From edbbe4002dadd31fd7eab0522a953e1b1b435767 Mon Sep 17 00:00:00 2001 From: jahoti Date: Mon, 28 Jun 2021 00:00:00 +0000 Subject: License script-blocking techniques from NoScript in machine-readable format. In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete. --- TODOS.org | 13 ++++++++----- content/main.js | 28 ++++++---------------------- copyright | 22 +++++++++++++++++++++- manifest.json | 1 + 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/TODOS.org b/TODOS.org index 8fe65d2..63f7985 100644 --- a/TODOS.org +++ b/TODOS.org @@ -19,13 +19,10 @@ TODO: - add some nice styling to settings page - make script bag components re-orderable (via drag&drop in options page) -- CRUCIAL - find some way not to require each chrome user to modify manifest.json -- rename the extension to something good - test with more browser forks (Abrowser, Parabola IceWeasel, LibreWolf) - also see if browsers based on pre-quantum FF support enough of WebExtensions for easy porting - make sure page's own csp in doesn't block our scripts -- make blocking more torough -- CRUCIAL - - mind the data: urls -- CRUCIAL - find out how and make it possible to whitelist non-https urls and whether we can inject csp to them - create a repository to host scripts @@ -47,11 +44,17 @@ TODO: - make extension's all html files proper XHTML - split options_main.js into several smaller files - validate settings data on import -- find some good hatchet icon and rename the extension to "Hachette" (unless - someone suggests another good name before we do so) +- rename the extension to something good + - find some good hatchet icon and rename the extension to "Hachette" + (unless someone suggests another good name before we do so) - add an option to disable script blocking globally +- Add support to settings_query for non-standard URLs + (e.g. file:// and about:) +- Process HTML files in data: URLs instead of just blocking them DONE: +- make blocking more torough -- DONE 2021-06-28 + - mind the data: urls -- CRUCIAL - employ copyright file in Debian format -- DONE 2021-06-25 - find out what causes storage sometimes not to get initialized under IceCat 60 -- DONE 2021-06-23 - make it possible to export page settings in some format -- DONE 2021-06-19 diff --git a/content/main.js b/content/main.js index 4eea6be..2a46c7e 100644 --- a/content/main.js +++ b/content/main.js @@ -11,6 +11,7 @@ const handle_page_actions = window.handle_page_actions; const url_item = window.url_item; const gen_unique = window.gen_unique; + const sanitize_attributes = window.sanitize_attributes; /* * Due to some technical limitations the chosen method of whitelisting sites @@ -26,6 +27,8 @@ let url = url_item(document.URL); let unique = gen_unique(url); let nonce = unique.substring(1); + + const scriptSuppressor = window.scriptSuppressor(nonce); function needs_blocking() { @@ -105,29 +108,10 @@ script-src-elem 'nonce-${nonce}';\ node.appendChild(meta); } - function sanitize_attributes(node) - { - if (node.attributes === undefined) - return; - - /* - * We have to do it in 2 loops, removing attribute modifies - * our iterator - */ - let attr_names = []; - for (let attr of node.attributes) { - let attr_name = attr.localName; - if (attr_name.startsWith("on")) - attr_names.push(attr_name); - } - - for (let attr_name of attr_names) { - node.removeAttribute(attr_name); - console.log("sanitized", attr_name); - } - } - if (needs_blocking()) { + // Script blocking for Gecko + addEventListener('beforescriptexecute', scriptSuppressor, true); + var observer = new MutationObserver(handle_mutation); observer.observe(document.documentElement, { attributes: true, diff --git a/copyright b/copyright index f7412db..5dce864 100644 --- a/copyright +++ b/copyright @@ -42,6 +42,11 @@ License: Expat OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +Files: content/freezer.js +Copyright: 2005-2021 Giorgio Maone - https://maone.net + 2021 jahoti +License: GPL-2+ + Files: licenses/* Copyright: 2001, 2002, 2011-2013 Creative Commons License: CC-BY-4.0 @@ -54,7 +59,7 @@ License: CC0 and public-domain License: CC0 See `licenses/cc0.txt' -Files: licenses/gpl-3.0.txt +Files: licenses/gpl-2.txt licenses/gpl-3.0.txt Copyright: 2007 Free Software Foundation, Inc. License: no-changing Everyone is permitted to copy and distribute verbatim copies of @@ -100,6 +105,21 @@ License: Alicense-1.0 Also see `https://koszko.org/en/articles/my-new-license.html' for more explanation. +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + License: CC-BY-SA-4.0 See `licenses/cc-by-sa-4.0.txt' diff --git a/manifest.json b/manifest.json index 9487d25..3984dc6 100644 --- a/manifest.json +++ b/manifest.json @@ -81,6 +81,7 @@ "match_about_blank": true, "all_frames": true, "js": [ + "content/freezer.js", "common/browser.js", "common/connection_types.js", "content/page_actions.js", -- cgit v1.2.3