author | Wojtek Kosior <koszko@koszko.org> | 2021-07-20 10:17:19 +0200 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2021-07-20 10:17:19 +0200 |
commit | 0c7c1ebddab49e1e0b1ad4cc4c8fcdeedd220946 (patch) | |
tree | 1afd10275310177cf28991ad021cfb74e4add9f3 /content | |
parent | 1789f17466847d731d0bafa67b6d76526ca32b1d (diff) | |
parent | ecb787046271de708b94da70240713e725299d86 (diff) | |
Merge commit 'ecb787046271de708b94da70240713e725299d86'
Diffstat (limited to 'content')
-rw-r--r-- | content/freezer.js | 2 | ||||
-rw-r--r-- | content/main.js | 73 | ||||
-rw-r--r-- | content/page_actions.js | 5 |
3 files changed, 27 insertions, 53 deletions
diff --git a/content/freezer.js b/content/freezer.js index 8e543a6..9dbc95e 100644 --- a/content/freezer.js +++ b/content/freezer.js @@ -49,7 +49,7 @@ function mozilla_suppress_scripts(e) { console.log('Script suppressor has detached.'); return; } - else if (e.isTrusted) { // Prevent blocking of injected scripts + if (e.isTrusted && !e.target._hachette_payload) { e.preventDefault(); console.log('Suppressed script', e.target); } diff --git a/content/main.js b/content/main.js index b044c82..af8cd7c 100644 --- a/content/main.js +++ b/content/main.js @@ -8,7 +8,6 @@ /* * IMPORTS_START - * IMPORT CONNECTION_TYPE * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target @@ -18,7 +17,6 @@ * IMPORT is_privileged_url * IMPORT sanitize_attributes * IMPORT mozilla_suppress_scripts - * IMPORT browser * IMPORT is_chrome * IMPORT is_mozilla * IMPORT start_activity_info_server 
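Review bot: The new condition `if (e.isTrusted && !e.target._hachette_payload)` in mozilla_suppress_scripts exempts any script element carrying the `_hachette_payload` expando, and the comment that explained the exemption was removed with the old line. The property is set by add_script in content/page_actions.js (later in this diff), so the check only holds if page scripts cannot set an expando that the content script sees on the same node. I believe Firefox's content-script wrappers give that isolation, but it should be confirmed and written down. I would add above the `if`: `/* _hachette_payload is set only by add_script(); this relies on page scripts being unable to set it on the content-script view of the node */`. The function body starts and ends outside this hunk.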
@@ -28,39 +26,15 @@ /* * Due to some technical limitations the chosen method of whitelisting sites * is to smuggle whitelist indicator in page's url as a "magical" string - * after '#'. Right now this is not needed in HTTP(s) pages where native - * script blocking happens through CSP header injection but is needed for - * protocols like ftp:// and file://. + * after '#'. Right now this is only supplemental in HTTP(s) pages where + * blocking of native scripts also happens through CSP header injection but is + * necessary for protocols like ftp:// and file://. * * The code that actually injects the magical string into ftp:// and file:// * urls has not yet been added to the extension. */ -let url = url_item(document.URL); -let unique = gen_unique(url); - - -function is_http() -{ - return !!/^https?:\/\//i.exec(document.URL); -} - -function is_whitelisted() -{ - const parsed_url = url_extract_target(document.URL); - - if (parsed_url.target !== undefined && - parsed_url.target === '#' + unique) { - if (parsed_url.target2 !== undefined) - window.location.href = parsed_url.base_url + parsed_url.target2; - else - history.replaceState(null, "", parsed_url.base_url); - - return true; - } - - return false; -} +var nonce = undefined; function handle_mutation(mutations, observer) { @@ -85,9 +59,8 @@ function block_nodes_recursively(node) function block_node(node) { /* - * Modifying <script> element doesn't always prevent its - * execution in some Mozilla browsers. Additional blocking - * through CSP meta tag injection is required. + * Modifying <script> element doesn't always prevent its execution in some + * Mozilla browsers. This is Chromium-specific code. */ if (node.tagName === "SCRIPT") { block_script(node); 
@@ -126,24 +99,20 @@ function inject_csp(head) } if (!is_privileged_url(document.URL)) { - start_activity_info_server(); - var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); - - if (is_http()) { - /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */ - const nonce_capturer = msg => { - port.onMessage.removeListener(nonce_capturer); - handle_page_actions(msg[1], port); - }; - - port.onMessage.addListener(nonce_capturer); - - } else if (is_whitelisted()) { - /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */ - handle_page_actions(null, port); - } else { - nonce = gen_nonce(); - handle_page_actions(nonce, port); + const targets = url_extract_target(document.URL); + if (targets.policy) { + if (targets.target2) + window.location.href = targets.base_url + targets.target2; + else + history.replaceState(null, "", targets.base_url); + } + + const policy = targets.current ? targets.policy : {}; + + nonce = policy.nonce || gen_nonce(); + handle_page_actions(nonce); + + if (!policy.allow) { block_nodes_recursively(document.documentElement); if (is_chrome) { @@ -158,4 +127,6 @@ if (!is_privileged_url(document.URL)) { if (is_mozilla) addEventListener('beforescriptexecute', mozilla_suppress_scripts, true); } + + start_activity_info_server(); } diff --git a/content/page_actions.js b/content/page_actions.js index dff5f71..75cc4d9 100644 --- a/content/page_actions.js +++ b/content/page_actions.js @@ -7,6 +7,7 @@ /* * IMPORTS_START + * IMPORT CONNECTION_TYPE * IMPORT browser * IMPORT report_script * IMPORT report_settings 
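Review bot: In the `@@ -126,24 +99,20 @@` hunk, `const policy = targets.current ? targets.policy : {};` takes both `allow` and `nonce` from the URL fragment, which whoever links to or navigates the page can choose. The decision to skip blocking therefore rests entirely on how url_extract_target sets `current`, which is not visible here. If `current` can ever be truthy while `policy` is missing, `policy.nonce` throws before `block_nodes_recursively` runs and the page is left unblocked; `const policy = (targets.current && targets.policy) || {};` keeps that path fail-closed. A short comment stating what authenticates the fragment would also help, since the removed code made this explicit by comparing against `gen_unique(url)`. The enclosing `if (!is_privileged_url(document.URL))` block starts in this hunk and ends in the next one.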
@@ -49,13 +50,15 @@ function add_script(script_text) let script = document.createElement("script"); script.textContent = script_text; script.setAttribute("nonce", nonce); + script._hachette_payload = true; document.body.appendChild(script); report_script(script_text); } -function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js +function handle_page_actions(script_nonce) { document.addEventListener("DOMContentLoaded", document_loaded); + port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); port.onMessage.addListener(handle_message); port.postMessage({url: document.URL}); |
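Review bot: `port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});` in handle_page_actions assigns to `port` now that the parameter is gone, and no declaration of `port` is visible in this hunk. If the file has no top-level declaration, this creates an implicit global (or throws in strict mode), so please confirm one exists and add `var port;` at file level if not. The comment dropped from the signature could be replaced by a short docstring saying that handle_page_actions opens the PAGE_ACTIONS connection itself and that `script_nonce` is presumably the nonce add_script puts on injected scripts. The function continues beyond the hunk.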