Disable scripting in HTML-embedding objects where webglHook cannot run, if webgl not allowed.

hackademix 2018-07-26 23:23:11 +02:00
parent 4e62643b33
commit 21810063d0
5 changed files with 20 additions and 15 deletions


@ -390,8 +390,17 @@ var RequestGuard = (() => {
if (policy.autoAllowTop && request.type === "main_frame" && perms === policy.DEFAULT) {
policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
}
let {capabilities} = perms;
let isObject = request.type === "object";
if (isObject && !capabilities.has("webgl")) { // we can't inject webglHook
debug("Disabling scripts in object %s to prevent webgl abuse", url);
capabilities = new Set(capabilities);
capabilities.delete("script");
let r = Object.assign({}, request, {type: "webgl"});
TabStatus.record(r, "blocked");
Content.reportTo(r, false, "webgl");
}
let canScript = capabilities.has("script");
let blockedTypes;
@ -419,7 +428,7 @@ var RequestGuard = (() => {
blocker = CSP.createBlocker(...blockedTypes);
}
if (canScript) {
if (canScript && !isObject) {
if (!capabilities.has("webgl")) {
RequestUtil.executeOnStart(request, {
file: "/content/webglHook.js"
@ -427,7 +436,7 @@ var RequestGuard = (() => {
}
if (!capabilities.has("media")) {
RequestUtil.executeOnStart(request, {
code: "window.mediaBlocker = correctFrame();"
code: "window.mediaBlocker = true;"
});
}
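Review bot: The new `<object>` fallback covers only the `webgl` capability, but `if (canScript && !isObject)` also keeps object documents out of the `media` branch, and `executeOnStart` now returns early for `type === "object"`, so `window.mediaBlocker` is never set there. If that flag is the only enforcement for some media path (not visible here; the CSP blocker built from `blockedTypes` may already cover it), an object with `script` and `webgl` allowed but `media` denied runs scripts without the media hook. Either extend the guard, e.g. `if (isObject && !(capabilities.has("webgl") && capabilities.has("media")))` with the reported type following whichever capability is missing, or add a comment stating what enforces `media` inside object documents. The enclosing function starts and ends outside these hunks.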


@ -24,14 +24,13 @@
let scripts = pendingScripts.get(requestId);
if (!scripts) return -1;
pendingScripts.delete(requestId);
let where = type === "object" ? {allFrames: true} : {frameId};
let count = 0;
let run = async details => {
details = Object.assign({
runAt: "document_start",
matchAboutBlank: true,
}, details, where);
frameId
}, details);
try {
let res;
for (let attempts = 10; attempts-- > 0;) {
@ -49,17 +48,14 @@
error(e, "Execute on start failed", url, details);
}
};
await run({code: `void(window.correctFrame = () => "${url}" === document.URL && document.readyState === "loading")`});
await Promise.all([...scripts.values()].map(run));
await run({code: `void(window.correctFrame = () => false)`});
return count;
};
{
let filter = {
urls: ["<all_urls>"],
types: ["main_frame", "sub_frame", "object"]
types: ["main_frame", "sub_frame"]
};
let wr = browser.webRequest;
for (let event of ["onCompleted", "onErrorOccurred"]) {
@ -81,7 +77,7 @@
executeOnStart(request, details) {
let {requestId, url, tabId, frameId, statusCode, type} = request;
if (statusCode >= 300 && statusCode < 400) return;
if (statusCode >= 300 && statusCode < 400 || type === "object") return;
if (frameId === 0) {
let key = tabKey(tabId, url);
debug("Checking whether %s is a reloading tab...", key);
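Review bot: In `run`, `frameId` now sits in the defaults object passed to `Object.assign`, so a `frameId` key in the caller-supplied `details` would override the request's frame, whereas the removed `where` was applied last. With the `correctFrame()` guard gone, `frameId` is the only thing that targets the injection, so it should not be overridable: `details = Object.assign({runAt: "document_start", matchAboutBlank: true}, details, {frameId});`. The callers visible on this page pass only `file` or `code`, so this is hardening rather than a live bug. The function containing `run` starts outside the hunk.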


@ -100,8 +100,8 @@ async function init(oldPage = false) {
}
queryingCanScript = true;
debug(`init() called in document %s, contentType %s readyState %s`,
document.URL, document.contentType, document.readyState);
debug(`init() called in document %s, contentType %s readyState %s, frameElement %o`,
document.URL, document.contentType, document.readyState, window.frameElement && frameElement.data);
try {
let {canScript, shouldScript} = await browser.runtime.sendMessage({type: "canScript"});


@ -1,4 +1,4 @@
if (correctFrame()) {
{
debug("Media Hook (blocked %s)", !!window.mediaBlocker, document.URL, document.documentElement && document.documentElement.innerHTML);
(() => {
let unpatched = new Map();
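Review bot: The bare `{` that replaces `if (correctFrame())` leaves no trace of why the block exists or what now ensures the hook runs in the intended document; the WebGL hook's hunk has the same pattern. A one-line comment above it would help the next reader, e.g. `// Block kept for scoping only; frame targeting is done by the injector (frameId) and is not re-checked here.` That wording assumes the block is presumably there just to scope the `let` declarations, which the author should confirm. The block continues past the end of the hunk.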


@ -1,4 +1,4 @@
if (correctFrame()) {
{
debug("WebGL Hook", document.URL, document.documentElement && document.documentElement.innerHTML);
let proto = HTMLCanvasElement.prototype;
let getContext = proto.getContext;