diff options
Diffstat (limited to 'content')
-rw-r--r-- | content/freezer.js | 2 | ||||
-rw-r--r-- | content/main.js | 73 | ||||
-rw-r--r-- | content/page_actions.js | 5 |
3 files changed, 27 insertions, 53 deletions
diff --git a/content/freezer.js b/content/freezer.js index 8e543a6..9dbc95e 100644 --- a/content/freezer.js +++ b/content/freezer.js @@ -49,7 +49,7 @@ function mozilla_suppress_scripts(e) { console.log('Script suppressor has detached.'); return; } - else if (e.isTrusted) { // Prevent blocking of injected scripts + if (e.isTrusted && !e.target._hachette_payload) { e.preventDefault(); console.log('Suppressed script', e.target); } diff --git a/content/main.js b/content/main.js index b044c82..af8cd7c 100644 --- a/content/main.js +++ b/content/main.js @@ -8,7 +8,6 @@ /* * IMPORTS_START - * IMPORT CONNECTION_TYPE * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target @@ -18,7 +17,6 @@ * IMPORT is_privileged_url * IMPORT sanitize_attributes * IMPORT mozilla_suppress_scripts - * IMPORT browser * IMPORT is_chrome * IMPORT is_mozilla * IMPORT start_activity_info_server @@ -28,39 +26,15 @@ /* * Due to some technical limitations the chosen method of whitelisting sites * is to smuggle whitelist indicator in page's url as a "magical" string - * after '#'. Right now this is not needed in HTTP(s) pages where native - * script blocking happens through CSP header injection but is needed for - * protocols like ftp:// and file://. + * after '#'. Right now this is only supplemental in HTTP(s) pages where + * blocking of native scripts also happens through CSP header injection but is + * necessary for protocols like ftp:// and file://. * * The code that actually injects the magical string into ftp:// and file:// * urls has not yet been added to the extension. */ -let url = url_item(document.URL); -let unique = gen_unique(url); - - -function is_http() -{ - return !!/^https?:\/\//i.exec(document.URL); -} - -function is_whitelisted() -{ - const parsed_url = url_extract_target(document.URL); - - if (parsed_url.target !== undefined && - parsed_url.target === '#' + unique) { - if (parsed_url.target2 !== undefined) - window.location.href = parsed_url.base_url + parsed_url.target2; - else - history.replaceState(null, "", parsed_url.base_url); - - return true; - } - - return false; -} +var nonce = undefined; function handle_mutation(mutations, observer) { @@ -85,9 +59,8 @@ function block_nodes_recursively(node) function block_node(node) { /* - * Modifying <script> element doesn't always prevent its - * execution in some Mozilla browsers. Additional blocking - * through CSP meta tag injection is required. + * Modifying <script> element doesn't always prevent its execution in some + * Mozilla browsers. This is Chromium-specific code. */ if (node.tagName === "SCRIPT") { block_script(node); @@ -126,24 +99,20 @@ function inject_csp(head) } if (!is_privileged_url(document.URL)) { - start_activity_info_server(); - var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); - - if (is_http()) { - /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */ - const nonce_capturer = msg => { - port.onMessage.removeListener(nonce_capturer); - handle_page_actions(msg[1], port); - }; - - port.onMessage.addListener(nonce_capturer); - - } else if (is_whitelisted()) { - /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */ - handle_page_actions(null, port); - } else { - nonce = gen_nonce(); - handle_page_actions(nonce, port); + const targets = url_extract_target(document.URL); + if (targets.policy) { + if (targets.target2) + window.location.href = targets.base_url + targets.target2; + else + history.replaceState(null, "", targets.base_url); + } + + const policy = targets.current ? targets.policy : {}; + + nonce = policy.nonce || gen_nonce(); + handle_page_actions(nonce); + + if (!policy.allow) { block_nodes_recursively(document.documentElement); if (is_chrome) { @@ -158,4 +127,6 @@ if (!is_privileged_url(document.URL)) { if (is_mozilla) addEventListener('beforescriptexecute', mozilla_suppress_scripts, true); } + + start_activity_info_server(); } diff --git a/content/page_actions.js b/content/page_actions.js index dff5f71..75cc4d9 100644 --- a/content/page_actions.js +++ b/content/page_actions.js @@ -7,6 +7,7 @@ /* * IMPORTS_START + * IMPORT CONNECTION_TYPE * IMPORT browser * IMPORT report_script * IMPORT report_settings @@ -49,13 +50,15 @@ function add_script(script_text) let script = document.createElement("script"); script.textContent = script_text; script.setAttribute("nonce", nonce); + script._hachette_payload = true; document.body.appendChild(script); report_script(script_text); } -function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js +function handle_page_actions(script_nonce) { document.addEventListener("DOMContentLoaded", document_loaded); + port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS}); port.onMessage.addListener(handle_message); port.postMessage({url: document.URL}); |