author | jahoti <jahoti@tilde.team> | 2021-06-28 00:00:00 +0000 |
---|---|---|
committer | jahoti <jahoti@tilde.team> | 2021-06-28 00:00:00 +0000 |
commit | edbbe4002dadd31fd7eab0522a953e1b1b435767 (patch) | |
tree | 51a3a8fdf0f7cbcc8cd3145d15a4c7dc41cc2920 /content | |
parent | 86ad1c6e0cf8a9ec3a529be10d7c7d1bfdf4620e (diff) | |
download | browser-extension-edbbe4002dadd31fd7eab0522a953e1b1b435767.tar.gz browser-extension-edbbe4002dadd31fd7eab0522a953e1b1b435767.zip |
License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly
blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML
data: urls should be refined (eventually) to align with current practice for
pages in general.
Also, script-blocking is now filtered by nonce, making it possible (albeit
perhaps not desirable) to inject scripts before the DOM is complete.
Diffstat (limited to 'content')
-rw-r--r-- | content/main.js | 28 |
1 files changed, 6 insertions, 22 deletions
diff --git a/content/main.js b/content/main.js
index 4eea6be..2a46c7e 100644
--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
 const handle_page_actions = window.handle_page_actions;
 const url_item = window.url_item;
 const gen_unique = window.gen_unique;
+ const sanitize_attributes = window.sanitize_attributes;

 /*
 * Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
 let url = url_item(document.URL);
 let unique = gen_unique(url);
 let nonce = unique.substring(1);
+
+ const scriptSuppressor = window.scriptSuppressor(nonce);

 function needs_blocking()
 {
@@ -105,29 +108,10 @@ script-src-elem 'nonce-${nonce}';\
 node.appendChild(meta);
 }

- function sanitize_attributes(node)
- {
- if (node.attributes === undefined)
- return;
-
- /*
- * We have to do it in 2 loops, removing attribute modifies
- * our iterator
- */
- let attr_names = [];
- for (let attr of node.attributes) {
- let attr_name = attr.localName;
- if (attr_name.startsWith("on"))
- attr_names.push(attr_name);
- }
-
- for (let attr_name of attr_names) {
- node.removeAttribute(attr_name);
- console.log("sanitized", attr_name);
- }
- }
-
 if (needs_blocking()) {
+ // Script blocking for Gecko
+ addEventListener('beforescriptexecute', scriptSuppressor, true);
+
 var observer = new MutationObserver(handle_mutation);
 observer.observe(document.documentElement, {
 attributes: true, |
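Review bot: In the second hunk (`@@ -26,6 +27,8 @@`), `const scriptSuppressor = window.scriptSuppressor(nonce);` runs unconditionally at the top of the content script, before `needs_blocking()` is consulted and with no check that `window.scriptSuppressor` is defined. Its definition and the load order of the script that provides it are outside this diff (limited to 'content'); if it is ever missing, the call throws and the later CSP and observer set-up would presumably never run, which fails open. I would move the line inside the `if (needs_blocking())` branch where it is used and add a comment such as `// requires the script defining window.scriptSuppressor to be loaded before content/main.js`. Since the suppressor is keyed on the same `nonce` that is interpolated into the `script-src-elem 'nonce-${nonce}'` policy, a short comment stating that `gen_unique(url)` must not be predictable from the URL alone would also help; that property cannot be confirmed from the lines shown.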
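Review bot: The comment `// Script blocking for Gecko` in the third hunk (`@@ -105,29 +108,10 @@`) understates what the new `beforescriptexecute` listener covers: the event is non-standard, only Gecko dispatches it, and it fires for `<script>` elements, not for `on*` attributes or `javascript:` URLs. I would expand the comment to something like `// Gecko only: beforescriptexecute is non-standard and covers <script> elements; inline handlers and javascript:/data: URLs are handled separately`. It is also worth stating that the listener must be installed before the parser reaches the first script; the content script's injection timing is not visible here. The same hunk moves `sanitize_attributes` out of this file, so its `on*` stripping and call sites cannot be checked from this diff, and the `if (needs_blocking())` block continues past the end of the hunk.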