Configurable "csspp0" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED).

Author: hackademix

src/bg/LifeCycle.js

@@ -240,24 +240,34 @@ var LifeCycle = (() => {
 
       // put here any version specific upgrade adjustment in stored data
 
-      if (Ver.is(previousVersion, "<=", "11.0.10")) {
-        log(`Upgrading from 11.0.10 or below (${previousVersion}): configure the "ping" capability.`);
-        await ns.initializing;
-        ns.policy.TRUSTED.capabilities.add("ping");
-        await ns.savePolicy();
-      }
-      if (Ver.is(previousVersion, "<=", "11.2.1")) {
-        log(`Upgrading from ${previousVersion}: configure the "noscript" capability.`);
+      let configureNewCap = async(cap, presets, presetFilter) => {
+        log(`Upgrading from ${previousVersion}: configure the "${cap}" capability.`);
         await ns.initializing;
-        let {DEFAULT, TRUSTED, UNTRUSTED} = ns.policy;
-        // let's add "noscript" to DEFAULY, TRUSTED and any CUSTOM preset
-        let presets = [DEFAULT, TRUSTED];
-        presets = presets.concat([...ns.policy.sites.values()].filter(p => p !== TRUSTED && p !== UNTRUSTED));
+        let policy = ns.policy;
+        let customIdx = presets.indexOf("CUSTOM");
+        presets = presets.map(p => policy[p])
+        if (customIdx !== -1) {
+          let { TRUSTED, UNTRUSTED } = policy;
+          // insert custom presets, if any
+          presets.splice(customIdx, 1, ...[...policy.sites.values()].filter(p => p !== TRUSTED && p !== UNTRUSTED));
+        }
+        if (presetFilter) presets = presets.filter(presetFilter);
         for (let p of presets) {
-          p.capabilities.add("noscript");
+          p.capabilities.add(cap);
         }
         await ns.savePolicy();
       }
+
+      if (Ver.is(previousVersion, "<=", "11.0.10")) {
+        await configureNewCap("ping", ["TRUSTED"]);
+      }
+      if (Ver.is(previousVersion, "<=", "11.2.1")) {
+        await configureNewCap("noscript", ["DEFAULT", "TRUSTED", "CUSTOM"])
+      }
+      if (Ver.is(previousVersion, "<=", "11.2.4")) {
+        // add the csspp0 capability to any preset which already has the script capability
+        await configureNewCap("csspp0", ["TRUSTED", "CUSTOM", "DEFAULT"], p => p.capabilities.has("script"));
+      }
     },
 
     async onUpdateAvailable(details) {

src/content/content.js

@@ -163,6 +163,20 @@ ns.on("capabilities", () => {
       allowed: ns.canScript
     });
 
+  if (!(ns.policy.isTorBrowser || ns.allows("csspp0"))) {
+    // protection against CSS PP0, not needed on the Tor Browser because of its
+    // noisy DNS resolution: https://orenlab.sise.bgu.ac.il/p/PP0
+    let prefetchCallback =
+      // false && // REL_ONLY
+      (location.hostname === 'localhost' && location.search.includes("debug_prefetch"))
+      ? (rule, url) => {
+        debug("Prefetching %s from CSS", url, rule.cssText);
+        url.hostname = `prefetch.${url.hostname}`;
+        return false; // let default processing continue with the modified hostname
+      } : null;
+    prefetchCSSResources(true, prefetchCallback);
+  }
+
   if (!ns.canScript) {
 
     if ("serviceWorker" in navigator && navigator.serviceWorker.controller) {
@@ -172,19 +186,6 @@ ns.on("capabilities", () => {
         }
       })();
     }
-    if (!ns.policy.isTorBrowser) {
-      // protection against CSS PP0, not needed on the Tor Browser because of its
-      // noisy DNS resolution: https://orenlab.sise.bgu.ac.il/p/PP0
-      let prefetchCallback =
-        // false && // REL_ONLY
-        (location.hostname === 'localhost' && location.search.includes("debug_prefetch"))
-        ? (rule, url) => {
-          debug("Prefetching %s from CSS", url, rule.cssText);
-          url.hostname = `prefetch.${url.hostname}`;
-          return false; // let default processing continue with the modified hostname
-        } : null;
-      prefetchCSSResources(true, prefetchCallback);
-    }
     onScriptDisabled();
   }