From 8f3379aeb8dc47340bbb18091a0c0cd879f25f4e Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=C3=A9bastien=20Marie?=
Date: Fri, 24 Oct 2014 11:55:42 +0200
Subject: [PATCH] new setting 'content-security-policy'

Add a new setting 'content-security-policy', that will set the 'Content-Security-Policy' HTTP-Header on the response, before webkit processing it.
This setting allow to implement a request-policy based on WebKit security feature, by whitelisting where the application expects to load resources.
---
 doc/vimb.1 | 22 +++++++++++++++++++++-
 src/main.c | 16 ++++++++++++++++
 src/main.h | 1 +
 src/setting.c | 1 +
 4 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/doc/vimb.1 b/doc/vimb.1
index b123908..1ae0c09 100644
--- a/doc/vimb.1
+++ b/doc/vimb.1
@@ -630,7 +630,8 @@ Events:
 .TP
 .B LoadProvisional
 Fired if a new page is going to opened. No data has been received yet, the load
-may still fail for transport issues.
+may still fail for transport issues. This is the right event to set `content-security-policy'
+setting.
 .TP
 .B LoadCommited
 Fired if first data chunk has arrived, meaning that the necessary transport
@@ -1192,6 +1193,25 @@ Header completely from request.
 .PD
 .RE
 .TP
+.B content-security-policy (string)
+Prepend a `Content-Security-Policy' HTTP-Header to responses received from server.
+This setting has to be setted early if managed with `autocmd' (at LoadProvisional),
+in order to be managed by webkit.
+
+It could be used to implement a whitelist policy for visited uri.
+
+Note that this setting will not remplace existing headers, but add one.
+
+Please refer to `http://www.w3.org/TR/CSP/' for syntax.
+.RS
+.PP
+Example:
+.PD 0
+.IP ":set content-security-policy=default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'none'"
+Webkit will see the `Content-Security-Policy' header defined with each response.
+.PD
+.RE
+.TP
 .B hint-timeout (int)
 Timeout before automatically following a non-unique numerical hint. To disable
 auto fire of hints, set this value to 0.
diff --git a/src/main.c b/src/main.c
index ed2d501..765b32b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -92,6 +92,8 @@ void vb_download_internal(WebKitWebView *view, WebKitDownload *download, const c
 void vb_download_external(WebKitWebView *view, WebKitDownload *download, const char *file);
 static void download_progress_cp(WebKitDownload *download, GParamSpec *pspec);
 static void read_from_stdin(void);
+static void contentsecuritypolicy_request_queued_cb(SoupSession *session, SoupMessage *msg,
+ gpointer data);
 
 /* functions */
 #ifdef FEATURE_WGET_PROGRESS_BAR
@@ -961,6 +963,8 @@ static void setup_signals()
 NULL
 );
 
+ g_signal_connect(vb.session, "request-queued", G_CALLBACK(contentsecuritypolicy_request_queued_cb), NULL);
+
 #ifdef FEATURE_NO_SCROLLBARS
 WebKitWebFrame *frame = webkit_web_view_get_main_frame(vb.gui.webview);
 g_signal_connect(G_OBJECT(frame), "scrollbars-policy-changed", G_CALLBACK(gtk_true), NULL);
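Review bot: The new `g_signal_connect(vb.session, "request-queued", ...)` line in setup_signals carries no comment, yet the choice of signal is what makes the feature work: per the commit message the policy is injected before the request is sent, and because the handler sits on the session it fires for every request WebKit queues there, main document and subresources alike. A reader searching for where CSP is applied will not find it from the string "request-queued". Suggest `/* inject the user's Content-Security-Policy into every response before WebKit parses it, see contentsecuritypolicy_request_queued_cb() */` above the call. setup_signals starts and ends outside the hunk.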
@@ -1490,6 +1494,18 @@ static void read_from_stdin(void)
 g_free(buf);
 }
 
+static void contentsecuritypolicy_request_queued_cb(SoupSession *session, SoupMessage *msg,
+ gpointer data)
+{
+ if (!vb.config.contentsecuritypolicy || g_str_equal("", vb.config.contentsecuritypolicy)) {
+ soup_message_headers_remove(msg->response_headers, "Content-Security-Policy");
+
+ } else {
+ soup_message_headers_replace(msg->response_headers, "Content-Security-Policy",
+ vb.config.contentsecuritypolicy);
+ }
+}
+
 static gboolean autocmdOptionArgFunc(const gchar *option_name, const gchar *value, gpointer data, GError **error)
 {
 vb.config.cmdargs = g_slist_append(vb.config.cmdargs, g_strdup(value));
diff --git a/src/main.h b/src/main.h
index 60e46b7..ab0dbf6 100644
--- a/src/main.h
+++ b/src/main.h
@@ -317,6 +317,7 @@ typedef struct {
 guint timeoutlen; /* timeout for ambiguous mappings */
 gboolean strict_focus;
 GHashTable *headers; /* holds user defined header appended to requests */
+ char *contentsecuritypolicy; /* holds user defined Content-Security-Policy */
 char *nextpattern; /* regex patter nfor prev link matching */
 char *prevpattern; /* regex patter nfor next link matching */
 char *file; /* path to the custome config file */
diff --git a/src/setting.c b/src/setting.c
index bcb07ff..ecb13a3 100644
--- a/src/setting.c
+++ b/src/setting.c
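Review bot: The header is written into `msg->response_headers` from `request-queued`, i.e. before libsoup has sent the request, so the feature depends on those headers surviving the whole exchange; if libsoup's `soup_message_cleanup_response()` clears `response_headers` when a message is restarted (redirect, authentication retry), as I believe it does, the policy would be missing from exactly the final response WebKit parses, so please test against a redirecting URL before merging. At that early point `response_headers` holds nothing from the server yet, so the `soup_message_headers_remove` branch is a no-op and `soup_message_headers_replace` behaves as an append; should the injection ever be moved to a later hook such as the message's `got-headers` signal, `remove` would strip the server's own policy whenever the setting is empty and `replace` would override it, both of which weaken security rather than tighten it. Since CSP enforces every policy header present on a response, the safe form is `if (vb.config.contentsecuritypolicy && !g_str_equal("", vb.config.contentsecuritypolicy))` guarding a single `soup_message_headers_append(msg->response_headers, "Content-Security-Policy", vb.config.contentsecuritypolicy);` with no else branch, which also matches the man page's statement that the setting adds a header rather than replacing one. A short comment above the function stating that it runs before the request is sent, that `response_headers` is still empty at that point, and why the session-level signal was chosen would spare the next reader this analysis.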
@@ -203,6 +203,7 @@ void setting_init()
 setting_add("history-max-items", TYPE_INTEGER, &i, internal, 0, &vb.config.history_max);
 setting_add("editor-command", TYPE_CHAR, &"x-terminal-emulator -e -vi '%s'", NULL, 0, NULL);
 setting_add("header", TYPE_CHAR, &"", headers, FLAG_LIST|FLAG_NODUP, NULL);
+ setting_add("content-security-policy", TYPE_CHAR, &"", internal, 0, &vb.config.contentsecuritypolicy);
 setting_add("nextpattern", TYPE_CHAR, &"/\\bnext\\b/i,/^(>\\|>>\\|»)$/,/^(>\\|>>\\|»)/,/(>\\|>>\\|»)$/,/\\bmore\\b/i", prevnext, FLAG_LIST|FLAG_NODUP, NULL);
 setting_add("previouspattern", TYPE_CHAR, &"/\\bprev\\|previous\\b/i,/^(<\\|<<\\|«)$/,/^(<\\|<<\\|«)/,/(<\\|<<\\|«)$/", prevnext, FLAG_LIST|FLAG_NODUP, NULL);
 setting_add("fullscreen", TYPE_BOOLEAN, &off, fullscreen, 0, NULL);
-- 
2.20.1