Prefetch all CSS subresources (1st party included) in private contexts where both unchecked_css and scripting capabilities are disabled.

This commit is contained in:
hackademix 2024-08-22 21:59:25 +02:00
parent f5cf60b4a9
commit 7a283af996
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
1 changed files with 12 additions and 5 deletions

View File

@ -183,10 +183,17 @@ ns.on("capabilities", () => {
allowed: ns.canScript
});
if (!(ns.policy.isTorBrowser || ns.allows("unchecked_css"))) {
// protection against CSS PP0, not needed on the Tor Browser because of its
// noisy DNS resolution: https://orenlab.sise.bgu.ac.il/p/PP0
let prefetchCallback =
if (!ns.allows("unchecked_css")) {
// protection against CSS PP0 (https://orenlab.sise.bgu.ac.il/p/PP0)
// In Tor Browser / private windows, with scripts disabled,
// preload also 1st party CSS resources in order to mitigate
// scriptless user interaction tracking.
// See https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42829
const only3rdParty = ns.canScript || !browser.extension.inIncognitoContext;
const prefetchCallback =
// false && // REL_ONLY
(location.hostname === 'localhost' && location.search.includes("debug_prefetch"))
? (rule, url) => {
@ -194,7 +201,7 @@ ns.on("capabilities", () => {
url.hostname = `prefetch.${url.hostname}`;
return false; // let default processing continue with the modified hostname
} : null;
prefetchCSSResources(true, prefetchCallback);
prefetchCSSResources(only3rdParty, prefetchCallback);
}
if (!ns.canScript) {