Prevent URL leaks from media placeholders (thanks NDevTK for report).
parent
137dd858a9
commit
1754429ea1
|
@ -95,7 +95,7 @@
|
|||
XSS.stop();
|
||||
}
|
||||
|
||||
Messages.addHandler(messageHandler);
|
||||
|
||||
|
||||
try {
|
||||
await Messages.send("started");
|
||||
|
@ -229,23 +229,20 @@
|
|||
type: "panel"
|
||||
});
|
||||
},
|
||||
async getTheme() {
|
||||
async getTheme(msg, {tab, frameId}) {
|
||||
try {
|
||||
browser.tabs.insertCSS(tab.id, {
|
||||
code: await Themes.getContentCSS(),
|
||||
frameId,
|
||||
runAt: "document_start",
|
||||
matchAboutBlank: true,
|
||||
cssOrigin: "user",
|
||||
});
|
||||
} catch (e) {
|
||||
console.error(e);
|
||||
}
|
||||
return (await Themes.isVintage()) ? "vintage" : "";
|
||||
},
|
||||
async fetchResource({url}) {
|
||||
url = browser.runtime.getURL(url);
|
||||
const blob = await (await fetch(url)).blob();
|
||||
return new Promise((resolve, reject) => {
|
||||
const reader = new FileReader();
|
||||
reader.onload = e => {
|
||||
resolve(reader.result);
|
||||
};
|
||||
reader.onerror = e => {
|
||||
reject(reader.error);
|
||||
};
|
||||
reader.readAsDataURL(blob);
|
||||
});
|
||||
},
|
||||
|
||||
async promptHook(msg, {tabId}) {
|
||||
await browser.tabs.executeScript(tabId, {
|
||||
|
@ -262,6 +259,7 @@
|
|||
await TabGuard.reloadNormally(tabId);
|
||||
}
|
||||
};
|
||||
Messages.addHandler(messageHandler);
|
||||
|
||||
function onSyncMessage(msg, sender) {
|
||||
switch(msg.id) {
|
||||
|
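Review bot: In the new `getTheme(msg, {tab, frameId})`, `browser.tabs.insertCSS(...)` is called without `await`, so the surrounding `try`/`catch` only sees a failure of `Themes.getContentCSS()` or a synchronous throw (for example `tab` being undefined when the sender is not a tab). A rejected injection becomes an unhandled rejection and never reaches `console.error(e)`. With the manifest `css` entry apparently dropped elsewhere in this commit, this call looks like the only path that styles the placeholders, so a silent failure would leave them unstyled with nothing in the log. If the reply should not wait for the injection, keep it non-blocking but handled, `browser.tabs.insertCSS(tab.id, {...}).catch(console.error);`; otherwise `await` it inside the `try`.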
|
|
@ -62,6 +62,7 @@
|
|||
addEventListener("load", onload, true);
|
||||
}
|
||||
|
||||
let contentCSS;
|
||||
|
||||
let root = document.documentElement;
|
||||
root.classList.add(PARENT_CLASS);
|
||||
|
@ -141,6 +142,43 @@
|
|||
return b;
|
||||
},
|
||||
|
||||
async getContentCSS() {
|
||||
contentCSS = contentCSS || (async () => {
|
||||
const replaceAsync = async (string, regexp, replacerFunction) => {
|
||||
const replacements = await Promise.all(
|
||||
Array.from(string.matchAll(regexp),
|
||||
match => replacerFunction(...match)));
|
||||
let i = 0;
|
||||
return string.replace(regexp, () => replacements[i++]);
|
||||
}
|
||||
const fetchAsDataURL = async (url) => {
|
||||
const blob = await (await fetch(browser.runtime.getURL(url))).blob();
|
||||
return new Promise((resolve, reject) => {
|
||||
const reader = new FileReader();
|
||||
reader.onload = e => {
|
||||
resolve(reader.result);
|
||||
};
|
||||
reader.onerror = e => {
|
||||
reject(reader.error);
|
||||
};
|
||||
reader.readAsDataURL(blob);
|
||||
});
|
||||
}
|
||||
const fetchAsText = async (url) => await (await fetch(browser.runtime.getURL(url))).text();
|
||||
|
||||
const themesCSS = (await replaceAsync(await fetchAsText("/common/themes.css"),
|
||||
/(--img-logo:.*url\("?)(.*\.svg)"?/g,
|
||||
async (s, prop, url) => `${prop}"${await fetchAsDataURL(url)}"`
|
||||
))
|
||||
.replace(/.*\burl\(\.*\/.*\n/g, '')
|
||||
.replace(/\/\*[^]*?\*\//g, '')
|
||||
.replace(/\n+/g, "\n");
|
||||
return (await fetchAsText("/content/content.css"))
|
||||
.replace(/\b(THEMES_START\b.*\n)[^]*(\n.*\bTHEMES_END)\b/g,
|
||||
`$1${themesCSS}$2`);
|
||||
})();
|
||||
return await contentCSS;
|
||||
}
|
||||
};
|
||||
|
||||
(async () => {
|
||||
|
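Review bot: The two URL regexes in `getContentCSS()` treat a quoted `url("…")` differently from an unquoted one, which matters because they are what keeps extension URLs out of the injected CSS. In the `--img-logo` rewrite the optional opening quote sits inside the first capture group while the replacer adds its own, so a quoted source value would come out as `url(""data:…"`; moving it out of the group, `/(--img-logo:.*url\()"?(.*\.svg)"?/g`, avoids that. The stripping pass `/.*\burl\(\.*\/.*\n/g` only matches when `url(` is followed directly by dots and a slash, so a declaration written as `url("/…")` or `url('/…')` would survive it; `/.*\burl\(["']?\.*\/.*\n/g` would cover those. themes.css is not shown here, so this may be latent rather than live. Separately, `contentCSS` keeps the cached promise even when a fetch rejects, so one failure is handed to every later caller.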
|
|
@ -4,6 +4,15 @@
|
|||
* SPDX-License-Identifier: GPL-3.0-or-later
|
||||
*/
|
||||
|
||||
/* THEMES_START */
|
||||
|
||||
/*
|
||||
This section gets replaced at runtime with an extract of /themes/themes.css
|
||||
stripped of all the references to extension URLs.
|
||||
*/
|
||||
|
||||
/* THEMES_END */
|
||||
|
||||
a.__NoScript_PlaceHolder__ {
|
||||
outline: 2px solid --var(--accent-color);
|
||||
color: var(--text-color) !important;
|
||||
|
@ -15,7 +24,7 @@ a.__NoScript_PlaceHolder__ {
|
|||
cursor: pointer;
|
||||
opacity: 0.8;
|
||||
z-index: 2147483647 !important;
|
||||
background-image: none;
|
||||
background-image: var(--img-logo);
|
||||
}
|
||||
|
||||
a.__NoScript_PlaceHolder__.mozilla {
|
||||
|
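Review bot: The new placeholder comment says the section is replaced with an extract of `/themes/themes.css`, but the code added in this commit fetches `/common/themes.css` (the same path the manifest listed), so the comment should name that path. It would also help to say that the `THEMES_START` / `THEMES_END` marker comments are matched by a regex in `Themes.getContentCSS()` and must stay on their own lines with that exact spelling, since a mismatch makes the replacement a silent no-op and would presumably leave `--img-logo` and the other theme variables undefined in the page. Suggested wording: `This section gets replaced at runtime (see Themes.getContentCSS) with an extract of /common/themes.css stripped of all the references to extension URLs; keep both marker comments intact.` Unrelated to this change, the context line `outline: 2px solid --var(--accent-color);` looks like a typo for `var(`.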
|
|
@ -73,15 +73,6 @@
|
|||
},
|
||||
|
||||
"content_scripts": [
|
||||
{
|
||||
"matches": ["<all_urls>"],
|
||||
"match_about_blank": true,
|
||||
"all_frames": true,
|
||||
"css": [
|
||||
"/common/themes.css",
|
||||
"/content/content.css"
|
||||
]
|
||||
},
|
||||
{
|
||||
"run_at": "document_start",
|
||||
"matches": ["<all_urls>"],
|
||||
|
|
2
src/nscl
2
src/nscl
|
@ -1 +1 @@
|
|||
Subproject commit ebfe3a58ef20aca92be24879348a0dc75b09b229
|
||||
Subproject commit 4c94bf24f117277f5c00878005d91d0d7aaa18e4
|