smartfridge/armcord
1
1
Fork 0
mirror of https://github.com/smartfrigde/armcord.git synced 2024-08-14 23:56:58 +00:00
Code Issues Projects Releases Wiki Activity

Fully remove CSP as opposed to setting custom policies (#293)

Browse source 
* Just remove CSP instead of trying to work with it

* Simplify CSP removal further
This commit is contained in:
Cain Atkinson 2022-12-11 17:59:33 +00:00 committed by GitHub
parent b449fdeb94
commit 5610f372bf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

49
src/extensions/mods.ts
View file

@ -1,55 +1,12 @@
import electron from "electron";
import {getConfig} from "../utils";
interface PolicyResult {
[key: string]: string[];
}
const parsePolicy = (policy: string): PolicyResult => {
const result: PolicyResult = {};
policy.split(";").forEach((directive) => {
const [directiveKey, ...directiveValue] = directive.trim().split(/\s+/g);
if (directiveKey && !Object.prototype.hasOwnProperty.call(result, directiveKey)) {
result[directiveKey] = directiveValue;
}
});
return result;
};
const stringifyPolicy = (policy: PolicyResult): string =>
Object.entries(policy)
.filter(([, values]) => values?.length)
.map((directive) => directive.flat().join(" "))
.join("; ");
const unstrictCSP = async () => {
const unstrictCSP = () => {
console.log("Setting up CSP unstricter...");
const cspAllowAll = ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"];
const isVencord = await getConfig("mods").then((s) => s.includes("vencord"));
electron.session.defaultSession.webRequest.onHeadersReceived(({responseHeaders}, done) => {
let cspHeaders = responseHeaders!["content-security-policy"];
if (cspHeaders) {
const csp = parsePolicy(cspHeaders[0]);
for (const directive of cspAllowAll) {
csp[directive] = ["*", "blob:", "data:", "'unsafe-inline'"];
}
if (isVencord) {
// unpkg and cdnjs are used for QuickCss and some plugins' dependencies (e.g. GifEncoder & APNG for FakeNitro)
csp["script-src"] ??= [];
csp["script-src"].push("'unsafe-eval'", "https://unpkg.com", "https://cdnjs.cloudflare.com");
}
// Fix Discord's broken CSP which disallows unsafe-inline due to having a nonce (which they don't even use?)
csp["script-src"] = csp["script-src"]?.filter((value) => !value.includes("nonce-"));
cspHeaders[0] = stringifyPolicy(csp);
}
done({responseHeaders});
delete responseHeaders!["content-security-policy"];
done({ responseHeaders });
});
};