Fix potential exfiltration of browsing history by a rogue list author…

… through `csp=` As reported internally to ubo-security by https://github.com/distinctmondaylila One issue is a regression from the rewriting of the static filtering parser in version 1.47.0, specifically the following commit: 8ea3b0f64c The existing regex was no longer suitable to properly detect some usage of `report-xxx` in the rwritten parser. Another issue which predates 1.47.0 is that the regex used for validation was case-sensititive, while the `report-uri` directive can be written using uppercase letters, i.e. `Report-uri`.
gorhill · Feb 13, 2024 · db5656f · db5656f · gorhill · Feb 14, 2024
1 parent 2705059
commit db5656f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/js/static-filtering-parser.js b/src/js/static-filtering-parser.js
@@ -896,7 +896,7 @@ export class AstFilterParser {
         this.reResponseheaderPattern = /^\^responseheader\(.*\)$/;
         this.rePatternScriptletJsonArgs = /^\{.*\}$/;
         this.reGoodRegexToken = /[^\x01%0-9A-Za-z][%0-9A-Za-z]{7,}|[^\x01%0-9A-Za-z][%0-9A-Za-z]{1,6}[^\x01%0-9A-Za-z]/;
-        this.reBadCSP = /(?:=|;)\s*report-(?:to|uri)\b/;
+        this.reBadCSP = /(?:^|;)\s*report-(?:to|uri)\b/i;
         this.reNoopOption = /^_+$/;
         this.scriptletArgListParser = new ArgListParser(',');
     }