1.6.5 Start handling CSP without removing it

Listeners.js

@@ -228,7 +228,7 @@ class Listeners {
     }
 
   }
-  static async editBeforeData(details) {
+  static editBeforeData(details) {
     if (details.tabId == -1 && uDark.connected_options_ports_count || uDark.connected_cs_ports["port-from-popup-" + details.tabId]) { // -1 Happens sometimes, like on https://www.youtube.com/ at the time i write this, stackoverflow talks about worker threads
 
       // Here we are covering the needs of the option page: Be able to frame any page

background.js

@@ -998,10 +998,7 @@ class uDarkC extends uDarkExtended {
       };
       return strO;
     }
-    if(!details)
-    {
-      // return strO;
-    }
+
 
     // Protection of imports
     // Unfortunately, this could lead to a reparation of a broken css if the chunking splits the @import in two parts
@@ -1460,18 +1457,23 @@ class uDarkC extends uDarkExtended {
       let h_var = actions.h_var? `var(${actions.h_var})` : "h";
       return `hsl(from ${color} ${h_var} s ${l_var} / alpha)`
     }
+    edit_fastValue0( value, actions, cssRule) {
+      if(actions.js_static_transform){
+        if(!value.includes("var(")){
+          return uDark.eget_color(value, actions.js_static_transform, cssRule, true, true);
+        }
+      }
+      return uDark.wrapIntoColor(value, actions);
+
+    }
     edit_with_regex(key, value, regex, actions, cssRule) {
       return value.replaceAll(regex, (match) => {
-        if(actions.js_static_transform){
-          if(!value.includes("var(")){
-            return uDark.eget_color(match, actions.js_static_transform, cssRule, true, true);
-          }
-        }
-        return uDark.wrapIntoColor(match, actions);
+        return uDark.edit_fastValue0(match, actions, cssRule);
       });
     }
 
     edit_all_cssRule_colors_cb(cssRule, key, value, options, actions) {
+
       // 0. Return the original value if it's not a string
       if(!(value instanceof String || typeof value === "string")){
         return value;
@@ -1484,7 +1486,7 @@ class uDarkC extends uDarkExtended {
       }
       let cssStyle = cssRule.style;
       if (actions.fastValue0) {
-        let wrapped=uDark.wrapIntoColor(value,actions);
+        let wrapped=uDark.edit_fastValue0(value, actions, cssRule);
         if(actions.no_edit || wrapped==value && !key_prefix){
           return wrapped;
         }
@@ -1493,7 +1495,7 @@ class uDarkC extends uDarkExtended {
       }
 
       let url_protected = uDark.str_protect(value, actions.raw_text ? uDark.regex_search_for_url_raw : uDark.regex_search_for_url, "url_protected");
-      
+
       // url_protected=value.protect(/DISABLED/,"url_protected");
       let new_value = url_protected.str;
 
@@ -1507,6 +1509,7 @@ class uDarkC extends uDarkExtended {
       new_value = uDark.edit_with_regex(key, new_value, uDark.namedColorsRegex, actions); // edit_named_colors
       new_value = uDark.edit_with_regex(key, new_value, uDark.hexadecimalColorsRegex, actions); // edit_hex_colors // The browser auto converts hex to rgb, but some times not like in  var(--123,#00ff00) as it cant resolve the var
       new_value = uDark.str_unprotect(new_value, url_protected);
+
       if (!actions.no_edit && value != new_value || key_prefix) {
         // Edit the value only if necessary:  setting bacground image removes bacground property for intance
         cssStyle.p_ud_setProperty(key_prefix + key, new_value, cssStyle.getPropertyPriority(key)); // Once we had  an infinite loop here when uDark was loaded twice and redefining setProperty.

backgroundClass.js

@@ -212,7 +212,7 @@ class uDarkExtended extends uDarkExtendedContentScript {
         this.logPrefix = "UD";
         fetch("manifest.json").then(x => x.json()).then(x => {
           uDark.production = x.browser_specific_settings.gecko.id;
-
+          
           if (uDark.production) {
             uDark.success( "Production mode", uDark.production);
             [console.log, console.warn, console.table, console.info] = Array(20).fill(z => {})
@@ -342,11 +342,44 @@ class uDarkExtended extends uDarkExtendedContentScript {
         details.charset=(details.charset ||["",defaultCharset])[1].toLowerCase();
       }
       headersDo = {
+        "content-security-policy-report-only": (x => { false }),
         "content-security-policy": (x => {
-          x.value = x.value.replace(/script-src/, "script-src *")
-          x.value = x.value.replace(/default-src/, "default-src *")
-          x.value = x.value.replace(/style-src/, "style-src *")
-          return false; // TODO: Review if false is the right value here
+          let csp = x.value.toLowerCase();
+          let cspArray = csp.split(/;|,/g).map(x => x.trim()); 
+          /* Quoted values are very defined and never contain a comma or a semicolon. No protection needed
+          Urls in CSP break on these characters, browser expects them to be url encoded, so we can't have them in the value
+          */
+          let cspObject = {};
+
+          cspArray.forEach(element => {
+            element = element.trim();
+            let spIndex = element.indexOf(" ");
+            let key = element.slice(0, spIndex);
+            let value = " ";
+            if (spIndex != -1) {
+              value = element.slice(spIndex + 1);
+            }
+            cspObject[key] = value;
+          });
+          let CSPBypass_map = {
+            "* 'unsafe-inline' 'unsafe-eval'": ["script-src", "default-src", "script-src-attr", "style-src-attr", "style-src"],
+            "* 'unsafe-inline'": ["script-src-elem"],
+            "delete": ["report-uri", "report-to","require-trusted-types-for"],
+          }
+          for(let [newCSPValue,cspDirectiveKeys] of Object.entries(CSPBypass_map)){
+            for(let cspDirective of cspDirectiveKeys){
+              if(cspObject[cspDirective]){
+                cspObject[cspDirective] = newCSPValue;
+              }
+              if(newCSPValue === "delete")
+                delete cspObject[cspDirective];
+              }
+          }
+          let newCSP = Object.entries(cspObject).map(([key, value]) => {
+            return `${key} ${value}`;
+          }).join("; ");
+          x.value = newCSP;
+          return true; // Return true to apply the change, false to remove the header. We must keep the header since a website can send x frame options, among CSP, and removing it would give priority to the x frame options
         }),
       }
       regiteredCS = []

manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 2,
   "name": "UltimaDark",
-  "version": "1.6.4",
+  "version": "1.6.5",
   "description": "The extension uses agressive techniques to get a dark mode everywhere on internet\nThis is still highly experimental so it can also ruin your internet experience",
   "homepage_url": "https://github.com/ThomazPom/Moz-Ext-UltimaDark",
   "icons": {

popup.html

@@ -36,6 +36,12 @@ <h1 class="welcome">UltimaDark <span class="version">1.5.2</span></h1>
 				<span  class="right title close_window"><span class="arrow-right close_window"></span>Rate & About</span>
 				<span class="left icon">⭐</span>
 			</a>
+		</div>
+			<div class="content content-centered">
+			<a href="https://addons.mozilla.org/fr/firefox/addon/ultimadark/versions/" class="btn left">
+				<span  class="right title close_window"><span class="arrow-right close_window"></span>Previous versions</span>
+				<span class="left icon">⏮️</span>
+			</a>
 		</div>
 		<span class="label">Exclude these websites</span>
 		<textarea class="listextarea" id="black_list"></textarea>