LAN capability to check for cross-zone WAN to LAN requests (thanks barbaz for ABE webext contributions).

This commit is contained in:
hackademix 2022-02-15 01:04:43 +01:00
parent 78609bb065
commit 5fd9b64960
4 changed files with 38 additions and 13 deletions

View File

@ -563,6 +563,9 @@
"cap_unchecked_css": {
"message": "unrestricted CSS"
},
"cap_lan": {
"message": "LAN"
},
"cap_other": {
"message": "other"
},

View File

@ -408,12 +408,31 @@ var RequestGuard = (() => {
}
};
const listeners = {
onBeforeRequest(request) {
async onBeforeRequest(request) {
normalizeRequest(request);
try {
let redirected = initPendingRequest(request);
let {policy} = ns
let {type} = request;
let {type, url, originUrl, tabId} = request;
if (type === "xmlhttprequest" &&
browser.runtime.onSyncMessage &&
url.startsWith(browser.runtime.onSyncMessage.ENDPOINT_PREFIX)) {
return ALLOW;
}
let enforced = ns.isEnforced(tabId);
// check cross-zone WAN->LAN requests
if (enforced && originUrl && !Sites.isInternal(originUrl) && url.startsWith("http") &&
!policy.can(originUrl, "lan", ns.policyContext(request)) &&
(await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl))) {
debug("WAN->LAN request blocked", request);
let r = Object.assign({}, request);
r.url = originUrl; // we want to report the origin as needing the permission
Content.reportTo(r, false, "lan")
return ABORT;
}
if (type in policyTypesMap) {
let previous = recent.find(request);
if (previous) {
@ -424,19 +443,18 @@ var RequestGuard = (() => {
recent.add(previous);
let policyType = policyTypesMap[type];
let {url, originUrl, documentUrl, tabId} = request;
let {documentUrl} = request;
if (!enforced) {
if (ns.unrestrictedTabs.has(tabId) && type.endsWith("frame") && url.startsWith("https:")) {
TabStatus.addOrigin(tabId, url);
}
return ALLOW;
}
let isFetch = "fetch" === policyType;
if ((isFetch || "frame" === policyType) &&
(((isFetch && (!originUrl ||
browser.runtime.onSyncMessage &&
url.startsWith(browser.runtime.onSyncMessage.ENDPOINT_PREFIX)
) || url === originUrl) && originUrl === documentUrl
(((isFetch && !originUrl
|| url === originUrl) && originUrl === documentUrl
// some extensions make them both undefined,
// see https://github.com/eight04/image-picka/issues/150
) ||
@ -451,7 +469,7 @@ var RequestGuard = (() => {
request.url = url = documentUrl || originUrl;
}
let allowed = Sites.isInternal(url) || !ns.isEnforced(tabId);
let allowed = Sites.isInternal(url);
if (!allowed) {
if (tabId < 0 && documentUrl && documentUrl.startsWith("https:")) {
allowed = [...ns.unrestrictedTabs]

View File

@ -28,6 +28,7 @@
"webNavigation",
"webRequest",
"webRequestBlocking",
"dns",
"<all_urls>"
],
@ -53,6 +54,9 @@
"/nscl/common/locale.js",
"/nscl/common/Storage.js",
"/nscl/common/include.js",
"/nscl/common/DNS.js",
"/nscl/common/AddressMatcherWithDNS.js",
"/nscl/common/iputil.js",
"/nscl/service/DocStartInjection.js",
"/nscl/service/LastListener.js",
"/nscl/service/TabCache.js",

@ -1 +1 @@
Subproject commit ea55fd9a837c5797099671386b0589159ad25328
Subproject commit 7f2c37284c54c243afd6e4b7d9f3cb6952c149bd