aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2022-03-09 12:55:57 +0100
committerWojtek Kosior <koszko@koszko.org>2022-03-10 11:43:59 +0100
commitaacacbb831c5658fc10b142c3b71efff7a7bdbc1 (patch)
treefcc5885b620735817f1785c8bc65866dc444d3e6
parentf37e4b6f950bd73cb846c1766790c3feba7fa217 (diff)
downloadbrowser-extension-aacacbb831c5658fc10b142c3b71efff7a7bdbc1.tar.gz
browser-extension-aacacbb831c5658fc10b142c3b71efff7a7bdbc1.zip
improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)
-rw-r--r--content/policy_enforcing.js19
-rw-r--r--test/haketilo_test/data/pages/scripts_to_block_2.xml2
-rw-r--r--test/haketilo_test/unit/test_policy_enforcing.py6
3 files changed, 10 insertions, 17 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 53f418f..e230537 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -271,6 +271,8 @@ function MOSanitizer(root) {
}
MOSanitizer.prototype.observe = function() {
+ this.mo.disconnect();
+
let elem = this.root;
while (elem && !elem.haketilo_trusted_node) {
this.mo.observe(elem, {childList: true});
@@ -284,7 +286,6 @@ MOSanitizer.prototype.handle_mutations = function(mutations) {
this.recursively_sanitize(new_node);
}
- this.mo.disconnect();
this.observe();
}
@@ -355,17 +356,8 @@ async function sanitize_document(doc, policy) {
substitute_doc.addEventListener(...listener_args);
wait_loaded(doc).then(() => doc.removeEventListener(...listener_args));
-
- sanitize_tree_urls(doc.documentElement);
- sanitize_tree_onevent(doc.documentElement);
#ENDIF
- if (!doc.content_loaded) {
- const sanitizer = new MOSanitizer(doc.documentElement);
- sanitizer.start();
- wait_loaded(doc).then(() => sanitizer.stop());
- }
-
/*
* Ensure our CSP rules are employed from the beginning. This CSP injection
* method is, when possible, going to be applied together with CSP rules
@@ -399,12 +391,17 @@ async function sanitize_document(doc, policy) {
substitute_doc.documentElement.replaceWith(root);
#ENDIF
+ const sanitizer = new MOSanitizer(root);
+ sanitizer.start();
+ wait_loaded(doc).then(() => sanitizer.stop());
+
/*
* When we don't inject payload, we neither block document's CSP `<meta>'
* tags nor wait for `<head>' to be parsed.
*/
if (policy.payload) {
- await wait_for_head(doc, root);
+ if (doc instanceof HTMLDocument)
+ await wait_for_head(doc, root);
root.querySelectorAll("head meta")
.forEach(m => sanitize_meta(m, policy));
diff --git a/test/haketilo_test/data/pages/scripts_to_block_2.xml b/test/haketilo_test/data/pages/scripts_to_block_2.xml
index 6433a1d..7eea906 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_2.xml
+++ b/test/haketilo_test/data/pages/scripts_to_block_2.xml
@@ -30,7 +30,7 @@
<html:img xmlns:html="http://www.w3.org/1999/xhtml"
src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg=="
- onload="window.__run = [...(window.__run || []), 'melon'];console.log('delme melon')">
+ onload="window.__run = [...(window.__run || []), 'melon'];">
</html:img>
<!-- Will execute -->
diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py
index 98b5044..bbc3eb9 100644
--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -144,11 +144,7 @@ def test_policy_enforcing_xml(driver, execute_in_page, csp_off_setting):
def assert_properly_blocked():
click_all()
- try:
- assert set(driver.execute_script('return window.__run || [];')) == set()
- except:
- from time import sleep
- sleep(100000)
+ assert set(driver.execute_script('return window.__run || [];')) == set()
assert bool(csp_off_setting) == are_scripts_allowed(driver)
# First, see if scripts run when not blocked.