diff options
Diffstat (limited to 'content')
| -rw-r--r-- | content/freezer.js | 2 | ||||
| -rw-r--r-- | content/main.js | 31 | ||||
| -rw-r--r-- | content/page_actions.js | 1 |
3 files changed, 18 insertions, 16 deletions
diff --git a/content/freezer.js b/content/freezer.js index 8e543a6..9dbc95e 100644 --- a/content/freezer.js +++ b/content/freezer.js @@ -49,7 +49,7 @@ function mozilla_suppress_scripts(e) { console.log('Script suppressor has detached.'); return; } - else if (e.isTrusted) { // Prevent blocking of injected scripts + if (e.isTrusted && !e.target._hachette_payload) { e.preventDefault(); console.log('Suppressed script', e.target); } diff --git a/content/main.js b/content/main.js index a5e04fd..af8cd7c 100644 --- a/content/main.js +++ b/content/main.js @@ -11,7 +11,6 @@ * IMPORT handle_page_actions * IMPORT url_item * IMPORT url_extract_target - * IMPORT url_extract_policy * IMPORT gen_unique * IMPORT gen_nonce * IMPORT csp_rule @@ -27,14 +26,16 @@ /* * Due to some technical limitations the chosen method of whitelisting sites * is to smuggle whitelist indicator in page's url as a "magical" string - * after '#'. Right now this is not needed in HTTP(s) pages where native - * script blocking happens through CSP header injection but is needed for - * protocols like ftp:// and file://. + * after '#'. Right now this is only supplemental in HTTP(s) pages where + * blocking of native scripts also happens through CSP header injection but is + * necessary for protocols like ftp:// and file://. * * The code that actually injects the magical string into ftp:// and file:// * urls has not yet been added to the extension. */ +var nonce = undefined; + function handle_mutation(mutations, observer) { if (document.readyState === 'complete') { @@ -58,9 +59,8 @@ function block_nodes_recursively(node) function block_node(node) { /* - * Modifying <script> element doesn't always prevent its - * execution in some Mozilla browsers. Additional blocking - * through CSP meta tag injection is required. + * Modifying <script> element doesn't always prevent its execution in some + * Mozilla browsers. This is Chromium-specific code. */ if (node.tagName === "SCRIPT") { block_script(node); @@ -99,21 +99,20 @@ function inject_csp(head) } if (!is_privileged_url(document.URL)) { - const targets = url_extract_policy(document.URL); + const targets = url_extract_target(document.URL); if (targets.policy) { - if (targets.target2 !== undefined) + if (targets.target2) window.location.href = targets.base_url + targets.target2; else history.replaceState(null, "", targets.base_url); } - - targets.policy = targets.current ? targets.policy : {}; - - const nonce = targets.policy.nonce || gen_nonce(); - start_activity_info_server(); + + const policy = targets.current ? targets.policy : {}; + + nonce = policy.nonce || gen_nonce(); handle_page_actions(nonce); - if (!targets.policy.allow) { + if (!policy.allow) { block_nodes_recursively(document.documentElement); if (is_chrome) { @@ -128,4 +127,6 @@ if (!is_privileged_url(document.URL)) { if (is_mozilla) addEventListener('beforescriptexecute', mozilla_suppress_scripts, true); } + + start_activity_info_server(); } diff --git a/content/page_actions.js b/content/page_actions.js index fd405fe..75cc4d9 100644 --- a/content/page_actions.js +++ b/content/page_actions.js @@ -50,6 +50,7 @@ function add_script(script_text) let script = document.createElement("script"); script.textContent = script_text; script.setAttribute("nonce", nonce); + script._hachette_payload = true; document.body.appendChild(script); report_script(script_text); |