diff options
-rw-r--r-- | TODOS.org | 3 | ||||
-rw-r--r-- | background/background.html | 5 | ||||
-rw-r--r-- | background/policy_smuggler.js | 11 | ||||
-rw-r--r-- | common/gen_unique.js | 32 | ||||
-rw-r--r-- | common/sha256.js (renamed from background/sha256.js) | 0 | ||||
-rw-r--r-- | common/url_item.js (renamed from background/url_item.js) | 0 | ||||
-rw-r--r-- | content/main.js | 8 | ||||
-rw-r--r-- | manifest.json | 15 |
8 files changed, 66 insertions, 8 deletions
@@ -17,7 +17,7 @@ TODO: settings and settings for pages that currently happen to live in iframes - add some nice styling to settings page -- use non-predictable value in place of "myext-allow", utilizing hashes -- CRUCIAL +- find some way not to require each chrome user to modify manifest.json - rename the extension to something good - port to gecko-based browsers -- CRUCIAL - rename "bundles" to "bags" to avoid confusion with Web Bundles @@ -40,6 +40,7 @@ TODO: to manage imports/exports DONE: +- use non-predictable value in place of "myext-allow", utilizing hashes -- DONE 2021-05-12 - stop using modules (not available on all browsers) -- DONE 2021-05-12 - clean up the remnants of LibreJS -- DONE 2021-05-12 - implement whitelisting -- DONE 2021-05-07 diff --git a/background/background.html b/background/background.html index d453c47..c6621e2 100644 --- a/background/background.html +++ b/background/background.html @@ -10,9 +10,10 @@ <script src="./message_server.js"></script> <script src="/common/connection_types.js"></script> <script src="./storage_server.js"></script> - <script src="./url_item.js"></script> - <script src="./sha256.js"></script> + <script src="/common/url_item.js"></script> + <script src="/common/sha256.js"></script> <script src="./page_actions_server.js"></script> + <script src="/common/gen_unique.js"></script> <script src="./policy_smuggler.js"></script> <script src="./main.js"></script> </head> diff --git a/background/policy_smuggler.js b/background/policy_smuggler.js index 6d0da38..180dcb7 100644 --- a/background/policy_smuggler.js +++ b/background/policy_smuggler.js @@ -15,6 +15,7 @@ const get_storage = window.get_storage; const browser = window.browser; const url_item = window.url_item; + const gen_unique = window.gen_unique; var storage; @@ -26,12 +27,14 @@ let first_target = match[3]; let second_target = match[4]; - if (first_target === "#myext-allow") { + let url = url_item(request.url); + let unique = gen_unique(url); + + if (first_target === unique) { console.log(["not redirecting"]); return {cancel : false}; } - let url = url_item(request.url); let settings = storage.get(TYPE_PREFIX.PAGE, url); console.log("got", storage.get(TYPE_PREFIX.PAGE, url), "for", url); if (settings === undefined || !settings.allow) @@ -40,10 +43,10 @@ second_target = (first_target || "") + (second_target || "") console.log(["redirecting", request.url, - (base_url + "#myext-allow" + second_target)]); + (base_url + unique + second_target)]); return { - redirectUrl : (base_url + "#myext-allow" + second_target) + redirectUrl : (base_url + unique + second_target) }; } diff --git a/common/gen_unique.js b/common/gen_unique.js new file mode 100644 index 0000000..920426b --- /dev/null +++ b/common/gen_unique.js @@ -0,0 +1,32 @@ +/** +* Myext