authorjahoti <jahoti@tilde.team>2021-06-28 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-06-28 00:00:00 +0000
commitedbbe4002dadd31fd7eab0522a953e1b1b435767 (patch)
tree51a3a8fdf0f7cbcc8cd3145d15a4c7dc41cc2920
parent86ad1c6e0cf8a9ec3a529be10d7c7d1bfdf4620e (diff)
downloadbrowser-extension-edbbe4002dadd31fd7eab0522a953e1b1b435767.tar.gz
browser-extension-edbbe4002dadd31fd7eab0522a953e1b1b435767.zip
License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and javascript: and data: URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: URLs should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete.
-rw-r--r--TODOS.org13
-rw-r--r--content/main.js28
-rw-r--r--copyright22
-rw-r--r--manifest.json1
4 files changed, 36 insertions, 28 deletions
diff --git a/TODOS.org b/TODOS.org
index 8fe65d2..63f7985 100644
--- a/TODOS.org
+++ b/TODOS.org
@@ -19,13 +19,10 @@ TODO:
- add some nice styling to settings page
- make script bag components re-orderable (via drag&drop in options page) -- CRUCIAL
- find some way not to require each chrome user to modify manifest.json
-- rename the extension to something good
- test with more browser forks (Abrowser, Parabola IceWeasel, LibreWolf)
- also see if browsers based on pre-quantum FF support enough of
WebExtensions for easy porting
- make sure page's own csp in <head> doesn't block our scripts
-- make blocking more torough -- CRUCIAL
- - mind the data: urls -- CRUCIAL
- find out how and make it possible to whitelist non-https urls and
whether we can inject csp to them
- create a repository to host scripts
@@ -47,11 +44,17 @@ TODO:
- make extension's all html files proper XHTML
- split options_main.js into several smaller files
- validate settings data on import
-- find some good hatchet icon and rename the extension to "Hachette" (unless
- someone suggests another good name before we do so)
+- rename the extension to something good
+ - find some good hatchet icon and rename the extension to "Hachette"
+ (unless someone suggests another good name before we do so)
- add an option to disable script blocking globally
+- Add support to settings_query for non-standard URLs
+ (e.g. file:// and about:)
+- Process HTML files in data: URLs instead of just blocking them
DONE:
+- make blocking more torough -- DONE 2021-06-28
+ - mind the data: urls -- CRUCIAL
- employ copyright file in Debian format -- DONE 2021-06-25
- find out what causes storage sometimes not to get initialized under IceCat 60 -- DONE 2021-06-23
- make it possible to export page settings in some format -- DONE 2021-06-19
diff --git a/content/main.js b/content/main.js
index 4eea6be..2a46c7e 100644
--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
const handle_page_actions = window.handle_page_actions;
const url_item = window.url_item;
const gen_unique = window.gen_unique;
+ const sanitize_attributes = window.sanitize_attributes;
/*
* Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
let url = url_item(document.URL);
let unique = gen_unique(url);
let nonce = unique.substring(1);
+
+ const scriptSuppressor = window.scriptSuppressor(nonce);
function needs_blocking()
{
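Review bot: The new binding `scriptSuppressor` is camelCase while every other name in this file is snake_case (`handle_page_actions`, `url_item`, `gen_unique`, `sanitize_attributes`, `needs_blocking`); `const script_suppressor = window.scriptSuppressor(nonce);` keeps the file consistent. The call also runs unconditionally at content-script top level, so it relies on `content/freezer.js` being listed before this file in the manifest's `js` array, and a missing definition would abort the whole script before `needs_blocking()` is even consulted; since manifest.json cannot carry a comment, that load-order requirement belongs here, e.g. `// provided by content/freezer.js, which must precede main.js in manifest.json`. The nonce handed to the suppressor is derived from `gen_unique(url)` two lines above; if that value is deterministic per URL it is worth confirming that a page cannot reproduce it, since a predictable nonce would let page content mark its own scripts as allowed.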
@@ -105,29 +108,10 @@ script-src-elem 'nonce-${nonce}';\
node.appendChild(meta);
}
- function sanitize_attributes(node)
- {
- if (node.attributes === undefined)
- return;
-
- /*
- * We have to do it in 2 loops, removing attribute modifies
- * our iterator
- */
- let attr_names = [];
- for (let attr of node.attributes) {
- let attr_name = attr.localName;
- if (attr_name.startsWith("on"))
- attr_names.push(attr_name);
- }
-
- for (let attr_name of attr_names) {
- node.removeAttribute(attr_name);
- console.log("sanitized", attr_name);
- }
- }
-
if (needs_blocking()) {
+ // Script blocking for Gecko
+ addEventListener('beforescriptexecute', scriptSuppressor, true);
+
var observer = new MutationObserver(handle_mutation);
observer.observe(document.documentElement, {
attributes: true,
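Review bot: The comment `// Script blocking for Gecko` on the added listener leaves out the two facts a maintainer needs: `beforescriptexecute` is a non-standard, Gecko-only event, so on other engines this listener never fires and blocking there rests solely on the injected CSP meta with `script-src-elem 'nonce-${nonce}'` shown in the hunk header. Suggested replacement: `// 'beforescriptexecute' is non-standard and Gecko-only; elsewhere this never fires and the injected CSP meta (nonce-filtered) is the only barrier.` The capturing-phase `true` argument is presumably there to run ahead of page-level handlers and is worth a word too. The `if (needs_blocking())` block continues past the end of the hunk.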
diff --git a/copyright b/copyright
index f7412db..5dce864 100644
--- a/copyright
+++ b/copyright
@@ -42,6 +42,11 @@ License: Expat
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Files: content/freezer.js
+Copyright: 2005-2021 Giorgio Maone - https://maone.net
+ 2021 jahoti <jahoti@tilde.team>
+License: GPL-2+
+
Files: licenses/*
Copyright: 2001, 2002, 2011-2013 Creative Commons
License: CC-BY-4.0
@@ -54,7 +59,7 @@ License: CC0 and public-domain
License: CC0
See `licenses/cc0.txt'
-Files: licenses/gpl-3.0.txt
+Files: licenses/gpl-2.txt licenses/gpl-3.0.txt
Copyright: 2007 Free Software Foundation, Inc. <https://fsf.org/>
License: no-changing
Everyone is permitted to copy and distribute verbatim copies of
@@ -100,6 +105,21 @@ License: Alicense-1.0
Also see `https://koszko.org/en/articles/my-new-license.html'
for more explanation.
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
License: CC-BY-SA-4.0
See `licenses/cc-by-sa-4.0.txt'
diff --git a/manifest.json b/manifest.json
index 9487d25..3984dc6 100644
--- a/manifest.json
+++ b/manifest.json
@@ -81,6 +81,7 @@
"match_about_blank": true,
"all_frames": true,
"js": [
+ "content/freezer.js",
"common/browser.js",
"common/connection_types.js",
"content/page_actions.js",