Diffstat (limited to 'content')
-rw-r--r-- | content/policy_enforcing.js | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/content/policy_enforcing.js b/content/policy_enforcing.js
index 320b6d0..45529ea 100644
--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -159,6 +159,12 @@ function desanitize_script(script)
 {
 delete script.haketilo_blocked_type;
 }
+/*
+ * Blocking certain attributes that might allow 'javascript:' URLs. Some of
+ * these are: <iframe>'s 'src' attributes (would normally execute js in URL upon
+ * frame's load), <object>'s 'data' attribute (would also execute upon load) and
+ * <a>'s 'href' attribute (would execute upon link click).
+ */
 const bad_url_reg = /^data:([^,;]*ml|unknown-content-type)|^javascript:/i;
 function sanitize_element_urls(element)
 {
 if (element.haketilo_sanitized_urls)
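Review bot: The added comment above `bad_url_reg` describes it as blocking attributes that might allow 'javascript:' URLs, but the regex on the next line also rejects `data:` URLs whose media type ends in `ml` and those of `unknown-content-type`, and that half of the rule is left unexplained. I'd extend the comment with a sentence such as `* 'data:' URLs with markup media types (e.g. text/html, image/svg+xml) are blocked as well, since a document loaded from them can run script.` A short pointer that the regex is applied by sanitize_element_urls to src/data/href values would also help, since that function's body continues in the next hunk.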
@@ -166,13 +172,37 @@ function sanitize_element_urls(element)
 element.haketilo_sanitized_urls = true;
+ let some_attr_blocked = false;
+ for (const attr of [...element.attributes || []]
 .filter(attr => /^(href|src|data)$/i.test(attr.localName))
 .filter(attr => bad_url_reg.test(attr.value))) {
+ /*
+ * Under some browsers (Mozilla) removing attributes doesn't stop their
+ * javascript from executing, but replacing them does. For 'src' and
+ * 'data' I chose to replace the attribute with a 'data:' URL and have
+ * it replace bad <iframe>'s/<object>'s contents with a "blocked"
+ * string. For 'href' (which appears on <a>'s) I chose to use a
+ * 'javascript:' URL to avoid having the page reloaded upon a link
+ * click.
+ */
 const replacement_value = /^href$/i.test(attr.localName) ?
- "javascript:void('blocked');" : "data:text/plain,blocked";
+ "javascript:void('blocked');" : "data:text/plain,blocked";
+ some_attr_blocked = true;
 block_attribute(element, attr.localName, attr.namespaceURI,
- replacement_value);
+ replacement_value);
+ }
+
+ /*
+ * Trial and error shows that under certain browsers additional element
+ * removal and re-addition might be necessary to prevent execution of a
+ * 'javascript:' URL (Parabola's Iceweasel 75 requires it for 'src' URL of
+ * an <iframe>).
+ */
+ if (some_attr_blocked) {
+ const replacement_elem = document.createElement("a");
+ element.replaceWith(replacement_elem);
+ replacement_elem.replaceWith(element);
 }
 }
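Review bot: `bad_url_reg` is tested against the raw `attr.value` in the second `.filter`, so the `^`-anchored match can miss values that the browser's URL parser still resolves to a `javascript:` or `data:` scheme, because that parser strips leading and trailing whitespace/C0 controls and ignores ASCII tab, LF and CR anywhere in the input. I'd test a normalized copy instead, e.g. `.filter(attr => bad_url_reg.test(attr.value.replace(/[\t\n\r]/g, "").trim()))`. The attribute allowlist `/^(href|src|data)$/i` also covers only three names while the new comment's "Some of these are" wording acknowledges there are more (`formaction` and SVG's `xlink:href` carry URLs too); either extend the list or document the gap next to the regex. As a style point, the arrow parameters in both `.filter` calls shadow the loop variable `attr`; renaming them (e.g. `a`) avoids confusion. sanitize_element_urls' opening guard sits in the previous hunk, so the function starts outside this one.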
@@ -189,8 +219,10 @@ function sanitize_element_onevent(element) { continue;
 /*
- * Guard against redefined getter on DOM object property. This should
- * not be an issue */
+ * Guard against redefined getter on DOM object property. This is a
+ * supplemental security measure since page's own scripts should be
+ * blocked and unable to redefine properties, anyway.
+ */
 if (Object.getOwnPropertyDescriptor(element.wrappedJSObject, attr)) {
 console.error("Redefined property on a DOM object! The page might have bypassed our script blocking measures!");
 continue; |
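Review bot: The reworded comment now presents the `getOwnPropertyDescriptor` check as a security measure, so it should also state what that check can see: `Object.getOwnPropertyDescriptor` reports only an own property of `element.wrappedJSObject`, so the guard detects an accessor defined directly on the element object and nothing defined further up the prototype chain. I'd add a line such as `* Note: only own-property redefinitions on the unwrapped element are detected here.` to keep the comment accurate. The `wrappedJSObject` access is a Firefox (Xray wrapper) feature; if this file is expected to run in other browsers the comment could say how that case is handled — I can't tell from the hunk. sanitize_element_onevent starts and ends outside this hunk.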