smartfridge/armcord
1
1
Fork 0
mirror of https://github.com/smartfrigde/armcord.git synced 2024-08-14 23:56:58 +00:00
Code Issues Projects Releases Wiki Activity

feat(csp): allow blob and data uri workers (#271)

Browse source 
* allow unsafe worker-src

* modify child-src instead

* safer csp handling
This commit is contained in:
Justice Almanzar 2022-11-28 05:24:10 -05:00 committed by GitHub
parent aae56ea0e0
commit 70e5b7673d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

41
src/extensions/mods.ts
View file

@ -1,29 +1,52 @@
import electron from "electron"; import electron from "electron";
import {getConfig} from "../utils"; import {getConfig} from "../utils";
interface PolicyResult {
[key: string]: string[];
}
const parsePolicy = (policy: string): PolicyResult => {
const result: PolicyResult = {};
policy.split(";").forEach((directive) => {
const [directiveKey, ...directiveValue] = directive.trim().split(/\s+/g);
if (directiveKey && !Object.prototype.hasOwnProperty.call(result, directiveKey)) {
result[directiveKey] = directiveValue;
}
});
return result;
};
const stringifyPolicy = (policy: PolicyResult): string =>
Object.entries(policy)
.filter(([, values]) => values?.length)
.map((directive) => directive.flat().join(" "))
.join("; ");
const unstrictCSP = async () => { const unstrictCSP = async () => {
console.log("Setting up CSP unstricter..."); console.log("Setting up CSP unstricter...");
const cspAllowAll = ["style-src", "connect-src", "img-src", "font-src", "media-src"]; const cspAllowAll = ["style-src", "connect-src", "img-src", "font-src", "media-src", "worker-src"];
const isVencord = await getConfig("mods").then((s) => s.includes("vencord")); const isVencord = await getConfig("mods").then((s) => s.includes("vencord"));
electron.session.defaultSession.webRequest.onHeadersReceived(({responseHeaders}, done) => { electron.session.defaultSession.webRequest.onHeadersReceived(({responseHeaders}, done) => {
let csp = responseHeaders!["content-security-policy"]; let cspHeaders = responseHeaders!["content-security-policy"];
if (cspHeaders) {
const csp = parsePolicy(cspHeaders[0]);
if (csp) {
for (const directive of cspAllowAll) { for (const directive of cspAllowAll) {
csp[0] = csp[0].replace(new RegExp(`${directive}.+?;`), `${directive} * blob: data: 'unsafe-inline';`); csp[directive] = ["*", "blob:", "data:", "'unsafe-inline'"];
} }
if (isVencord) { if (isVencord) {
// unpkg and cdnjs are used for QuickCss and some plugins' dependencies (e.g. GifEncoder & APNG for FakeNitro) // unpkg and cdnjs are used for QuickCss and some plugins' dependencies (e.g. GifEncoder & APNG for FakeNitro)
csp[0] = csp[0].replace( csp["script-src"] ??= [];
/script-src.+?(?=;)/, csp["script-src"].push("'unsafe-eval'", "https://unpkg.com", "https://cdnjs.cloudflare.com");
"$& 'unsafe-eval' https://unpkg.com https://cdnjs.cloudflare.com"
);
} }
// Fix Discord's broken CSP which disallows unsafe-inline due to having a nonce (which they don't even use?) // Fix Discord's broken CSP which disallows unsafe-inline due to having a nonce (which they don't even use?)
csp[0] = csp[0].replace(/'nonce-.+?' /, ""); csp["script-src"] = csp["script-src"]?.filter((value) => !value.includes("nonce-"));
cspHeaders[0] = stringifyPolicy(csp);
} }
done({responseHeaders}); done({responseHeaders});