generating unique, per-site hash +* +* Copyright (C) 2021 Wojtek Kosior +* +* Dual-licensed under: +* - 0BSD license +* - GPLv3 or (at your option) any later version +*/ + +"use strict"; + +(() => { + const sha256 = window.sha256; + const browser = window.browser; + const is_chrome = window.is_chrome; + + function get_id() + { + if (is_chrome) + return browser.runtime.getManifest().key.substring(0, 50); + else + return browser.runtime.getURL("dummy"); + } + + function gen_unique(url) + { + return "#" + sha256(get_id() + url); + } + + window.gen_unique = gen_unique; +})(); diff --git a/background/sha256.js b/common/sha256.js index 271ec87..271ec87 100644 --- a/background/sha256.js +++ b/common/sha256.js diff --git a/background/url_item.js b/common/url_item.js index 7850871..7850871 100644 --- a/background/url_item.js +++ b/common/url_item.js diff --git a/content/main.js b/content/main.js index 282c7b5..c7f57bb 100644 --- a/content/main.js +++ b/content/main.js @@ -12,6 +12,8 @@ (() => { const handle_page_actions = window.handle_page_actions; + const url_item = window.url_item; + const gen_unique = window.gen_unique; var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/; var match = url_re.exec(document.URL); @@ -19,9 +21,13 @@ var first_target = match[3]; var second_target = match[4]; + // TODO: can be refactored *a little bit* with policy_smuggler.js + let url = url_item(document.URL); + let unique = gen_unique(url); + var block = true; if (first_target !== undefined && - first_target === "#myext-allow") { + first_target === unique) { block = false; console.log(["allowing", document.URL]); if (second_target !== undefined) diff --git a/manifest.json b/manifest.json index 85dde71..efdcba0 100644 --- a/manifest.json +++ b/manifest.json @@ -3,6 +3,18 @@ "name": "My extension", "short_name": "Myext", "version": "0.0.0", + /* + WARNING!!! + EACH USER SHOULD REPLACE "key" WITH UNIQUE VALUE!!! + OTHERWISE SECURITY CAN BE TRIVIALLY COMPROMISED! + + A unique key can be generated with: + $ ssh-keygen -f /path/to/new/key.pem -t rsa -b 1024 + + Only relevant to users of chrome-based browsers. + Users of FireFox forks are safe. + */ + "key": "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcnNhAAAAAwEAAQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAII4Dh7HOA4exwAAAAHc3NoLXJzYQAAAIEA+0GT5WNmRRo8e5tL9+BmNtY6aBPwLIgbPnLShYBMSR40iYwLTsccrkwBXb3bs1o4p6q5WJugI8Lsia+GXZc/XHGFkq7D1aWiTxlJLs8z0JC2TQ2/yatYmBMchogYGeeUfP7aI7JJZwpATts+VhIvgga/4FYj+DijMIEpwdckqFEAAAADAQABAAAAgEHB5/MhEKMFOs8e1cMJ97ZiWubiUPlWpcqyQmauLUj1nspg3JTBh8AWJEVkaxuFgU5gYCHQmRjC6yUdywyziOEkFA4r/WpX4WmbIe+GQHRHhitLN0dgF8N6/fVNOoa5StTdfZqyl23pVXyepoDNjrJFKyupqPMmpwfH5lGr9RwBAAAAQG76HflB/5j8P2YgIYX6dQT4Ei0SqiIjNVy7jFJUQDKSJg/PYkedE02JZJBJPcMYxEJUxXtMgq+upamNILfkmY0AAABBAP4v0O5dqjy16xDDFzb4DPNAcw5Za9KJaXKVkUuKXMNZOKTR0RC/upjNTmttY980RKdIx5zA25dO8cx563bSDIsAAABBAP0MaOpBiai/eRmLqhlthHODa+Mur6W3uc9PyhWhgDBjLNMR/doaYeyfVKxtIiN3a+HkN++G+vbokRweQv++bhMAAAANdXJ6QGxvY2FsaG9zdAECAwQFBg==", "author": "various", "description": "Kill the web&js", "applications": { @@ -52,6 +64,9 @@ "common/browser.js", "common/connection_types.js", "content/page_actions.js", + "common/url_item.js", + "common/sha256.js", + "common/gen_unique.js", "content/main.js" ] } |