authorWojtek Kosior <koszko@koszko.org>2022-08-24 12:21:24 +0200
committerWojtek Kosior <koszko@koszko.org>2022-08-24 12:21:24 +0200
commite6fca496862eb2f13b0dc38da6a378cc540771a1 (patch)
treec6c345f0c151caae48497527fee0f4ec772cf644
parentf2cf9f1243ad131ae8194576b69f55c3612312bb (diff)
force <noscript> tags
-rw-r--r--content/policy_enforcing.js47
1 files changed, 43 insertions, 4 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index e230537..639a92a 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -162,6 +162,41 @@ function desanitize_script(script) {
delete script.haketilo_blocked_type;
}
+/* The following will only be run on pages without payload. */
+function force_noscript_tag(element) {
+ if (element.tagName !== "NOSCRIPT")
+ return;
+
+ let under_head = false;
+ let ancestor = element;
+ while (true) {
+ ancestor = ancestor.parentElement;
+
+ if (ancestor === null)
+ break;
+
+ if (ancestor === document.head) {
+ under_head = true;
+ break;
+ }
+ }
+
+ const replacement = document.createElement('haketilo-noscript');
+ replacement.innerHTML = element.innerHTML;
+
+ for (const script of [...replacement.querySelectorAll('script')])
+ script.remove();
+
+ if (under_head) {
+ for (const child of replacement.childNodes)
+ element.before(child);
+
+ element.remove();
+ } else {
+ element.replaceWith(replacement);
+ }
+}
+
/*
* Blocking certain attributes that might allow 'javascript:' URLs. Some of
* these are: <iframe>'s 'src' attributes (would normally execute js in URL upon
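Review bot: In the `under_head` branch, `for (const child of replacement.childNodes) element.before(child);` iterates a live NodeList while moving nodes out of it, so every second child is skipped and then lost when `element` is removed. Moving them in one call, `element.before(...replacement.childNodes);`, or iterating a copy as the script-removal loop above already does, avoids this. Separately, the reparsed markup has only its `<script>` elements stripped before it enters the document. On-event attributes and `javascript:` URLs in it appear to depend on the observer reaching the new nodes afterwards, which is worth confirming and recording in the function's comment.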
@@ -254,7 +289,8 @@ function sanitize_tree_onevent(root) {
#ENDIF
/*
- * Sanitize elements on-the-fly as they appear using MutationObserver.
+ * Sanitize elements on-the-fly and force <noscript> tags visible as they appear
+ * using MutationObserver.
*
* Under Abrowser 97 it was observed that MutationObserver does not always work
* as is should. When trying to observe nodes of an XMLDocument the behavior was
@@ -262,8 +298,9 @@ function sanitize_tree_onevent(root) {
* around this we avoid using the "subtree" option altogether and have the same
* code work in all scenarios.
*/
-function MOSanitizer(root) {
- this.root = root;
+function MOSanitizer(root, payload_present) {
+ this.root = root;
+ this.payload_present = payload_present;
this.recursively_sanitize(root);
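Review bot: The new `payload_present` parameter is undocumented, and a caller that omits it passes `undefined`, which the `!this.payload_present` check in `recursively_sanitize` treats as "no payload", so `<noscript>` forcing is switched on. A comment on the constructor such as `/* payload_present: truthy when a payload will be injected; <noscript> forcing is then skipped. */` would record this, and any other `new MOSanitizer(...)` call sites should be checked for the missing argument. The constructor body continues outside the hunk.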
@@ -305,6 +342,8 @@ MOSanitizer.prototype.recursively_sanitize = function(elem) {
#IF MOZILLA
sanitize_element_onevent(current_elem);
#ENDIF
+ if (!this.payload_present)
+ force_noscript_tag(current_elem);
}
}
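Review bot: `force_noscript_tag(current_elem)` can detach `current_elem` from the document (via `replaceWith` or `remove`) while the traversal is still running. The loop that picks the next element is outside the hunk, so this cannot be confirmed here. If the next node is derived from `current_elem` after this call, the elements following a `<noscript>` would be skipped and left unsanitized. Choosing the next node before the call, or at least noting it with `/* May detach current_elem; the next node must already be chosen. */`, would make the ordering requirement explicit.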
@@ -391,7 +430,7 @@ async function sanitize_document(doc, policy) {
substitute_doc.documentElement.replaceWith(root);
#ENDIF
- const sanitizer = new MOSanitizer(root);
+ const sanitizer = new MOSanitizer(root, !!policy.payload);
sanitizer.start();
wait_loaded(doc).then(() => sanitizer.stop());