author | Wojtek Kosior <koszko@koszko.org> | 2022-03-09 12:55:57 +0100 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2022-03-10 11:43:59 +0100 |
commit | aacacbb831c5658fc10b142c3b71efff7a7bdbc1 (patch) | |
tree | fcc5885b620735817f1785c8bc65866dc444d3e6 | |
parent | f37e4b6f950bd73cb846c1766790c3feba7fa217 (diff) | |
improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)
-rw-r--r-- | content/policy_enforcing.js | 19 | ||||
-rw-r--r-- | test/haketilo_test/data/pages/scripts_to_block_2.xml | 2 | ||||
-rw-r--r-- | test/haketilo_test/unit/test_policy_enforcing.py | 6 |
3 files changed, 10 insertions, 17 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js index 53f418f..e230537 100644 --- a/content/policy_enforcing.js +++ b/content/policy_enforcing.js @@ -271,6 +271,8 @@ function MOSanitizer(root) { } MOSanitizer.prototype.observe = function() { + this.mo.disconnect(); + let elem = this.root; while (elem && !elem.haketilo_trusted_node) { this.mo.observe(elem, {childList: true}); @@ -284,7 +286,6 @@ MOSanitizer.prototype.handle_mutations = function(mutations) { this.recursively_sanitize(new_node); } - this.mo.disconnect(); this.observe(); } @@ -355,17 +356,8 @@ async function sanitize_document(doc, policy) { substitute_doc.addEventListener(...listener_args); wait_loaded(doc).then(() => doc.removeEventListener(...listener_args)); - - sanitize_tree_urls(doc.documentElement); - sanitize_tree_onevent(doc.documentElement); #ENDIF - if (!doc.content_loaded) { - const sanitizer = new MOSanitizer(doc.documentElement); - sanitizer.start(); - wait_loaded(doc).then(() => sanitizer.stop()); - } - /* * Ensure our CSP rules are employed from the beginning. This CSP injection * method is, when possible, going to be applied together with CSP rules @@ -399,12 +391,17 @@ async function sanitize_document(doc, policy) { substitute_doc.documentElement.replaceWith(root); #ENDIF + const sanitizer = new MOSanitizer(root); + sanitizer.start(); + wait_loaded(doc).then(() => sanitizer.stop()); + /* * When we don't inject payload, we neither block document's CSP `<meta>' * tags nor wait for `<head>' to be parsed. */ if (policy.payload) { - await wait_for_head(doc, root); + if (doc instanceof HTMLDocument) + await wait_for_head(doc, root); root.querySelectorAll("head meta") .forEach(m => sanitize_meta(m, policy)); diff --git a/test/haketilo_test/data/pages/scripts_to_block_2.xml b/test/haketilo_test/data/pages/scripts_to_block_2.xml index 6433a1d..7eea906 100644 --- a/test/haketilo_test/data/pages/scripts_to_block_2.xml 
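Review bot: `this.mo.disconnect()` at the top of `observe()` discards any mutation records that are queued but not yet delivered, so a caller other than `handle_mutations()` could lose nodes added since the last callback and leave them unsanitized. The old placement confined the disconnect to the callback, where the current batch had just been delivered. If `observe()` is reached from anywhere else (its callers are outside this hunk), either drain first with `this.mo.takeRecords()` and sanitize those nodes, or document the constraint with `/* Only call when no records are pending; disconnect() drops them. */`. The body of `observe()` continues past the end of the hunk.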
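Review bot: With the explicit `sanitize_tree_urls()` and `sanitize_tree_onevent()` calls removed, the `new MOSanitizer(root)` added after `replaceWith(root)` appears to be the only remaining pass over the tree, so blocking now depends on `start()` sanitizing nodes already under `root` before it begins observing. `start()` is not visible in this hunk, and dropping the `doc.content_loaded` guard means the sanitizer is now also started on documents that have finished loading. A comment at the call would record the invariant, for example `/* Sole sanitization pass: start() must also sanitize nodes already under root. */`. Separately, `if (doc instanceof HTMLDocument)` skips `wait_for_head()` for XML documents, so `querySelectorAll("head meta")` sees only what has been parsed so far; if an XHTML-namespaced CSP `<meta>` can arrive later, that case would merit a test page. `sanitize_document` begins and ends outside this hunk.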
+++ b/test/haketilo_test/data/pages/scripts_to_block_2.xml @@ -30,7 +30,7 @@ <html:img xmlns:html="http://www.w3.org/1999/xhtml" src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==" - onload="window.__run = [...(window.__run || []), 'melon'];console.log('delme melon')"> + onload="window.__run = [...(window.__run || []), 'melon'];"> </html:img> <!-- Will execute --> diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py index 98b5044..bbc3eb9 100644 --- a/test/haketilo_test/unit/test_policy_enforcing.py +++ b/test/haketilo_test/unit/test_policy_enforcing.py @@ -144,11 +144,7 @@ def test_policy_enforcing_xml(driver, execute_in_page, csp_off_setting): def assert_properly_blocked(): click_all() - try: - assert set(driver.execute_script('return window.__run || [];')) == set() - except: - from time import sleep - sleep(100000) + assert set(driver.execute_script('return window.__run || [];')) == set() assert bool(csp_off_setting) == are_scripts_allowed(driver) # First, see if scripts run when not blocked. |
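Review bot: The restored `assert set(driver.execute_script('return window.__run || [];')) == set()` checks for absence immediately after `click_all()`, so a handler that fires asynchronously (such as the `onload` on the image in `scripts_to_block_2.xml`) could run after the assertion and let a sanitization regression pass unnoticed. Unless a wait already happens elsewhere in `test_policy_enforcing_xml`, which starts outside this hunk, consider giving the page a short bounded settle period before asserting. At minimum a comment such as `# Negative check: handlers must have had a chance to fire before this assert.` would document the assumption.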