authorjahoti <jahoti@tilde.team>2021-06-28 00:00:00 +0000
committerjahoti <jahoti@tilde.team>2021-06-28 00:00:00 +0000
commitedbbe4002dadd31fd7eab0522a953e1b1b435767 (patch)
tree51a3a8fdf0f7cbcc8cd3145d15a4c7dc41cc2920 /content
parent86ad1c6e0cf8a9ec3a529be10d7c7d1bfdf4620e (diff)
License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete.
Diffstat (limited to 'content')
-rw-r--r--content/main.js28
1 files changed, 6 insertions, 22 deletions
diff --git a/content/main.js b/content/main.js
index 4eea6be..2a46c7e 100644
--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
const handle_page_actions = window.handle_page_actions;
const url_item = window.url_item;
const gen_unique = window.gen_unique;
+ const sanitize_attributes = window.sanitize_attributes;
/*
* Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
let url = url_item(document.URL);
let unique = gen_unique(url);
let nonce = unique.substring(1);
+
+ const scriptSuppressor = window.scriptSuppressor(nonce);
function needs_blocking()
{
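Review bot: The added `const scriptSuppressor = window.scriptSuppressor(nonce);` runs unconditionally, outside `needs_blocking()`, so if the script that defines `window.scriptSuppressor` was not loaded first, the call throws. Everything after it, including the CSP injection and the mutation observer, would then presumably never run, which fails open. The load order is not visible in this diff and should be confirmed in the manifest. I would add a comment naming the file that must load first, or move the call inside the `if (needs_blocking())` block so that an unblocked page does not depend on it. The same dependency applies to `window.sanitize_attributes` in the first hunk, where a missing helper only fails later, when it is called. Since the suppressor now filters by `nonce`, a short comment should also state that the filter is only as strong as the page's inability to predict `gen_unique(url)`, whose body is not shown here.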
@@ -105,29 +108,10 @@ script-src-elem 'nonce-${nonce}';\
node.appendChild(meta);
}
- function sanitize_attributes(node)
- {
- if (node.attributes === undefined)
- return;
-
- /*
- * We have to do it in 2 loops, removing attribute modifies
- * our iterator
- */
- let attr_names = [];
- for (let attr of node.attributes) {
- let attr_name = attr.localName;
- if (attr_name.startsWith("on"))
- attr_names.push(attr_name);
- }
-
- for (let attr_name of attr_names) {
- node.removeAttribute(attr_name);
- console.log("sanitized", attr_name);
- }
- }
-
if (needs_blocking()) {
+ // Script blocking for Gecko
+ addEventListener('beforescriptexecute', scriptSuppressor, true);
+
var observer = new MutationObserver(handle_mutation);
observer.observe(document.documentElement, {
attributes: true,
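Review bot: The comment `// Script blocking for Gecko` leaves out a limitation that matters for security: `beforescriptexecute` is a non-standard, Firefox-only event that fires for `<script>` elements only. It does not cover inline `on*` handler attributes or `javascript:` URLs, so the CSP meta tag and `sanitize_attributes` stay the actual enforcement for those vectors and on other browsers. I would expand the comment to something like `// Gecko-only, non-standard event: defence in depth on top of the CSP and attribute sanitizing, not a replacement for them`. The body of `sanitize_attributes` removed here now comes from `window` and its new definition is not in this diff, so it is worth checking that it still strips every attribute whose name starts with `on`. The `if (needs_blocking())` block continues past the end of the hunk.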