Diffstat (limited to 'content')
-rw-r--r--content/policy_enforcing.js40
1 files changed, 36 insertions, 4 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 320b6d0..45529ea 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -159,6 +159,12 @@ function desanitize_script(script) {
delete script.haketilo_blocked_type;
}
+/*
+ * Blocking certain attributes that might allow 'javascript:' URLs. Some of
+ * these are: <iframe>'s 'src' attributes (would normally execute js in URL upon
+ * frame's load), <object>'s 'data' attribute (would also execute upon load) and
+ * <a>'s 'href' attribute (would execute upon link click).
+ */
const bad_url_reg = /^data:([^,;]*ml|unknown-content-type)|^javascript:/i;
function sanitize_element_urls(element) {
if (element.haketilo_sanitized_urls)
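Review bot: The `^javascript:` and `^data:` anchors on the `const bad_url_reg` line are applied to the raw attribute value, whereas the browser's URL parser strips leading and trailing ASCII whitespace and C0 control characters before it recognises the scheme, so an attribute value that only differs by such a prefix passes the filter but is still resolved as a javascript: or data: URL. Admitting that prefix in the pattern closes the gap: `const bad_url_reg = /^[\x00-\x20]*(data:([^,;]*ml|unknown-content-type)|javascript:)/i;`. Since the parser also drops ASCII tab and newline anywhere in the input, the filter in sanitize_element_urls would mirror what the browser actually parses by testing `attr.value.replace(/[\t\n\r]/g, "")` instead of `attr.value`; that filter line is context in the next hunk. The body of `sanitize_element_urls` continues past the end of this hunk.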
@@ -166,13 +172,37 @@ function sanitize_element_urls(element) {
element.haketilo_sanitized_urls = true;
+ let some_attr_blocked = false;
+
for (const attr of [...element.attributes || []]
.filter(attr => /^(href|src|data)$/i.test(attr.localName))
.filter(attr => bad_url_reg.test(attr.value))) {
+ /*
+ * Under some browsers (Mozilla) removing attributes doesn't stop their
+ * javascript from executing, but replacing them does. For 'src' and
+ * 'data' I chose to replace the attribute with a 'data:' URL and have
+ * it replace bad <iframe>'s/<object>'s contents with a "blocked"
+ * string. For 'href' (which appears on <a>'s) I chose to use a
+ * 'javascript:' URL to avoid having the page reloaded upon a link
+ * click.
+ */
const replacement_value = /^href$/i.test(attr.localName) ?
- "javascript:void('blocked');" : "data:text/plain,blocked";
+ "javascript:void('blocked');" : "data:text/plain,blocked";
+ some_attr_blocked = true;
block_attribute(element, attr.localName, attr.namespaceURI,
- replacement_value);
+ replacement_value);
+ }
+
+ /*
+ * Trial and error shows that under certain browsers additional element
+ * removal and re-addition might be necessary to prevent execution of a
+ * 'javascript:' URL (Parabola's Iceweasel 75 requires it for 'src' URL of
+ * an <iframe>).
+ */
+ if (some_attr_blocked) {
+ const replacement_elem = document.createElement("a");
+ element.replaceWith(replacement_elem);
+ replacement_elem.replaceWith(element);
}
}
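Review bot: The detach/re-attach pair `element.replaceWith(replacement_elem); replacement_elem.replaceWith(element);` has side effects the comment above it does not mention: re-inserting a node notifies mutation observers and, as far as I know, causes an `<iframe>`/`<object>` to reload, so the step must stay after the attribute loop so that the reload picks up the already replaced `src`/`data` value. `ChildNode.replaceWith` is a no-op when the element has no parent, so this workaround only covers elements that are already in the document when sanitized; whether detached elements ever reach this function I cannot tell from the hunk. Suggest extending the comment with: `* Must run after the attribute loop: re-insertion reloads <iframe>s/<object>s with the (already replaced) URL and is a no-op for detached elements.` The enclosing `sanitize_element_urls` starts before this hunk.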
@@ -189,8 +219,10 @@ function sanitize_element_onevent(element) {
continue;
/*
- * Guard against redefined getter on DOM object property. This should
- * not be an issue */
+ * Guard against redefined getter on DOM object property. This is a
+ * supplemental security measure since page's own scripts should be
+ * blocked and unable to redefine properties, anyway.
+ */
if (Object.getOwnPropertyDescriptor(element.wrappedJSObject, attr)) {
console.error("Redefined property on a DOM object! The page might have bypassed our script blocking measures!");
continue;
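Review bot: The reworded comment beginning `Guard against redefined getter on DOM object property` overstates what the following `if` detects: `Object.getOwnPropertyDescriptor(element.wrappedJSObject, attr)` only reports a property defined directly on that element instance, so a getter replaced on a prototype in the element's chain is not caught by this check (whether that case is handled elsewhere I cannot tell from the hunk). The comment should state that scope so the next maintainer does not rely on it as a complete guard, e.g. `* Only own-property redefinitions on the element itself are detected here;` `* a getter replaced on the prototype chain is not.` The enclosing `sanitize_element_onevent` starts before and ends after this hunk.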