From edbbe4002dadd31fd7eab0522a953e1b1b435767 Mon Sep 17 00:00:00 2001 From: jahoti Date: Mon, 28 Jun 2021 00:00:00 +0000 Subject: License script-blocking techniques from NoScript in machine-readable format. In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete.
---
 content/main.js | 28 ++++++----------------------
 1 file changed, 6 insertions(+), 22 deletions(-) (limited to 'content')
diff --git a/content/main.js b/content/main.js
index 4eea6be..2a46c7e 100644
--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
 const handle_page_actions = window.handle_page_actions;
 const url_item = window.url_item;
 const gen_unique = window.gen_unique;
+ const sanitize_attributes = window.sanitize_attributes;

 /*
 * Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
 let url = url_item(document.URL);
 let unique = gen_unique(url);
 let nonce = unique.substring(1);
+
+ const scriptSuppressor = window.scriptSuppressor(nonce);

 function needs_blocking()
 {
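Review bot: The new `const scriptSuppressor = window.scriptSuppressor(nonce);` makes `nonce` the value that decides which scripts escape suppression, yet nothing near it documents that the page must not be able to learn or predict it. `nonce` is `unique.substring(1)` from `gen_unique(url)`, whose definition is outside this hunk, so whether it mixes in anything beyond the URL cannot be confirmed here. Presumably any script element carrying the nonce is let through (the description says blocking is "filtered by nonce"), so a comment such as `/* nonce must be unguessable by the page: scripts carrying it are exempt from suppression */` above the declaration would pin that assumption. Both this call and the `window.sanitize_attributes` alias in the first hunk also run with no check that the globals exist, so a missing or late-loaded module would abort the content script before `needs_blocking()` is reached and leave the page unblocked.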
@@ -105,29 +108,10 @@ script-src-elem 'nonce-${nonce}';\
 node.appendChild(meta);
 }

- function sanitize_attributes(node)
- {
- if (node.attributes === undefined)
- return;
-
- /*
- * We have to do it in 2 loops, removing attribute modifies
- * our iterator
- */
- let attr_names = [];
- for (let attr of node.attributes) {
- let attr_name = attr.localName;
- if (attr_name.startsWith("on"))
- attr_names.push(attr_name);
- }
-
- for (let attr_name of attr_names) {
- node.removeAttribute(attr_name);
- console.log("sanitized", attr_name);
- }
- }
-
 if (needs_blocking()) {
+ // Script blocking for Gecko
+ addEventListener('beforescriptexecute', scriptSuppressor, true);
+
 var observer = new MutationObserver(handle_mutation);
 observer.observe(document.documentElement, {
 attributes: true,
-- 
cgit v1.2.3
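Review bot: The listener added under `if (needs_blocking())` depends on `beforescriptexecute`, a non-standard event that only Gecko fires, and the comment `// Script blocking for Gecko` does not say what it covers or what still enforces blocking where the event never fires. The event concerns script elements only, so inline `on*` handlers and `javascript:`/`data:` URLs still rely on the CSP `<meta>` built above this hunk and on `sanitize_attributes`. A fuller comment would help, for example `// Gecko-only, non-standard: cancels script elements lacking our nonce; the CSP meta and sanitize_attributes remain the primary controls`. The local `sanitize_attributes` removed here stripped only attributes whose name starts with `on`; the replacement now comes from `window.sanitize_attributes`, which is not visible in this patch, so it is worth confirming in review that it keeps that behaviour and adds the URL handling the description promises.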