozilla.org/show_bug.cgi?id=1267027. 2017-11-21 13:59:57 +00:00			`}`
			`}`
			`// Remove the element if it's a sandbox directive`
			`if (csparr[i] === "sandbox") {`
Improve CSP documentation 2018-05-08 18:15:00 +01:00			`csparr.splice(i, 1)`
Bypass CSP Allows Tridactyl to run on places such as raw.github* until Mozilla fix issue https://bugzilla.mozilla.org/show_bug.cgi?id=1267027. 2017-11-21 13:59:57 +00:00			`}`
			`}`
			`// Join the header up after clobberin'`
			`headers[cspind]["value"] = csparr.join("; ")`
			`}`
Improve CSP documentation 2018-05-08 18:15:00 +01:00			`return { responseHeaders: headers }`
Add CSP config option Can only be enabled at runtime; restart is required if you want to disable it. 2018-05-08 17:49:59 +01:00			`}`