LAN capability to check for cross-zone WAN to LAN requests (thanks barbaz for ABE webext contributions).
This commit is contained in:
hackademix
parent
78609bb065
commit
5fd9b64960
|
|
@ -563,6 +563,9 @@
|
|||
"cap_unchecked_css": {
|
||||
"message": "unrestricted CSS"
|
||||
},
|
||||
"cap_lan": {
|
||||
"message": "LAN"
|
||||
},
|
||||
"cap_other": {
|
||||
"message": "other"
|
||||
},
|
||||
|
|
|
|||
|
|
@ -408,12 +408,31 @@ var RequestGuard = (() => {
|
|||
}
|
||||
};
|
||||
const listeners = {
|
||||
onBeforeRequest(request) {
|
||||
async onBeforeRequest(request) {
|
||||
normalizeRequest(request);
|
||||
try {
|
||||
let redirected = initPendingRequest(request);
|
||||
let {policy} = ns
|
||||
let {type} = request;
|
||||
let {type, url, originUrl, tabId} = request;
|
||||
|
||||
if (type === "xmlhttprequest" &&
|
||||
browser.runtime.onSyncMessage &&
|
||||
url.startsWith(browser.runtime.onSyncMessage.ENDPOINT_PREFIX)) {
|
||||
return ALLOW;
|
||||
}
|
||||
let enforced = ns.isEnforced(tabId);
|
||||
// check cross-zone WAN->LAN requests
|
||||
if (enforced && originUrl && !Sites.isInternal(originUrl) && url.startsWith("http") &&
|
||||
!policy.can(originUrl, "lan", ns.policyContext(request)) &&
|
||||
(await iputil.isLocalURI(url)) && !(await iputil.isLocalURI(originUrl))) {
|
||||
|
||||
debug("WAN->LAN request blocked", request);
|
||||
let r = Object.assign({}, request);
|
||||
r.url = originUrl; // we want to report the origin as needing the permission
|
||||
Content.reportTo(r, false, "lan")
|
||||
return ABORT;
|
||||
}
|
||||
|
||||
if (type in policyTypesMap) {
|
||||
let previous = recent.find(request);
|
||||
if (previous) {
|
||||
|
|
@ -424,19 +443,18 @@ var RequestGuard = (() => {
|
|||
recent.add(previous);
|
||||
|
||||
let policyType = policyTypesMap[type];
|
||||
let {url, originUrl, documentUrl, tabId} = request;
|
||||
|
||||
let {documentUrl} = request;
|
||||
if (!enforced) {
|
||||
if (ns.unrestrictedTabs.has(tabId) && type.endsWith("frame") && url.startsWith("https:")) {
|
||||
TabStatus.addOrigin(tabId, url);
|
||||
}
|
||||
|
||||
return ALLOW;
|
||||
}
|
||||
let isFetch = "fetch" === policyType;
|
||||
|
||||
if ((isFetch || "frame" === policyType) &&
|
||||
(((isFetch && (!originUrl ||
|
||||
browser.runtime.onSyncMessage &&
|
||||
url.startsWith(browser.runtime.onSyncMessage.ENDPOINT_PREFIX)
|
||||
) || url === originUrl) && originUrl === documentUrl
|
||||
(((isFetch && !originUrl
|
||||
|| url === originUrl) && originUrl === documentUrl
|
||||
// some extensions make them both undefined,
|
||||
// see https://github.com/eight04/image-picka/issues/150
|
||||
) ||
|
||||
|
|
@ -451,7 +469,7 @@ var RequestGuard = (() => {
|
|||
request.url = url = documentUrl || originUrl;
|
||||
}
|
||||
|
||||
let allowed = Sites.isInternal(url) || !ns.isEnforced(tabId);
|
||||
let allowed = Sites.isInternal(url);
|
||||
if (!allowed) {
|
||||
if (tabId < 0 && documentUrl && documentUrl.startsWith("https:")) {
|
||||
allowed = [...ns.unrestrictedTabs]
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@
|
|||
"webNavigation",
|
||||
"webRequest",
|
||||
"webRequestBlocking",
|
||||
"dns",
|
||||
"<all_urls>"
|
||||
],
|
||||
|
||||
|
|
@ -53,6 +54,9 @@
|
|||
"/nscl/common/locale.js",
|
||||
"/nscl/common/Storage.js",
|
||||
"/nscl/common/include.js",
|
||||
"/nscl/common/DNS.js",
|
||||
"/nscl/common/AddressMatcherWithDNS.js",
|
||||
"/nscl/common/iputil.js",
|
||||
"/nscl/service/DocStartInjection.js",
|
||||
"/nscl/service/LastListener.js",
|
||||
"/nscl/service/TabCache.js",
|
||||
|
|
|
|||
2
src/nscl
2
src/nscl
|
|
@ -1 +1 @@
|
|||
Subproject commit ea55fd9a837c5797099671386b0589159ad25328
|
||||
Subproject commit 7f2c37284c54c243afd6e4b7d9f3cb6952c149bd
|
||||
Loading…
Reference in New Issue