From e16920682162d278abd7159b3f6708acf4f7a2df Mon Sep 17 00:00:00 2001
From: Samuel Elliott
Date: Sat, 7 Jul 2018 14:26:48 +0100
Subject: [PATCH] Add hosts that serve emotes to the content security policy
---
 core/src/main.js | 26 +++++++++++++++++++++++++-
 package-lock.json | 3 +++
 package.json | 3 ++-
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/core/src/main.js b/core/src/main.js
index fa18fe0d..804e7631 100644
--- a/core/src/main.js
+++ b/core/src/main.js
@@ -10,8 +10,9 @@
 import path from 'path';
 import sass from 'node-sass';
-import { BrowserWindow, dialog } from 'electron';
+import { BrowserWindow, dialog, session } from 'electron';
 import deepmerge from 'deepmerge';
+import ContentSecurityPolicy from 'csp-parse';
 import { FileUtils, BDIpc, Config, WindowUtils, CSSEditor, Database } from './modules';
@@ -239,6 +240,29 @@ export class BetterDiscord {
 browser_window_module.exports = PatchedBrowserWindow;
 }
+ /**
+ * Attaches an event handler for HTTP requests to update the Content Security Policy.
+ */
+ static hookSessionRequest() {
+ session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+ for (let [header, values] of Object.entries(details.responseHeaders)) {
+ if (!header.match(/^Content-Security-Policy(-Report-Only)?$/i)) continue;
+
+ details.responseHeaders[header] = values.map(value => {
+ const policy = new ContentSecurityPolicy(value);
+
+ // Add hosts that serve emotes (https://static-cdn.jtvnw.net is already in the CSP)
+ policy.set('img-src', `${policy.get('img-src') || policy.get('default-src')} https://cdn.betterttv.net https://cdn.frankerfacez.com`);
+
+ return policy.toString();
+ });
+ }
+
+ callback({ responseHeaders: details.responseHeaders });
+ });
+ }
+
 }
 BetterDiscord.patchBrowserWindow();
+BetterDiscord.hookSessionRequest();
diff --git a/package-lock.json b/package-lock.json
index 586bbe31..3da838fd 100644
--- a/package-lock.json
+++ b/package-lock.json
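Review bot: In `hookSessionRequest` (second hunk of core/src/main.js), the `img-src` rewrite has no guard for a policy that carries neither `img-src` nor `default-src`: the fallback expression is then empty (or the literal text `undefined`, depending on what csp-parse's `get` returns), and the header gains an `img-src` that allows only the two emote hosts where the original policy did not restrict images at all. Returning the value untouched in that case avoids this: `const base = policy.get('img-src') || policy.get('default-src');` followed by `if (!base) return value;`. The listener is also attached to `session.defaultSession` with no URL filter, so the relaxation applies to every response in that session that sends a CSP header, not only the client's own pages; `onHeadersReceived` accepts a filter as its first argument, which would keep the change scoped. Electron keeps a single `onHeadersReceived` listener per session, so a comment saying that this hook replaces, and can be replaced by, any other one would help the next maintainer. The method is complete within the hunk; the rest of class `BetterDiscord` lies outside it.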
@@ -2744,6 +2744,9 @@ "randomfill": "1.0.4" } }, + "csp-parse": { + "version": "github:macropodhq/csp-parse#db7d5f954b420b527d7fb452a93bb6e2fa302c5a" + }, "css-color-names": { "version": "0.0.4", "resolved": "https://registry.npmjs.org/css-color-names/-/css-color-names-0.0.4.tgz",
diff --git a/package.json b/package.json
index 2aa81670..a4b86c20 100644
--- a/package.json
+++ b/package.json
@@ -5,7 +5,7 @@
 "version": "2.0.0a",
 "homepage": "https://betterdiscord.net",
 "license": "MIT",
- "main": "./core/index.js",
+ "main": "core/dist/main.js",
 "contributors": [
 "Jiiks",
 "Pohky"
@@ -16,6 +16,7 @@
 },
 "private": false,
 "dependencies": {
+ "csp-parse": "github:macropodhq/csp-parse",
 "deepmerge": "^2.1.1",
 "nedb": "^1.8.0",
 "node-sass": "^4.9.0"
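Review bot: The new `csp-parse` entry in `dependencies` (last hunk of package.json) names a GitHub repository with no commit or tag, so the only thing fixing the code that gets installed is the lockfile entry; any install that ignores or regenerates package-lock.json takes whatever the repository's default branch holds at that moment. Since this library rewrites a security header, pin it in the manifest to the commit the lockfile already records: `"csp-parse": "github:macropodhq/csp-parse#db7d5f954b420b527d7fb452a93bb6e2fa302c5a",`. The lockfile entry shown for this package has only a `version` field and no `integrity` hash, so the commit id is the only check on what is fetched.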