├── .editorconfig ├── .github ├── FUNDING.yml └── workflows │ ├── ci.js.yml │ ├── nightly.js.yml │ └── release.js.yml ├── .gitignore ├── LICENSE ├── README.md ├── background.html ├── background.js ├── hypothesis.js ├── icons ├── hypothesis-19.png ├── hypothesis-38.png ├── hypothesis-48.png ├── hypothesis-active-19.png ├── hypothesis-active-38.png └── hypothesis.svg ├── manifest.json ├── package-lock.json ├── package.json ├── spec ├── addon.spec.js └── csp.spec.js └── src ├── csp ├── parser.js ├── patcher.js └── unparser.js └── functions.js /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | trim_trailing_whitespace = true 5 | 6 | [*.js] 7 | indent_size = 4 -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | ko_fi: abdillah 4 | -------------------------------------------------------------------------------- /.github/workflows/ci.js.yml: -------------------------------------------------------------------------------- 1 | # This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions 3 | 4 | name: Continuous Integration 5 | 6 | on: 7 | push: 8 | branches: [ master ] 9 | pull_request: 10 | branches: [ master ] 11 | 12 | jobs: 13 | build: 14 | runs-on: ubuntu-latest 15 | 16 | strategy: 17 | matrix: 18 | node-version: [12.x, 14.x] 19 | 20 | steps: 21 | - uses: actions/checkout@v2 22 | - name: Use Node.js ${{ matrix.node-version }} 23 | uses: actions/setup-node@v1 24 | with: 25 | node-version: ${{ matrix.node-version }} 26 | 27 | - name: Set BUILD_VERSION 28 | run: echo "BUILD_VERSION="$(npm run --silent version) >> 
$GITHUB_ENV 29 | 30 | - run: npm ci 31 | - run: npm test 32 | - run: npm run build --if-present 33 | - name: Upload CI build 34 | uses: actions/upload-artifact@v2 35 | with: 36 | name: hypothes.is_bookmarklet-${{ env.BUILD_VERSION }}.zip 37 | path: web-ext-artifacts/hypothes.is_bookmarklet-${{ env.BUILD_VERSION }}.zip 38 | -------------------------------------------------------------------------------- /.github/workflows/nightly.js.yml: -------------------------------------------------------------------------------- 1 | # This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions 3 | 4 | name: Nightly build 5 | 6 | on: 7 | schedule: 8 | - cron: '0 0 * * 0' 9 | 10 | jobs: 11 | sign: 12 | runs-on: ubuntu-latest 13 | 14 | env: 15 | AMO_ISSUER: ${{ secrets.AMO_ISSUER }} 16 | AMO_SECRET: ${{ secrets.AMO_SECRET }} 17 | AMO_ID: ${{ secrets.AMO_ID }} 18 | 19 | steps: 20 | - uses: actions/checkout@v2 21 | - name: Use Node.js ${{ matrix.node-version }} 22 | uses: actions/setup-node@v1 23 | with: 24 | node-version: 14.x 25 | - name: Dump GitHub context 26 | env: 27 | GITHUB_CONTEXT: ${{ toJson(github) }} 28 | run: echo "$GITHUB_CONTEXT" 29 | 30 | - name: Set BUILD_VERSION 31 | run: echo "BUILD_VERSION="$(npm run --silent version) >> $GITHUB_ENV 32 | - name: Set BUILD_ID 33 | run: echo "BUILD_ID=.0nightly"$(git rev-parse HEAD | tr -d -c 0-9 | cut -c 1-4)${{ github.run_id }}$(( ( RANDOM % 100 ) )) >> $GITHUB_ENV 34 | 35 | - run: npm run version 36 | - run: npm ci 37 | - run: npm test 38 | - run: npm run sign --if-present 39 | - name: Upload nightly build 40 | uses: actions/upload-artifact@v2 41 | with: 42 | name: hypothes.is_bookmarklet_nightly-${{ env.BUILD_VERSION }}${{ env.BUILD_ID }}.xpi 43 | path: web-ext-artifacts/hypothesis_bookmarklet_nightly-${{ env.BUILD_VERSION }}${{ 
env.BUILD_ID }}-an+fx.xpi 44 | -------------------------------------------------------------------------------- /.github/workflows/release.js.yml: -------------------------------------------------------------------------------- 1 | # This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions 3 | 4 | name: Release build 5 | 6 | on: 7 | release: 8 | types: 9 | - created 10 | 11 | jobs: 12 | sign: 13 | runs-on: ubuntu-latest 14 | 15 | env: 16 | AMO_ISSUER: ${{ secrets.AMO_ISSUER }} 17 | AMO_SECRET: ${{ secrets.AMO_SECRET }} 18 | AMO_ID: ${{ secrets.AMO_ID }} 19 | 20 | steps: 21 | - uses: actions/checkout@v2 22 | - name: Use Node.js ${{ matrix.node-version }} 23 | uses: actions/setup-node@v1 24 | with: 25 | node-version: 14.x 26 | - name: Dump GitHub context 27 | env: 28 | GITHUB_CONTEXT: ${{ toJson(github) }} 29 | run: echo "$GITHUB_CONTEXT" 30 | 31 | - name: Set BUILD_VERSION 32 | run: echo "BUILD_VERSION="$(npm run --silent version) >> $GITHUB_ENV 33 | - name: Set BUILD_ID 34 | run: echo "BUILD_ID=.0autobuild" >> $GITHUB_ENV 35 | 36 | - run: npm run version 37 | - run: npm ci 38 | - run: npm test 39 | - run: npm run sign --if-present 40 | - name: Upload release auto-build 41 | uses: actions/upload-artifact@v2 42 | with: 43 | name: hypothes.is_bookmarklet_autobuild-${{ env.BUILD_VERSION }}${{ env.BUILD_ID }}.xpi 44 | path: web-ext-artifacts/hypothesis_bookmarklet_nightly-${{ env.BUILD_VERSION }}${{ env.BUILD_ID }}-an+fx.xpi 45 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .web-extension-id 2 | node_modules 3 | web-ext-artifacts/ 4 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. 
"Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. 
Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. 
Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. 
Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. 
Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. 
However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Hypothes.is Bookmarklet
Unofficial Hypothes.is addon for Firefox.

![License: MPLv2.0](https://img.shields.io/badge/License-MPLv2.0-blue)
[![Firefox Addon](https://img.shields.io/amo/v/hypothes-is-bookmarklet)](https://addons.mozilla.org/en-US/firefox/addon/hypothes-is-bookmarklet/)
![Continuous Integration](https://github.com/Abdillah/hypothesis-firefox/workflows/Continuous%20Integration/badge.svg)

## What is This?
Hypothes.is is open-source web page annotation software that provides public and private annotations.

Unfortunately, the long-awaited Firefox plugin is still in development and only a bookmarklet is provided. The bookmarklet has limitations on sites with a strict Content-Security-Policy. Therefore, this addon lets the Hypothes.is CDN bypass that restriction and serve its content on any site.

## Usage
Visit the [Mozilla Firefox Addon page](https://addons.mozilla.org/en-US/firefox/addon/hypothes-is-bookmarklet/) and install the extension.
You can also head to the [Releases](https://github.com/Abdillah/hypothesis-firefox/releases) section and download the latest XPI binary; it will install automatically.

To build it yourself, see [this reference](https://extensionworkshop.com/documentation/develop/getting-started-with-web-ext/).

## Roadmap
This plugin is already usable, but I plan to add more features.

- URL whitelist / blacklist
- Easy user interface

## Authors
This project is authored and maintained by

- [@Abdillah](https://github.com/Abdillah) – Hernawan Faïz Abdillah

Along with the respective [contributors](https://github.com/Abdillah/hypothesis-firefox/graph/contributors).

## Contribute
Consider it useful?
Join into the effort by [creating pull request](https://github.com/Abdillah/hypothesis-firefox/compare) or [raising issue](https://github.com/Abdillah/hypothesis-firefox/issues/new). You may also give support fund.

Buy Me a Coffee at ko-fi.com

If you wish to send through other ways, DM me on Twitter @fazbdillah.

## License
This project is licensed under [MPLv2.0](./LICENSE).

The artwork icon is Hypothes.is official logo therefor is owned by Hypothes.is team and respective contributors.
-------------------------------------------------------------------------------- /background.html: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /background.js: --------------------------------------------------------------------------------
// Background script: rewrites Content-Security-Policy response headers so the
// Hypothes.is embed can be injected later, and drives the page-action toggle
// that enables/disables the embed per tab (via hypothesis.js, the content
// script). The CSP rewriting itself lives in patchCspForHypothesis()
// (src/functions.js, not shown here).
import { patchCspForHypothesis } from './src/functions.js';

/**
 * SHA-256 of a string, returned as lowercase hex.
 *
 * @param {string} message - text to hash; it is UTF-8 encoded first
 * @returns {Promise<string>} the 64-character hex digest
 *
 * NOTE(review): the digest is hex-encoded. Subresource Integrity
 * (`integrity="sha256-..."`) expects the digest base64-encoded, so this value
 * cannot serve as an SRI token as-is; see the `hash` attribute set in
 * hypothesis.js enable().
 */
async function sha256(message) {
    // encode as UTF-8 (TextEncoder ignores the argument; it is always UTF-8)
    const msgBuffer = new TextEncoder('utf-8').encode(message);

    // hash the message
    const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);

    // convert ArrayBuffer to Array
    const hashArray = Array.from(new Uint8Array(hashBuffer));

    // convert bytes to hex string (each byte zero-padded to two digits)
    const hashHex = hashArray.map(b => ('00' + b.toString(16)).slice(-2)).join('');
    return hashHex;
}

/**
 * webRequest.onHeadersReceived handler. For top-level responses that carry a
 * Content-Security-Policy header with a `default-src` or `script-src`
 * directive, replaces the header value with patchCspForHypothesis(value).
 *
 * @param {object} details - onHeadersReceived details; this code reads
 *   `url`, `documentUrl` and `responseHeaders`
 * @returns {Promise<object>} `{}` when the response is left alone, otherwise
 *   `{ responseHeaders }` with the CSP entry rewritten in place
 *
 * NOTE(review): the policy is loosened for EVERY matching top-level response,
 * not only for sites the user has switched on in `activeSites`, so the
 * weakened CSP also applies to pages where Hypothes.is is never injected.
 * Gating on `activeSites` here would require a reload after toggling
 * (the headers have already been delivered by then), so this is a design
 * trade-off worth documenting rather than a one-line fix.
 */
async function onHeaderPassed(details) {
    // Filter out non top-level response URL
    // `details.url.length <= 0` never holds for a real request; the effective
    // test is `documentUrl` being absent. Presumably documentUrl is unset only
    // for top-level document loads — TODO confirm against the webRequest docs
    // for the supported Firefox versions.
    if (details.url.length <= 0 || typeof details.documentUrl !== 'undefined') {
        return {};
    }

    // Locate the first CSP header that restricts script loading. The
    // `indexOf('default-src ')` / `indexOf('script-src ')` checks require a
    // trailing space, so a directive separated by a tab or followed directly
    // by `;` is not matched; and only the first matching header is patched,
    // although a response may carry more than one CSP header.
    let cspIdx = details.responseHeaders
        .findIndex(function (headeritem) {
            return headeritem.name.toLowerCase() == "content-security-policy"
                && (headeritem.value.indexOf('default-src ') !== -1 || headeritem.value.indexOf('script-src ') !== -1)
            ;
        });
    if (cspIdx != -1) {
        // NOTE(review): `results` (the stored hypothesisHash) is read but never
        // used; the hash is not passed on to patchCspForHypothesis().
        var results = await browser.storage.local.get('hypothesisHash');
        var csp = details.responseHeaders[cspIdx];
        // Mutates the header entry in place; the mutated array is returned below.
        details.responseHeaders[cspIdx].value = patchCspForHypothesis(csp.value);
    }

    return {
        responseHeaders: details.responseHeaders
    };
}

/**
 * pageAction.onClicked handler: flips the enabled state for the current tab.
 *
 * NOTE(review): this reads the module-level `currentTab` rather than the tab
 * argument that pageAction.onClicked passes; if the listeners that refresh
 * currentTab have not run yet, the toggle may target a stale URL. The
 * toggleHypothesis() promise is also not awaited, so a rejection (e.g. from
 * executeScript) surfaces as an unhandled rejection.
 */
async function onPageActionClicked() {
    var config = await browser.storage.local.get('activeSites');
    var isEnabled = (config.activeSites && config.activeSites[currentTab.url]) || false;
    toggleHypothesis(!isEnabled);
}

/**
 * Updates the page-action icon and tooltip of the current tab.
 *
 * @param {boolean} toActive - true shows the "active" icon and a "Hide"
 *   title, false the plain icon and a "Show" title
 *
 * Declared `async` although nothing is awaited; the setIcon/setTitle
 * promises are not awaited either, so failures are not reported to callers.
 */
async function togglePgActionIcon(toActive) {
    if (!toActive) {
        // Mark as disabled
        browser.pageAction.setIcon({
            tabId: currentTab.id,
            path: {
                19: "icons/hypothesis-19.png",
                38: "icons/hypothesis-38.png",
            }
        });
        browser.pageAction.setTitle({
            tabId: currentTab.id,
            title: "Show Hypothes.is",
        });
    } else {
        // Mark as active
        browser.pageAction.setIcon({
            tabId: currentTab.id,
            path: {
                19: "icons/hypothesis-active-19.png",
                38: "icons/hypothesis-active-38.png",
            }
        });
        browser.pageAction.setTitle({
            tabId: currentTab.id,
            title: "Hide Hypothes.is",
        });
    }
}

/**
 * Brings the current tab in line with the stored `activeSites` state: sets
 * the icon and runs `hypothesis.enable()` or `hypothesis.disable()` inside
 * the tab.
 *
 * @returns {Promise<void>}
 */
async function syncTabHypothesis() {
    var config = await browser.storage.local.get('activeSites');
    var isEnabled = (config.activeSites && config.activeSites[currentTab.url]) || false;

    // Setup icon
    togglePgActionIcon(isEnabled);

    // Reapply command
    // The injected code is assembled from the two string literals below only,
    // never from page or user data, so there is no injection surface here. It
    // runs in the tab's content-script world, where hypothesis.js defines
    // `hypothesis`. On pages where content scripts cannot run (privileged
    // pages) executeScript rejects; callers do not catch, so that error goes
    // unhandled.
    var command = isEnabled ? "hypothesis.enable()" : "hypothesis.disable()"
    await browser.tabs.executeScript(currentTab.id, {
        code: command,
    });
}

/**
 * Persists the enabled state for the current tab's URL and re-syncs the tab.
 *
 * @param {boolean} toActive - desired state
 * @returns {Promise<boolean>} `toActive`, unchanged
 *
 * `activeSites` is keyed by the full tab URL (query string and fragment
 * included), so the toggle is per exact URL rather than per site, and the map
 * grows by one entry per toggled URL with nothing pruning it.
 */
async function toggleHypothesis(toActive) {
    // Save toggle
    var config = await browser.storage.local.get('activeSites');
    if (typeof config.activeSites === 'undefined') {
        config.activeSites = {};
    }
    config.activeSites[currentTab.url] = toActive;
    await browser.storage.local.set({
        activeSites: config['activeSites']
    });

    await syncTabHypothesis();
    return toActive;
}

/**
 * Shows the page action on the current tab and syncs its state.
 *
 * @returns {Promise<void>}
 */
async function setupPageAction() {
    browser.pageAction.show(currentTab.id);
    await syncTabHypothesis();
}

/*
 * Switches currentTab and currentBookmark to reflect the currently active tab
 *
 * Only `currentTab` exists in this file; no `currentBookmark` is defined.
 * Registered for onUpdated, onActivated and onFocusChanged, so the event
 * arguments differ per event and are ignored; the active tab is re-queried
 * each time. Every call ends in setupPageAction(), which executes a script in
 * the tab; the start-up chain at the bottom of the file then calls
 * setupPageAction() a second time.
 *
 * @returns {Promise<void>}
 */
function updateActiveTab() {
    function updateTab(tabs) {
        if (tabs[0]) {
            currentTab = tabs[0];
        }
    }

    var gettingActiveTab = browser.tabs.query({ active: true, currentWindow: true });
    return gettingActiveTab
        .then(updateTab)
        .then(setupPageAction);
}

/** ----------------- *
 * Event Listeners
 * ----------------- */

// listen to tab URL changes
browser.tabs.onUpdated.addListener(updateActiveTab);

// listen to tab switching
browser.tabs.onActivated.addListener(updateActiveTab);

// listen for window switching
browser.windows.onFocusChanged.addListener(updateActiveTab);

// listen for page action toggled
browser.pageAction.onClicked.addListener(onPageActionClicked);

/* ----- *
 * Main
 * ----- */

// Tab most recently reported active; read by every handler above.
var currentTab;

// Setting up CSP
// Fetches the live embed.js once at start-up, hashes it, stores the hash and
// only then registers the header listener.
// NOTE(review): the hash pins whatever the CDN served at this moment
// (trust-on-first-use per browser start), not a known-good value, and a
// failed fetch rejects silently (no .catch), leaving CSP patching disabled
// for the whole session with no log line.
// `urls: [ "" ]` looks like an HTML-stripped match pattern (probably
// `<all_urls>`, which is what a listener meant to cover every site would use;
// manifest.json's `"matches": [ "" ]` shows the same artifact) — confirm
// against the source tree before relying on this listing.
fetch('https://hypothes.is/embed.js')
    .then(response => response.text())
    .then(async function (script) {
        var hypothesisHash = await sha256(script);
        browser.storage.local.set({ hypothesisHash: hypothesisHash });

        browser.webRequest.onHeadersReceived.addListener(
            onHeaderPassed,
            { urls: [ "" ] },
            [ "blocking", "responseHeaders" ]
        );
    });

// update when the extension loads initially
updateActiveTab()
    .then(setupPageAction)
    .then(function () {
        syncTabHypothesis();
    });
-------------------------------------------------------------------------------- /hypothesis.js: --------------------------------------------------------------------------------
// Content script (see manifest.json content_scripts, run_at document_end).
// Runs in the extension's content-script world; `hypothesis` is what the
// executeScript() calls in background.js invoke.
var hypothesis;

(async function() {
    // If a sidebar element is already present when this script runs, record
    // the page as active. NOTE(review): the marker is page-controlled DOM, so a
    // page containing such an element is marked active in `activeSites`
    // without any user action.
    if (window.document.querySelector('hypothesis-sidebar')) {
        var config = await browser.storage.local.get('activeSites');
        if (typeof config.activeSites === 'undefined') {
            config.activeSites = {};
        }
        config.activeSites[window.location.href] = true;
        await browser.storage.local.set({
            activeSites: config.activeSites
        });
    }

    hypothesis = {
        /**
         * Shows the Hypothes.is UI: if the sidebar already exists it is made
         * visible again, otherwise the config script and the remote embed are
         * appended to the page body (and therefore run in the page's own
         * context, not in this content-script world).
         *
         * @returns {Promise<void>}
         */
        enable: async function () {
            if (window.document.querySelector('hypothesis-sidebar')) {
                window.document.querySelector('hypothesis-sidebar').style.opacity = 1;
                window.document.querySelector('hypothesis-adder').style.opacity = 1;
                return;
            }

            // Initial config
            var hypothesisConfig = {
                openSidebar: false,
                showHighlights: true,
                appType: 'bookmarklet'
            };

            var results = await browser.storage.local.get('hypothesisHash');
            var d = window.document;

            // Inline config script. The body is built from JSON.stringify of a
            // constant object, so no page data reaches it.
            // NOTE(review): 'w9s09t' is a fixed nonce shipped in the extension
            // source. If patchCspForHypothesis() adds it to the page's CSP
            // (the patcher is not visible here), the nonce is public and the
            // policy can no longer distinguish this script from any other
            // inline script carrying the same attribute — effectively
            // 'unsafe-inline' for that page. A per-load random nonce
            // (crypto.getRandomValues) shared with the header patcher would
            // keep the CSP guarantee intact.
            var c = d.createElement('script');
            c.setAttribute('type', 'application/javascript');
            c.setAttribute('nonce', 'w9s09t');
            c.textContent = `window.hypothesisConfig = function () {
                return ${JSON.stringify(hypothesisConfig)};
            };`;
            d.body.appendChild(c);

            // Remote embed. NOTE(review): `hash` is not a recognised <script>
            // attribute, so the stored digest is never checked by the browser
            // and the CDN script loads without integrity verification. The
            // standard mechanism is `integrity="sha256-<base64 digest>"`
            // (with `crossorigin`), which also needs the digest base64-encoded
            // rather than the hex string that background.js sha256() stores.
            var s = d.createElement('script');
            s.setAttribute('src', 'https://hypothes.is/embed.js');
            s.setAttribute('hash', results['hypothesisHash']);
            d.body.appendChild(s);
        },

        /**
         * Hides the Hypothes.is UI by opacity only; the embed script and the
         * sidebar stay loaded and keep running.
         */
        disable: function () {
            if (window.document.querySelector('hypothesis-sidebar')) {
                window.document.querySelector('hypothesis-adder').style.opacity = 0;
                window.document.querySelector('hypothesis-sidebar').style.opacity = 0;
            }
        },
    };
})();
-------------------------------------------------------------------------------- /icons/hypothesis-19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdillah/hypothesis-firefox/8642897853c7eb286d71c2599785711348d66720/icons/hypothesis-19.png
-------------------------------------------------------------------------------- /icons/hypothesis-38.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdillah/hypothesis-firefox/8642897853c7eb286d71c2599785711348d66720/icons/hypothesis-38.png
-------------------------------------------------------------------------------- /icons/hypothesis-48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdillah/hypothesis-firefox/8642897853c7eb286d71c2599785711348d66720/icons/hypothesis-48.png
-------------------------------------------------------------------------------- /icons/hypothesis-active-19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdillah/hypothesis-firefox/8642897853c7eb286d71c2599785711348d66720/icons/hypothesis-active-19.png
-------------------------------------------------------------------------------- /icons/hypothesis-active-38.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdillah/hypothesis-firefox/8642897853c7eb286d71c2599785711348d66720/icons/hypothesis-active-38.png
-------------------------------------------------------------------------------- /icons/hypothesis.svg:
-------------------------------------------------------------------------------- 1 | 2 | 21 | 23 | 24 | 26 | image/svg+xml 27 | 29 | 30 | 31 | 32 | 33 | 35 | 60 | 65 | 71 | 72 | -------------------------------------------------------------------------------- /manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "description": "Unofficial. Serve Hypothes.is on any sites even under CSP.", 4 | "manifest_version": 2, 5 | "name": "Hypothes.is bookmarklet", 6 | "version": "1.1.3", 7 | "homepage_url": "https://github.com/Abdillah/hypothesis-firefox", 8 | "icons": { 9 | "48": "icons/hypothesis-48.png" 10 | }, 11 | 12 | "permissions": [ 13 | "tabs", 14 | "activeTab", 15 | "storage", 16 | "webRequest", 17 | "webRequestBlocking", 18 | "" 19 | ], 20 | 21 | "background": { 22 | "page": "background.html" 23 | }, 24 | 25 | "page_action": { 26 | "browser_style": true, 27 | "default_icon": { 28 | "19": "icons/hypothesis-19.png", 29 | "38": "icons/hypothesis-38.png" 30 | }, 31 | "default_title": "Show Hypothes.is", 32 | "pinned": true 33 | }, 34 | 35 | "content_scripts": [ 36 | { 37 | "matches": [ "" ], 38 | "js": [ "hypothesis.js" ], 39 | "run_at": "document_end" 40 | } 41 | ] 42 | } 43 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "module", 3 | "scripts": { 4 | "version": "echo $(cat manifest.json | grep '\"version\"' | sed -E 's/.*\"version\":\\ \"([^\\\"]+)\".*/\\1/g')$BUILD_ID", 5 | "build": "web-ext build", 6 | "pre-sign": "sed -i -E \"s@(\\\"version\\\":\\ *\\\")[0-9\\.]+\\\"@\\1$(npm run --silent version)\\\"@g\" manifest.json", 7 | "sign": "npm run pre-sign; web-ext sign --api-key $AMO_ISSUER --api-secret $AMO_SECRET --id $AMO_ID", 8 | "test": "mocha spec" 9 | }, 10 | "devDependencies": { 11 | "mocha": "^10.2.0", 12 | "web-ext": "^6.8.0" 13 | } 14 | } 15 | 
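-------------------------------------------------------------------------------- /spec/addon.spec.js: --------------------------------------------------------------------------------
import * as Assert from 'assert';
import { patchCspForHypothesis } from '../src/functions.js';

/**
 * Patch a real-world policy and run the checks every case shares.
 *
 * The original cases were named "should add host to …" but only checked for
 * empty entries; the Hypothes.is origin is now asserted as well.
 *
 * @param {string} csp - policy header as captured from the site
 * @returns {string} the patched policy, for any case-specific assertions
 */
function patchAndCheck(csp) {
    var patchedCsp = patchCspForHypothesis(csp);

    // No empty entries: two consecutive spaces would mean an empty source slot.
    Assert.ok(!/ {2,}/.test(patchedCsp), 'patched policy contains an empty entry');
    // The reason for patching at all: the Hypothes.is origin must now be allowed.
    Assert.ok(patchedCsp.includes('https://hypothes.is'), 'hypothes.is origin was not added');

    return patchedCsp;
}

describe('Hypothes.is Content Security Policy (CSP) Bypass', function () {
    describe('Real World CSP Patching', function () {
        it('should add host to duckduckgo.com', function () {
            var csp = "content-security-policy: default-src 'none' ; connect-src https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; manifest-src https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; media-src https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; script-src blob: https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ 'unsafe-inline' 'unsafe-eval' ; font-src data: https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; img-src data: https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; style-src https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ 'unsafe-inline' ; object-src 'none' ; worker-src blob: ; child-src blob: https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; frame-src blob: https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ ; form-action https://duckduckgo.com https://*.duckduckgo.com https://3g2upl4pq6kufc4m.onion/ https://duck.co ; frame-ancestors 'self' ; base-uri 'self' ; block-all-mixed-content ;";
            patchAndCheck(csp);
        });

        it('should add host to github.com', function () {
            var csp = "content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js";
            patchAndCheck(csp);
        });

        it('should add host to yerinalexey.srht.site', function () {
            var csp = "content-security-policy: default-src 'self' 'unsafe-eval' 'unsafe-inline' data:; sandbox allow-forms allow-orientation-lock allow-pointer-lock allow-presentation allow-same-origin allow-scripts;";
            patchAndCheck(csp);
        });
    });
});
-------------------------------------------------------------------------------- /spec/csp.spec.js: --------------------------------------------------------------------------------
import * as Assert from 'assert';
import { CspPatcher } from '../src/csp/patcher.js';

import { parse } from '../src/csp/parser.js';
import { unparse } from '../src/csp/unparser.js';

describe('Content Security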
Policy (CSP) Parser / Unparser', function () { 8 | it('should retain none, self, unsafe-inline, etc', function () { 9 | var fixtures = [ 10 | [ 11 | "default-src 'none'; base-uri 'self'; connect-src 'self'", 12 | { 13 | 'default-src': [ "'none'" ], 14 | 'base-uri': [ "'self'" ], 15 | 'connect-src': [ "'self'" ], 16 | }, 17 | ], 18 | ]; 19 | 20 | for (var f of fixtures) { 21 | Assert.deepStrictEqual(parse(f[0]), f[1]); 22 | Assert.deepStrictEqual(unparse(f[1]), f[0]); 23 | } 24 | }); 25 | 26 | it('should retain order due to the CSP priority nature', function () { 27 | var fixtures = [ 28 | [ 29 | "default-src 'none'; base-uri 'self' hypothes.is abc.xyz xifroon.space; connect-src 'self'", 30 | { 31 | 'default-src': [ "'none'" ], 32 | 'base-uri': [ "'self'", "hypothes.is", "abc.xyz", "xifroon.space" ], 33 | 'connect-src': [ "'self'" ], 34 | }, 35 | ], 36 | ]; 37 | 38 | for (var f of fixtures) { 39 | Assert.deepStrictEqual(parse(f[0]), f[1]); 40 | Assert.deepStrictEqual(unparse(f[1]), f[0]); 41 | } 42 | }); 43 | }); 44 | 45 | 46 | describe('Content Security Policy (CSP) Patcher', function () { 47 | const minimalcsp = "Content-Security-Policy: default-src 'none'; base-uri 'self';"; 48 | 49 | describe('#addHost', function () { 50 | var test1; 51 | it('should add hypothes.is into minimal CSP', test1 = function () { 52 | Assert.strictEqual( 53 | 'Content-Security-Policy: ' + CspPatcher.create(minimalcsp).addHost('default-src', 'hypothes.is').toString(), 54 | "Content-Security-Policy: default-src hypothes.is 'none'; base-uri 'self';" 55 | ); 56 | }); 57 | 58 | it("should add hypothes.is before 'none'", function () { 59 | test1(); 60 | 61 | const csp = "Content-Security-Policy: default-src 'none'; base-uri 'self' 'none';"; 62 | Assert.strictEqual( 63 | 'Content-Security-Policy: ' + CspPatcher.create(csp).addHost('base-uri', 'hypothes.is').toString(), 64 | "Content-Security-Policy: default-src 'none'; base-uri 'self' hypothes.is 'none';" 65 | ); 66 | }); 67 | 68 | it("should 
add hypothes.is after 'self'", function () { 69 | Assert.strictEqual( 70 | 'Content-Security-Policy: ' + CspPatcher.create(minimalcsp).addHost('base-uri', 'hypothes.is').toString(), 71 | "Content-Security-Policy: default-src 'none'; base-uri 'self' hypothes.is;" 72 | ); 73 | 74 | const csp = "Content-Security-Policy: default-src 'none'; base-uri 'self' cdn.bootstrap.com;"; 75 | Assert.strictEqual( 76 | 'Content-Security-Policy: ' + CspPatcher.create(csp).addHost('base-uri', 'hypothes.is').toString(), 77 | "Content-Security-Policy: default-src 'none'; base-uri 'self' hypothes.is cdn.bootstrap.com;" 78 | ); 79 | }); 80 | 81 | // it("should throws when 'nonce-*' and hash rule exists", function () { 82 | // const csp = "Content-Security-Policy: default-src 'none'; base-uri 'self'; script-src 'self' cdn.bootstrap.com 'sha256-edeaaff3f1774ad2888673770c6d64097e391bc362d7d6fb34982ddf0efd18cb';"; 83 | // Assert.throws(function () { 84 | // return CspPatcher.create(csp).addHost('script-src', 'hypothes.is').toString(); 85 | // }); 86 | // }); 87 | }); 88 | 89 | describe('#hasHashRule and #hasNonceRule', function () { 90 | it('should not detect when no nonce/hash rule exist', function () { 91 | Assert.ok(false === CspPatcher.create(minimalcsp).hasNonceRule()); 92 | Assert.ok(false === CspPatcher.create(minimalcsp).hasNonceRule('base-uri')); 93 | Assert.ok(false === CspPatcher.create(minimalcsp).hasHashRule()); 94 | Assert.ok(false === CspPatcher.create(minimalcsp).hasHashRule('base-uri')); 95 | }); 96 | 97 | it('should detect various nonce/hash type rule', function () { 98 | Assert.ok(true === CspPatcher.create("Content-Security-Policy: default-src 'none'; base-uri 'self' 'nonce-64097e3';").hasNonceRule()); 99 | Assert.ok(true === CspPatcher.create("Content-Security-Policy: default-src 'none'; base-uri 'self' 'nonce-64097e3';").hasNonceRule('base-uri')); 100 | Assert.ok(true === CspPatcher.create("Content-Security-Policy: default-src 'none'; base-uri 'self' 
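'sha256-edeaaff3f1774ad2888673770c6d64097e391bc362d7d6fb34982ddf0efd18cb';").hasHashRule());
            Assert.ok(true === CspPatcher.create("Content-Security-Policy: default-src 'none'; base-uri 'self' 'sha256-edeaaff3f1774ad2888673770c6d64097e391bc362d7d6fb34982ddf0efd18cb';").hasHashRule('base-uri'));
        });
    });
});
-------------------------------------------------------------------------------- /src/csp/parser.js: --------------------------------------------------------------------------------
// CSP directive names are 1*( ALPHA / DIGIT / "-" ); anything else is not a
// directive and must never become an object key (this also keeps names such as
// "__proto__" out of the parsed map).
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;

/**
 * Split a directive's value text into its individual source tokens.
 *
 * @param {string} val - the text after the directive name (may be empty)
 * @returns {string[]} non-empty tokens in their original order
 */
function parseValueToArr(val) {
    // Any whitespace run separates sources; leading/trailing blanks yield '' and are dropped.
    return val.trim().split(/\s+/).filter(o => o && o.length);
}

/**
 * Parse a Content-Security-Policy header into an ordered directive map.
 *
 * @param {string} cspstr - policy text, optionally prefixed with the header name
 * @returns {Object<string, string[]>} directive name (lower-cased) -> source list.
 *   Valueless directives such as `block-all-mixed-content` or
 *   `upgrade-insecure-requests` map to `[]`; when a directive is repeated the
 *   first occurrence wins, as browsers ignore later duplicates.
 */
export function parse(cspstr) {
    var policy = cspstr;
    // Remove header key
    if (policy.toLowerCase().indexOf('content-security-policy:') != -1) {
        policy = policy.slice(policy.indexOf(':') + 1, policy.length);
    }

    return policy.split(';').reduce((sum, rawSection) => {
        var section = rawSection.trim();
        if (section == '') {
            return sum;
        }

        // A valueless directive has no whitespace at all. The original code then
        // produced an empty key and silently dropped the directive, so restrictions
        // like block-all-mixed-content vanished from the patched policy.
        var spacepos = section.search(/\s/);
        var key = (spacepos === -1 ? section : section.substr(0, spacepos)).toLowerCase();
        var val = spacepos === -1 ? '' : section.substr(spacepos + 1, section.length);

        if (!DIRECTIVE_NAME.test(key) || Object.prototype.hasOwnProperty.call(sum, key)) {
            return sum;
        }

        sum[key] = parseValueToArr(val);
        return sum;
    }, {});
}
-------------------------------------------------------------------------------- /src/csp/patcher.js: --------------------------------------------------------------------------------
import { parse } from './parser.js';
import { unparse } from './unparser.js';

/** Directives addHost() is allowed to modify. */
const PATCHABLE_DIRECTIVES = [ 'default-src', 'base-uri', 'frame-src', 'script-src', 'style-src' ];

// Hash and nonce source expressions. The payload is base64, which may contain
// upper-case letters, '+', '/', '=' and the base64url variants '-' and '_'.
// The original patterns accepted only [a-z0-9], so real-world values were
// reported as "no hash/nonce rule" and the inline config script stayed blocked.
const HASH_SOURCE = /^'(sha256|sha384|sha512)-[A-Za-z0-9+\/=_-]+'$/i;
const NONCE_SOURCE = /^'nonce-[A-Za-z0-9+\/=_-]+'$/i;

/** Thrown when a requested patch cannot be applied to the parsed policy. */
class UnapplicablePatch extends Error {
    constructor(message) {
        super(message);
        this.name = 'UnapplicablePatch';
        this.message = message;
    }
}

/**
 * Sources to inspect for a rule check: one directive's sources, or every
 * directive's sources concatenated when no directive is given.
 *
 * @param {Object<string, string[]>} ocsp - parsed policy
 * @param {string} [directive]
 * @returns {string[]}
 */
function collectSources(ocsp, directive) {
    if (typeof directive === 'undefined') {
        return Object.keys(ocsp).reduce((acc, key) => acc.concat(ocsp[key]), []);
    }
    return ocsp[directive] || [];
}

export class CspPatcher {
    /** @param {string} cspstr - policy text, optionally with the header name */
    constructor(cspstr) {
        this.ocsp = parse(cspstr);
    }

    static create(cspstr) {
        return new CspPatcher(cspstr);
    }

    /**
     * Whether the policy declares the given directive, e.g. script-src, sandbox.
     */
    hasRule(directive) {
        return Object.prototype.hasOwnProperty.call(this.ocsp, directive);
    }

    /**
     * Whether a 'sha256-…'/'sha384-…'/'sha512-…' source is present in
     * @param{directive}, or anywhere in the policy when it is omitted.
     */
    hasHashRule(directive) {
        return collectSources(this.ocsp, directive).some(item => HASH_SOURCE.test(item));
    }

    /**
     * Whether a 'nonce-…' source is present in @param{directive}, or anywhere
     * in the policy when it is omitted.
     */
    hasNonceRule(directive) {
        return collectSources(this.ocsp, directive).some(item => NONCE_SOURCE.test(item));
    }

    /**
     * Whitelist @param{host} on the @param{to} directive.
     *
     * The host is inserted right after 'self' when present, otherwise at the
     * front of the source list. A directive the policy does not declare is left
     * alone, since the browser falls back to default-src for it.
     *
     * @returns {CspPatcher} a new patcher holding the patched policy; `this` is left unchanged
     * @throws {UnapplicablePatch} when @param{to} is not one of PATCHABLE_DIRECTIVES
     */
    addHost(to, host) {
        if (PATCHABLE_DIRECTIVES.indexOf(to) == -1) {
            throw new UnapplicablePatch(
                "CspPatcher#addHost 'to' only supports one of " + PATCHABLE_DIRECTIVES.join(', ')
            );
        }

        // Sanitize host: strip every ';' and all whitespace so the value can neither
        // start a new directive nor split into several sources (the original removed
        // only the first ';').
        var cleanHost = String(host).replace(/[;\s]+/g, '');
        if (cleanHost === '') {
            return this;
        }

        var dest = this.ocsp[to];
        if (typeof dest === 'undefined') {
            // No modification because we don't need to
            return this;
        }

        // Work on a copy so this patcher keeps its own policy.
        var patched = dest.slice();
        if (patched.indexOf(cleanHost) === -1) {
            var iself = patched.indexOf("'self'");
            if (iself !== -1) {
                patched.splice(iself + 1, 0, cleanHost);
            } else {
                patched.unshift(cleanHost);
            }
        }
        var next = Object.assign({}, this.ocsp, { [to]: patched });

        return new CspPatcher(unparse(next));
    }

    // addUrl(to, url) {}

    // addHash(to, hash) {}

    /** Policy text without the header name, always ending in exactly one ';'. */
    toString() {
        // String#trimEnd takes no argument, so the original `trimEnd(';')` only
        // stripped whitespace; remove a trailing ';' explicitly before adding one.
        return unparse(this.ocsp).replace(/;\s*$/, '') + ';';
    }
}
-------------------------------------------------------------------------------- /src/csp/unparser.js: --------------------------------------------------------------------------------
/**
 * Serialize an ordered directive map back into policy text: no header name,
 * directives joined with '; ', no trailing ';'. A directive with an empty
 * source list is emitted as its bare name (the original appended a stray
 * space in that case).
 *
 * @param {Object<string, string[]>} ocsp - parsed policy as produced by parse()
 * @returns {string}
 */
export function unparse(ocsp) {
    var csparr = [];
    for (var k of Object.keys(ocsp)) {
        csparr.push([ k ].concat(ocsp[k]).join(' '));
    }
    return csparr.join('; ');
}
-------------------------------------------------------------------------------- /src/functions.js: --------------------------------------------------------------------------------
import { CspPatcher } from './csp/patcher.js';

/** Origins the Hypothes.is client loads its app and assets from. */
const HYPOTHESIS_ORIGIN = "https://hypothes.is";
const HYPOTHESIS_CDN = "https://cdn.hypothes.is";

// Nonce the content script (hypothesis.js) sets on its inline hypothesisConfig
// <script>. NOTE(review): it is a fixed literal shipped with the extension, so
// whitelisting it below also lets any markup injected into the page run inline
// script under the same nonce; a random nonce generated per page load and shared
// with the content script would keep the site's nonce protection intact.
const CONFIG_SCRIPT_NONCE = 'w9s09t';

/**
 * Rewrite a page's Content-Security-Policy so the Hypothes.is client can load.
 *
 * @param {string} cspstr - the original policy (header value, optionally with its name)
 * @param {string} [hypothesisHash] - SHA-256 (base64) of the inline hypothesisConfig
 *   script text; only used when script-src already carries a nonce or hash source
 * @returns {string} the patched policy text, ending in ';'
 */
export function patchCspForHypothesis(cspstr, hypothesisHash) {
    var patcher = CspPatcher.create(cspstr)
        .addHost('default-src', HYPOTHESIS_ORIGIN)
        .addHost('frame-src', HYPOTHESIS_ORIGIN)
        .addHost('script-src', HYPOTHESIS_CDN)
        .addHost('style-src', HYPOTHESIS_CDN)
        // Browsers ignore 'unsafe-inline' when style-src also carries a nonce/hash source.
        .addHost('style-src', "'unsafe-inline'");

    // When only default-src available, we must add CDN URL to it: the browser
    // falls back to default-src for a missing script-src / style-src.
    if (!patcher.hasRule('script-src') || !patcher.hasRule('style-src')) {
        patcher = patcher.addHost('default-src', HYPOTHESIS_CDN);
    }

    // A nonce or hash on script-src disables 'unsafe-inline', so the injected
    // inline config script has to be allowed explicitly.
    if (patcher.hasHashRule('script-src') || patcher.hasNonceRule('script-src')) {
        patcher = patcher.addHost('script-src', `'nonce-${CONFIG_SCRIPT_NONCE}'`);
        // Hash of inline hypothesisConfig textContent. The original read
        // `results['hypothesisHash']`, a name not defined in this module, and so
        // threw a ReferenceError on exactly these pages; the hash is now a parameter
        // and is skipped when the caller does not supply one.
        if (typeof hypothesisHash === 'string' && hypothesisHash !== '') {
            patcher = patcher.addHost('script-src', `'sha256-${hypothesisHash}'`);
        }
    }

    return patcher.toString();
}
--------------------------------------------------------------------------------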