[epiphany/pgriffis/web-extension/csp] WebExtensions: Properly set the Content-Security-Policy

From: Marge Bot <marge-bot src gnome org>
To: commits-list gnome org
Cc:
Subject: [epiphany/pgriffis/web-extension/csp] WebExtensions: Properly set the Content-Security-Policy
Date: Fri, 15 Jul 2022 19:15:00 +0000 (UTC)

commit 74e1a69cb5965cf8f79317a483711c5aafa10f64
Author: Patrick Griffis <pgriffis igalia com>
Date:   Tue Jun 21 18:57:32 2022 -0500

    WebExtensions: Properly set the Content-Security-Policy
    
    Fixes #1777
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1151>

 src/webextension/ephy-web-extension-manager.c |  2 ++
 src/webextension/ephy-web-extension.c         | 13 +++++++++++++
 src/webextension/ephy-web-extension.h         |  2 ++
 3 files changed, 17 insertions(+)
---
diff --git a/src/webextension/ephy-web-extension-manager.c b/src/webextension/ephy-web-extension-manager.c
index be0116b66..81d446983 100644
--- a/src/webextension/ephy-web-extension-manager.c
+++ b/src/webextension/ephy-web-extension-manager.c
@@ -1016,6 +1016,8 @@ ephy_web_extensions_manager_create_web_extensions_webview (EphyWebExtension *web
                            "web-context", web_context,
                            "settings", settings,
                            "related-view", ephy_web_extension_manager_get_background_web_view (manager, 
web_extension),
+                           "default-content-security-policy", ephy_web_extension_get_content_security_policy 
(web_extension),
+                           "web-extension-mode", WEBKIT_WEB_EXTENSION_MODE_MANIFESTV2,
                            NULL);
 
   webkit_web_view_set_cors_allowlist (WEBKIT_WEB_VIEW (web_view), ephy_web_extension_get_host_permissions 
(web_extension));
diff --git a/src/webextension/ephy-web-extension.c b/src/webextension/ephy-web-extension.c
index e876f94ed..85fdfa050 100644
--- a/src/webextension/ephy-web-extension.c
+++ b/src/webextension/ephy-web-extension.c
@@ -90,6 +90,7 @@ struct _EphyWebExtension {
   char *short_name;
   char *version;
   char *homepage_url;
+  char *content_security_policy;
   GList *icons;
   GList *content_scripts;
   char *background_page;
@@ -338,6 +339,12 @@ ephy_web_extension_get_author (EphyWebExtension *self)
   return self->author;
 }
 
+const char *
+ephy_web_extension_get_content_security_policy (EphyWebExtension *self)
+{
+  return self->content_security_policy;
+}
+
 const char *
 ephy_web_extension_get_manifest (EphyWebExtension *self)
 {
@@ -922,6 +929,7 @@ ephy_web_extension_dispose (GObject *object)
   g_clear_pointer (&self->version, g_free);
   g_clear_pointer (&self->homepage_url, g_free);
   g_clear_pointer (&self->local_storage_path, g_free);
+  g_clear_pointer (&self->content_security_policy, g_free);
 
   g_clear_list (&self->icons, (GDestroyNotify)web_extension_icon_free);
   g_clear_list (&self->content_scripts, (GDestroyNotify)web_extension_content_script_free);
@@ -1019,6 +1027,11 @@ ephy_web_extension_parse_manifest (EphyWebExtension  *self,
   self->homepage_url = ephy_web_extension_manifest_get_localized_string (self, root_object, "homepage_url");
   self->author = ephy_web_extension_manifest_get_localized_string (self, root_object, "author");
 
+  /* Default matches Firefox: 
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#default_content_security_policy
 */
+  self->content_security_policy = g_strdup (ephy_json_object_get_string (root_object, 
"content_security_policy"));
+  if (!self->content_security_policy)
+    self->content_security_policy = g_strdup ("script-src 'self'; object-src 'self';");
+
   if (!*self->version || !*self->name) {
     g_set_error (error, WEB_EXTENSION_ERROR, WEB_EXTENSION_ERROR_INVALID_MANIFEST, "Missing name or 
version");
     return FALSE;
diff --git a/src/webextension/ephy-web-extension.h b/src/webextension/ephy-web-extension.h
index 2f6a3966d..de6461cbb 100644
--- a/src/webextension/ephy-web-extension.h
+++ b/src/webextension/ephy-web-extension.h
@@ -96,6 +96,8 @@ const char            *ephy_web_extension_get_homepage_url                (EphyW
 
 const char            *ephy_web_extension_get_author                      (EphyWebExtension *self);
 
+const char            *ephy_web_extension_get_content_security_policy     (EphyWebExtension *self);
+
 void                   ephy_web_extension_load_async                      (GFile               *target,
                                                                            GFileInfo           *info,
                                                                            GCancellable        *cancellable,
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]