0ct0pu5/bromite
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

deny network access to injected scripts

Browse source
This commit is contained in:
Carmelo Messina 2020-12-31 14:19:05 +01:00
parent 10a171ff5d
commit 36816f6e73
1 changed files with 19 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
build/patches/add-user-scripts.v5.patch
View file

@ -1,5 +1,5 @@
From: uazo <uazo@users.noreply.github.com>
Date: Fri, 18 Dec 2020 18:11:49 +0000
Date: Mon, 28 Dec 2020 12:29:56 +0000
Subject: Experimental user scripts support preview
---
@ -99,12 +99,12 @@ Subject: Experimental user scripts support preview
.../renderer/user_scripts_dispatcher.h | 48 ++
.../renderer/user_scripts_renderer_client.cc | 76 ++
.../renderer/user_scripts_renderer_client.h | 33 +
.../renderer/web_ui_injection_host.cc | 26 +
.../renderer/web_ui_injection_host.cc | 40 +
.../renderer/web_ui_injection_host.h | 28 +
.../strings/userscripts_strings.grdp | 50 ++
tools/gritsettings/resource_ids.spec | 3 +
.../chromium/ui/base/SelectFileDialog.java | 3 +-
101 files changed, 8888 insertions(+), 4 deletions(-)
101 files changed, 8902 insertions(+), 4 deletions(-)
create mode 100755 components/user_scripts/android/BUILD.gn
create mode 100755 components/user_scripts/android/java/res/drawable-hdpi/userscript_off.png
create mode 100755 components/user_scripts/android/java/res/drawable-hdpi/userscript_on.png
@ -9663,12 +9663,20 @@ diff --git a/components/user_scripts/renderer/web_ui_injection_host.cc b/compone
new file mode 100755
--- /dev/null
+++ b/components/user_scripts/renderer/web_ui_injection_host.cc
@@ -0,0 +1,26 @@
@@ -0,0 +1,40 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "web_ui_injection_host.h"
+#include "base/no_destructor.h"
+
+namespace {
+
+// The default secure CSP to be used in order to prevent remote scripts.
+const char kDefaultSecureCSP[] = "script-src 'self'; object-src 'self';";
+
+}
+
+WebUIInjectionHost::WebUIInjectionHost(const HostID& host_id)
+ : InjectionHost(host_id),
@ -9680,7 +9688,13 @@ new file mode 100755
+
+const std::string* WebUIInjectionHost::GetContentSecurityPolicy() const {
+ // Use the main world CSP.
+ return nullptr;
+ // return nullptr;
+
+ // The isolated world will use its own CSP which blocks remotely hosted
+ // code.
+ static const base::NoDestructor<std::string> default_isolated_world_csp(
+ kDefaultSecureCSP);
+ return default_isolated_world_csp.get();
+}
+
+const GURL& WebUIInjectionHost::url() const {