fix worker csp check

ezzak · ezzak · commit 065f7450ffbe · 2023-10-04T12:05:10.000-07:00
diff --git a/config/v2/manifest.json b/config/v2/manifest.json
@@ -1,7 +1,7 @@
 {
     "manifest_version": 2,
     "name": "Code Verify",
-    "version": "3.2.0",
+    "version": "3.2.1",
     "default_locale": "en",
     "description": "An extension to verify the code running in your browser matches what was published.",
     "page_action": {
diff --git a/config/v3/manifest.json b/config/v3/manifest.json
@@ -1,7 +1,7 @@
 {
     "manifest_version": 3,
     "name": "Code Verify",
-    "version": "3.2.0",
+    "version": "3.2.1",
     "default_locale": "en",
     "description": "An extension to verify the code running in your browser matches what was published.",
     "action": {
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "meta-code-verify",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Browser extensions to verify code running in the browser against a published manifest",
   "main": "none",
   "repository": "git@github.com:facebookincubator/meta-code-verify.git",
diff --git a/src/js/contentUtils.ts b/src/js/contentUtils.ts
@@ -528,21 +528,23 @@ chrome.runtime.onMessage.addListener(request => {
       ) {
         return;
       }
-      const hostname = window.location.hostname;
-      const resourceURL = new URL(request.response.url);
-      if (resourceURL.hostname === hostname) {
-        // This can potentially be a worker, check if CSPs allow it as a worker
-        if (
-          allowedWorkerCSPs.every(csp =>
-            doesWorkerUrlConformToCSP(csp, resourceURL.toString()),
-          )
-        ) {
-          // This might be a worker, ensure it's CSP headers are valid
-          checkWorkerEndpointCSP(
-            request.response,
-            allowedWorkerCSPs,
-            currentOrigin.val,
-          );
+      if (isFbMsgrOrIgOrigin(currentOrigin.val)) {
+        const hostname = window.location.hostname;
+        const resourceURL = new URL(request.response.url);
+        if (resourceURL.hostname === hostname) {
+          // This can potentially be a worker, check if CSPs allow it as a worker
+          if (
+            allowedWorkerCSPs.every(csp =>
+              doesWorkerUrlConformToCSP(csp, resourceURL.toString()),
+            )
+          ) {
+            // This might be a worker, ensure it's CSP headers are valid
+            checkWorkerEndpointCSP(
+              request.response,
+              allowedWorkerCSPs,
+              currentOrigin.val,
+            );
+          }
         }
       }
       sendMessageToBackground({

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"manifest_version": 2,`
`3`	`3`	`"name": "Code Verify",`
`4`		`- "version": "3.2.0",`
	`4`	`+ "version": "3.2.1",`
`5`	`5`	`"default_locale": "en",`
`6`	`6`	`"description": "An extension to verify the code running in your browser matches what was published.",`
`7`	`7`	`"page_action": {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"manifest_version": 3,`
`3`	`3`	`"name": "Code Verify",`
`4`		`- "version": "3.2.0",`
	`4`	`+ "version": "3.2.1",`
`5`	`5`	`"default_locale": "en",`
`6`	`6`	`"description": "An extension to verify the code running in your browser matches what was published.",`
`7`	`7`	`"action": {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "meta-code-verify",`
`3`		`- "version": "3.2.0",`
	`3`	`+ "version": "3.2.1",`
`4`	`4`	`"description": "Browser extensions to verify code running in the browser against a published manifest",`
`5`	`5`	`"main": "none",`
`6`	`6`	`"repository": "git@github.com:facebookincubator/meta-code-verify.git",`