From a4a32f6b9e0213797ad43b9b458dbd5fbc86614b Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 20 Jun 2021 08:43:44 +0200 Subject: [PATCH 1/3] switch to streaming WASM loading, fixes #814 --- js/zlib-1.2.11.js | 57 ++++++++++++++++++++--------------------------- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 3 files changed, 26 insertions(+), 35 deletions(-) diff --git a/js/zlib-1.2.11.js b/js/zlib-1.2.11.js index ed0abea8..835cb968 100644 --- a/js/zlib-1.2.11.js +++ b/js/zlib-1.2.11.js @@ -1,6 +1,6 @@ 'use strict'; -(function() { +(function () { let ret; async function initialize() { @@ -23,16 +23,7 @@ _abort: errno => { console.error(`Error: ${errno}`) }, _grow: () => { }, }; - - let buff; - if (typeof fetch === 'undefined') { - buff = fs.readFileSync('zlib-1.2.11.wasm'); - } else { - const resp = await fetch('js/zlib-1.2.11.wasm'); - buff = await resp.arrayBuffer(); - } - const module = await WebAssembly.compile(buff); - const ins = await WebAssembly.instantiate(module, { env }); + const ins = await WebAssembly.instantiateStreaming(fetch('js/zlib-1.2.11.wasm'), { env }); const srcPtr = ins.exports._malloc(CHUNK_SIZE); const dstPtr = ins.exports._malloc(CHUNK_SIZE); @@ -116,28 +107,28 @@ } ret = { - inflate(rawDeflateBuffer) { - const rawInf = new RawInf(); - for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) { - const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length); - const chunk = rawDeflateBuffer.subarray(offset, end); - rawInf.inflate(chunk); - } - const ret = rawInf.getBuffer(); - rawInf.destroy(); - return ret; - }, - deflate(rawInflateBuffer) { - const rawDef = new RawDef(); - for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) { - const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length); - const chunk = rawInflateBuffer.subarray(offset, end); - rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE); - } - const ret = rawDef.getBuffer(); - rawDef.destroy(); - return ret; - }, + inflate(rawDeflateBuffer) { + const rawInf = new RawInf(); + for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) { + const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length); + const chunk = rawDeflateBuffer.subarray(offset, end); + rawInf.inflate(chunk); + } + const ret = rawInf.getBuffer(); + rawInf.destroy(); + return ret; + }, + deflate(rawInflateBuffer) { + const rawDef = new RawDef(); + for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) { + const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length); + const chunk = rawInflateBuffer.subarray(offset, end); + rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE); + } + const ret = rawDef.getBuffer(); + rawDef.destroy(); + return ret; + }, } return ret; diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 1e4eae00..86c15de2 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -54,7 +54,7 @@ if ($ZEROBINCOMPATIBILITY) : - + diff --git a/tpl/page.php b/tpl/page.php index 28f37b90..f3b26d4e 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -33,7 +33,7 @@ if ($ZEROBINCOMPATIBILITY): - + Date: Sun, 20 Jun 2021 08:44:25 +0200 Subject: [PATCH 2/3] remove unsafe-eval from CSP --- cfg/conf.sample.php | 2 +- lib/Configuration.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php index d362f3f2..bfae7563 100644 --- a/cfg/conf.sample.php +++ b/cfg/conf.sample.php @@ -87,7 +87,7 @@ languageselection = false ; async functions and display an error if not and for Chrome to enable ; webassembly support (used for zlib compression). You can remove it if Chrome ; doesn't need to be supported and old browsers don't need to be warned. -; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" +; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" ; stay compatible with PrivateBin Alpha 0.19, less secure ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of diff --git a/lib/Configuration.php b/lib/Configuration.php index 7c4eb106..35e5b40f 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -54,7 +54,7 @@ class Configuration 'urlshortener' => '', 'qrcode' => true, 'icon' => 'identicon', - 'cspheader' => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads', + 'cspheader' => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads', 'zerobincompatibility' => false, 'httpwarning' => true, 'compression' => 'zlib', From 6587466a9b29a5f2af49d849243e3783cf4ab9ca Mon Sep 17 00:00:00 2001 From: El RIDO Date: Tue, 26 Nov 2024 07:01:34 +0100 Subject: [PATCH 3/3] remove async & ES6 feature detection It requires eval and webcrypto got introduced in older Chrome & Firefox versions, so seems superfluous to keep. --- CHANGELOG.md | 1 + js/legacy.js | 12 ------------ lib/Configuration.php | 2 +- 3 files changed, 2 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 456c6c29..262edc9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # PrivateBin version history ## 1.7.6 (not yet released) +* CHANGED: Switched to WASM streaming and replace unsafe-eval with wasm-unsafe-eval CSP declaration (#1464), requires webserver to have `application/wasm` MIME type configured. ## 1.7.5 (2024-11-16) * ADDED: Allow non persistent SQL connections, if configured (#1394) diff --git a/js/legacy.js b/js/legacy.js index be85f981..922e9a0e 100644 --- a/js/legacy.js +++ b/js/legacy.js @@ -174,18 +174,6 @@ )) { return true; } - - // async & ES6 support - try { - async () => {}; - } catch (e) { - if (e instanceof SyntaxError) { - return true; - } else { - throw e; // throws CSP error - } - } - return false; } diff --git a/lib/Configuration.php b/lib/Configuration.php index 78aa9fe5..9dd7f4f3 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -106,7 +106,7 @@ class Configuration 'js/dark-mode-switch.js' => 'sha512-CCbdHdeWDbDO7aqFFmhgnvFESzaILHbUYmbhNjTpcjyO/XYdouQ9Pw8W9rpV8oJT1TsK5FbwSHU1oazmnb7BWA==', 'js/jquery-3.7.1.js' => 'sha512-v2CJ7UaYy4JwqLDIrZUI/4hqeoQieOmAZNXBeQyjo21dadnwR+8ZaIJVT8EE2iyI61OV8e6M8PP2/4hpQINQ/g==', 'js/kjua-0.9.0.js' => 'sha512-CVn7af+vTMBd9RjoS4QM5fpLFEOtBCoB0zPtaqIDC7sF4F8qgUSRFQQpIyEDGsr6yrjbuOLzdf20tkHHmpaqwQ==', - 'js/legacy.js' => 'sha512-p76t5AT6YHgvhG5RqWGOQ6o87aObfYWYwOPHYhhN4KfExVEZJ0/I0D+1daKprxgbL37/gtXxbd1qZx4PIhSU3g==', + 'js/legacy.js' => 'sha512-UxW/TOZKon83n6dk/09GsYKIyeO5LeBHokxyIq+r7KFS5KMBeIB/EM7NrkVYIezwZBaovnyNtY2d9tKFicRlXg==', 'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==', 'js/privatebin.js' => 'sha512-JUj/Sbl/bMHlIoIUT1U9e89JU33fDBxCxLSGxwwaeydBFXOBHyfdF7hwSIjgbPxb4d9CO7CSe4meouTIRMy8Vg==', 'js/purify-3.1.7.js' => 'sha512-LegvqULiMtOfboJZw9MpETN/b+xnLRXZI90gG7oIFHW+yAeHmKvRtEUbiMFx2WvUqQoL9XB3gwU+hWXUT0X+8A==',