Prevent URL leaks from media placeholders (thanks NDevTK for report).

This commit is contained in:
hackademix 2023-10-07 23:01:44 +02:00
parent 137dd858a9
commit 1754429ea1
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
5 changed files with 63 additions and 27 deletions


@ -95,7 +95,7 @@
XSS.stop();
}
Messages.addHandler(messageHandler);
try {
await Messages.send("started");
@ -229,23 +229,20 @@
type: "panel"
});
},
async getTheme() {
async getTheme(msg, {tab, frameId}) {
try {
browser.tabs.insertCSS(tab.id, {
code: await Themes.getContentCSS(),
frameId,
runAt: "document_start",
matchAboutBlank: true,
cssOrigin: "user",
});
} catch (e) {
console.error(e);
}
return (await Themes.isVintage()) ? "vintage" : "";
},
async fetchResource({url}) {
url = browser.runtime.getURL(url);
const blob = await (await fetch(url)).blob();
return new Promise((resolve, reject) => {
const reader = new FileReader();
reader.onload = e => {
resolve(reader.result);
};
reader.onerror = e => {
reject(reader.error);
};
reader.readAsDataURL(blob);
});
},
async promptHook(msg, {tabId}) {
await browser.tabs.executeScript(tabId, {
@ -262,6 +259,7 @@
await TabGuard.reloadNormally(tabId);
}
};
Messages.addHandler(messageHandler);
function onSyncMessage(msg, sender) {
switch(msg.id) {
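Review bot: The `browser.tabs.insertCSS(tab.id, {...})` call in the new getTheme body is not awaited, so a rejected injection (restricted page, frame already gone) escapes the surrounding try/catch and surfaces as an unhandled promise rejection instead of reaching the `console.error(e)` that the block clearly intends; `await browser.tabs.insertCSS(tab.id, {` keeps that logging effective. Whether insertCSS rejects asynchronously or throws synchronously depends on the WebExtension API layer in use, but awaiting is correct in both cases. Taking `tab` and `frameId` from the sender rather than from `msg` is the right choice, since a content script cannot forge its own sender, and deserves a one-line comment such as `// inject into the sender's own frame: tab/frameId come from the sender, never from the message`. The messageHandler object this method belongs to begins before the first hunk.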


@ -62,6 +62,7 @@
addEventListener("load", onload, true);
}
let contentCSS;
let root = document.documentElement;
root.classList.add(PARENT_CLASS);
@ -141,6 +142,43 @@
return b;
},
async getContentCSS() {
contentCSS = contentCSS || (async () => {
const replaceAsync = async (string, regexp, replacerFunction) => {
const replacements = await Promise.all(
Array.from(string.matchAll(regexp),
match => replacerFunction(...match)));
let i = 0;
return string.replace(regexp, () => replacements[i++]);
}
const fetchAsDataURL = async (url) => {
const blob = await (await fetch(browser.runtime.getURL(url))).blob();
return new Promise((resolve, reject) => {
const reader = new FileReader();
reader.onload = e => {
resolve(reader.result);
};
reader.onerror = e => {
reject(reader.error);
};
reader.readAsDataURL(blob);
});
}
const fetchAsText = async (url) => await (await fetch(browser.runtime.getURL(url))).text();
const themesCSS = (await replaceAsync(await fetchAsText("/common/themes.css"),
/(--img-logo:.*url\("?)(.*\.svg)"?/g,
async (s, prop, url) => `${prop}"${await fetchAsDataURL(url)}"`
))
.replace(/.*\burl\(\.*\/.*\n/g, '')
.replace(/\/\*[^]*?\*\//g, '')
.replace(/\n+/g, "\n");
return (await fetchAsText("/content/content.css"))
.replace(/\b(THEMES_START\b.*\n)[^]*(\n.*\bTHEMES_END)\b/g,
`$1${themesCSS}$2`);
})();
return await contentCSS;
}
};
(async () => {
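Review bot: The stripping pass in getContentCSS, `.replace(/.*\burl\(\.*\/.*\n/g, '')`, only removes lines where `/` immediately follows `url(` (after optional dots), so a quoted reference like `url("/img/x.svg")` or an absolute `moz-extension://` URL in themes.css would survive into the injected CSS, which is exactly the leak this commit targets; the --img-logo pattern two lines above does accept a quote, which suggests quoted forms are present. A more forgiving pattern such as `.replace(/.*\burl\(\s*["']?(?:\.*\/|moz-extension:|chrome:).*\n?/g, '')` would cover those, though I cannot see themes.css from here, so whether any such line exists needs confirming. Separately, `contentCSS` caches the IIFE's promise before it settles, so one transient fetch failure is cached as a permanent rejection for the lifetime of the page; resetting it on failure (`contentCSS = null;` in a catch before rethrowing) would allow a later call to retry. The object containing getContentCSS begins before the first hunk.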


@ -4,6 +4,15 @@
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/* THEMES_START */
/*
This section gets replaced at runtime with an extract of /themes/themes.css
stripped of all the references to extension URLs.
*/
/* THEMES_END */
a.__NoScript_PlaceHolder__ {
outline: 2px solid --var(--accent-color);
color: var(--text-color) !important;
@ -15,7 +24,7 @@ a.__NoScript_PlaceHolder__ {
cursor: pointer;
opacity: 0.8;
z-index: 2147483647 !important;
background-image: none;
background-image: var(--img-logo);
}
a.__NoScript_PlaceHolder__.mozilla {
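Review bot: The new THEMES_START comment says the section is replaced with an extract of `/themes/themes.css`, but the loader in content.js fetches `/common/themes.css` (and it is `/common/themes.css` that the manifest stops injecting), so the comment points at a path that appears nowhere else in this change; `This section gets replaced at runtime with an extract of /common/themes.css` keeps it consistent. It would also help to name the mechanism, e.g. `by getContentCSS() in content/content.js, which inlines --img-logo as a data: URL and drops every other url() reference so no extension URL is exposed to the page`, since that stripping is what the fix relies on. Unrelated to the added lines, the context line `outline: 2px solid --var(--accent-color);` looks like a typo for `var(--accent-color)`; it is pre-existing, so I only flag it.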


@ -73,15 +73,6 @@
},
"content_scripts": [
{
"matches": ["<all_urls>"],
"match_about_blank": true,
"all_frames": true,
"css": [
"/common/themes.css",
"/content/content.css"
]
},
{
"run_at": "document_start",
"matches": ["<all_urls>"],

@ -1 +1 @@
Subproject commit ebfe3a58ef20aca92be24879348a0dc75b09b229
Subproject commit 4c94bf24f117277f5c00878005d91d0d7aaa18e4