test script blocking with and without the CSP-based approach on

1 files changed, 45 insertions, 17 deletions

diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 25c8b6b..8e26afb 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -109,7 +109,7 @@ function wait_for_head(doc, detached_html) {
 
 const blocked_str = "blocked";
 
-function block_attribute(node, attr, ns=null, replace_with="") {
+function block_attribute(node, attr, ns=null, replace_with=null) {
     const [hasa, geta, seta, rema] = ["has", "get", "set", "remove"]
 	  .map(m => (n, ...args) => typeof ns === "string" ?
 	       n[`${m}AttributeNS`](ns, ...args) : n[`${m}Attribute`](...args));
@@ -128,7 +128,8 @@ function block_attribute(node, attr, ns=null, replace_with="") {
     }
 
     rema(node, attr);
-    seta(node, attr, replace_with);
+    if (replace_with !== null)
+	seta(node, attr, replace_with);
 }
 
 /*
@@ -180,11 +181,40 @@ function sanitize_tree_urls(root) {
 	.forEach(sanitize_element_urls);
 }
 
-function start_urls_sanitizing(doc) {
-    sanitize_tree_urls(doc);
+#IF MOZILLA
+function sanitize_element_onevent(element) {
+    for (const attribute_node of (element.attributes || [])) {
+	const attr = attribute_node.localName, attr_lo = attr.toLowerCase();;
+	if (!/^on/.test(attr_lo) || !(attr_lo in element.wrappedJSObject))
+	    continue;
+
+	/*
+	 * Guard against redefined getter on DOM object property. This should
+	 * not be an issue  */
+	if (Object.getOwnPropertyDescriptor(element.wrappedJSObject, attr)) {
+	    console.error("Redefined property on a DOM object! The page might have bypassed our script blocking measures!");
+	    continue;
+	}
+	element.wrappedJSObject[attr] = null;
+	block_attribute(element, attr, attribute_node.namespaceURI,
+			"javascript:void('blocked');");
+    }
+}
+
+function sanitize_tree_onevent(root) {
+    root.querySelectorAll("*")
+	.forEach(sanitize_element_onevent);
+}
+#ENDIF
+
+function start_mo_sanitizing(doc) {
     if (!doc.content_loaded) {
-	const mutation_handler =
-	      m => m.addedNodes.forEach(sanitize_element_urls);
+	function mutation_handler(mutation) {
+	    mutation.addedNodes.forEach(sanitize_element_urls);
+#IF MOZILLA
+	    mutation.addedNodes.forEach(sanitize_element_onevent);
+#ENDIF
+	}
 	const mo = new MutationObserver(ms => ms.forEach(mutation_handler));
 	mo.observe(doc, {childList: true, subtree: true});
 	wait_loaded(doc).then(() => mo.disconnect());
@@ -225,13 +255,8 @@ async function sanitize_document(doc, policy) {
     doc.addEventListener(...listener_args);
     wait_loaded(doc).then(() => doc.removeEventListener(...listener_args));
 
-    for (const elem of doc.querySelectorAll("*")) {
-	[...elem.attributes].map(attr => attr.localName)
-	    .filter(attr => /^on/.test(attr) && elem.wrappedJSObject[attr])
-	    .forEach(attr => elem.wrappedJSObject[attr] = null);
-    }
-
     sanitize_tree_urls(doc.documentElement);
+    sanitize_tree_onevent(doc.documentElement);
 #ENDIF
 
     /*
@@ -251,7 +276,7 @@ async function sanitize_document(doc, policy) {
     Loading...
   </body>
 </html>`;
-    const html =
+    const temporary_html =
 	  new DOMParser().parseFromString(source, "text/html").documentElement;
 
     /*
@@ -259,7 +284,7 @@ async function sanitize_document(doc, policy) {
      * and sanitized.
      */
     const root = doc.documentElement;
-    root.replaceWith(html);
+    root.replaceWith(temporary_html);
 
     /*
      * When we don't inject payload, we neither block document's CSP `<meta>'
@@ -272,12 +297,15 @@ async function sanitize_document(doc, policy) {
 	    .forEach(m => sanitize_meta(m, policy));
     }
 
-    root.querySelectorAll("script").forEach(s => sanitize_script(s, policy));
     sanitize_tree_urls(root);
-    html.replaceWith(root);
+    root.querySelectorAll("script").forEach(s => sanitize_script(s, policy));
+    temporary_html.replaceWith(root);
     root.querySelectorAll("script").forEach(s => desanitize_script(s, policy));
+#IF MOZILLA
+    sanitize_tree_onevent(root);
+#ENDIF
 
-    start_urls_sanitizing(doc);
+    start_mo_sanitizing(doc);
 }
 
 async function _disable_service_workers() {