From 631cf50e8c7daae7ce6468fc810c68b43dfeada1 Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 4 Feb 2022 23:35:57 +0100 Subject: [PATCH 01/22] Version bump: 11.2.20rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index d435141..8f854c4 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.19", + "version": "11.2.20rc1", "description": "__MSG_Description__", "incognito": "spanning", From e0851b526b57820efd81d049aa5a7842ebc77463 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 7 Feb 2022 21:03:24 +0100 Subject: [PATCH 02/22] [XSS] Fix false positive warning when "name" is in the query string (thanks John Shield / DuckDuckGo for reporting). --- src/nscl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nscl b/src/nscl index fa49ecb..124fc30 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit fa49ecb52140aa80db30a7fa834f6358acc94a13 +Subproject commit 124fc30ae71873a87a904c533dd6933eea634186 From 660d6148fd69a20592b30d61d4effa12ca7c11df Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 7 Feb 2022 21:09:22 +0100 Subject: [PATCH 03/22] [L10n] Updated de. --- src/_locales/de/messages.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_locales/de/messages.json b/src/_locales/de/messages.json index 10a2505..642d6f4 100644 --- a/src/_locales/de/messages.json +++ b/src/_locales/de/messages.json @@ -736,7 +736,7 @@ "description": "" }, "cap_unchecked_css": { - "message": "jedes CSS", + "message": "ungeprüfte CSS", "description": "" }, "cap_other": { From ae3b15f259c756a61a183b08c3380407edccc833 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 7 Feb 2022 21:20:49 +0100 Subject: [PATCH 04/22] Version bump: 11.2.20. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 8f854c4..7353d6f 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.20rc1", + "version": "11.2.20", "description": "__MSG_Description__", "incognito": "spanning", From ab1a5d49422af562e4763fa104a3831411ef9b8f Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 8 Feb 2022 09:47:05 +0100 Subject: [PATCH 05/22] Version bump: 11.2.21rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 7353d6f..a43083a 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.20", + "version": "11.2.21rc1", "description": "__MSG_Description__", "incognito": "spanning", From 7aeac83eeb2ad7e5e499eacf0358f23a65373918 Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 8 Feb 2022 11:01:03 +0100 Subject: [PATCH 06/22] [XSS] Simplified preemptive name sanitization. --- src/xss/sanitizeName.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/xss/sanitizeName.js b/src/xss/sanitizeName.js index 7eba9c4..457c6cd 100644 --- a/src/xss/sanitizeName.js +++ b/src/xss/sanitizeName.js @@ -20,10 +20,10 @@ ns.on("capabilities", event => { if (ns.allows("script")) { - let name = ns.getWindowName(); - if (/[<"'\`(=:]/.test(name)) { - console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, name, document.URL); - window.name = window.name.substring(0, window.name.length - name.length); + let dangerousRx = /[<"'\`(=:]/g; + if (/[<"'\`(=:]/.test(window.name)) { + console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, window.name, document.URL); + window.name = window.name.replace(dangerousRx, ''); } } }); From e65d3bd35f82779e15e28bd50ba13c4b4ce87faf Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 8 Feb 2022 11:01:26 +0100 Subject: [PATCH 07/22] Better fallback for failing syncMessage. --- src/bg/RequestGuard.js | 2 +- src/content/staticNS.js | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js index 03ce484..4446920 100644 --- a/src/bg/RequestGuard.js +++ b/src/bg/RequestGuard.js @@ -660,7 +660,7 @@ var RequestGuard = (() => { policy.navigationURL = url; let debugStatement = ns.local.debug ? ` let mark = Date.now() + ":" + Math.random(); - console.debug("domPolicy", domPolicy, document.readyState, mark);` : ''; + console.debug("domPolicy", domPolicy, document.readyState, location.href, mark, window.ns);` : ''; return ` let domPolicy = ${JSON.stringify(policy)}; let {ns} = window; diff --git a/src/content/staticNS.js b/src/content/staticNS.js index 01b9870..1d0c6ec 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -23,7 +23,7 @@ let listenersMap = new Map(); let backlog = new Set(); - var ns = { + let ns = { debug: true, // DEV_ONLY get embeddingDocument() { delete this.embeddingDocument; @@ -91,12 +91,13 @@ this.syncFetchPolicy(); } else { let msg = {id: "fetchPolicy", url, contextUrl: url}; - if (document.readyState === "complete") { - // no point fetching synchronously, since the document is already loaded (hot extension update?) + debug(`Synchronously fetching policy for ${url}.`); + let policy = browser.runtime.sendSyncMessage(msg); + if (!policy) { + debug(`Couldn't retrieve policy synchronously, trying async.`); (async () => this.setup(await browser.runtime.sendMessage(msg)))(); } else { - debug(`Synchronously fetching policy for ${url}.`); - this.setup(browser.runtime.sendSyncMessage(msg)); + this.setup(policy); } } }, From 3f60112b60eb3663d7366d7ba8c04261615638c8 Mon Sep 17 00:00:00 2001 From: hackademix Date: Tue, 8 Feb 2022 11:07:50 +0100 Subject: [PATCH 08/22] Version bump: 11.2.21. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index a43083a..f1ccd2c 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.21rc1", + "version": "11.2.21", "description": "__MSG_Description__", "incognito": "spanning", From b0a870ce4baf263505d9f5a504bb304e633aff21 Mon Sep 17 00:00:00 2001 From: hackademix Date: Wed, 9 Feb 2022 19:29:27 +0100 Subject: [PATCH 09/22] Version bump: 11.2.22rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index f1ccd2c..3ffc194 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.21", + "version": "11.2.22rc1", "description": "__MSG_Description__", "incognito": "spanning", From 0942a8a261da3ead137389c84f7e098d159feb2f Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 10 Feb 2022 08:38:41 +0100 Subject: [PATCH 10/22] Parallel sync/async for best effort policy fetching under any circumstance. --- src/bg/main.js | 2 +- src/content/staticNS.js | 41 ++++++++++++++++++++++++++++++++--------- 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/src/bg/main.js b/src/bg/main.js index 7dca693..83be431 100644 --- a/src/bg/main.js +++ b/src/bg/main.js @@ -212,7 +212,7 @@ function onSyncMessage(msg, sender) { switch(msg.id) { - case "fetchPolicy": + case "fetchChildPolicy": return messageHandler.fetchChildPolicy(msg, sender); break; } diff --git a/src/content/staticNS.js b/src/content/staticNS.js index 1d0c6ec..4a79420 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -90,21 +90,44 @@ // extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers this.syncFetchPolicy(); } else { - let msg = {id: "fetchPolicy", url, contextUrl: url}; - debug(`Synchronously fetching policy for ${url}.`); - let policy = browser.runtime.sendSyncMessage(msg); - if (!policy) { - debug(`Couldn't retrieve policy synchronously, trying async.`); - (async () => this.setup(await browser.runtime.sendMessage(msg)))(); - } else { + let msg = {id: "fetchChildPolicy", url, contextUrl: url}; + + let asyncFetch = (async () => { + let policy = null; + for (let attempts = 10; !(policy || this.policy) && attempts-- > 0;) { + try { + debug(`Retrieving policy asynchronously (${attempts} attempts left).`); + policy = await Messages.send(msg.id, msg) || this.domPolicy; + debug("Asynchronous policy", policy); + } catch (e) { + error(e, "(Asynchronous policy fetch)"); + } + } this.setup(policy); - } + }); + debug(`Synchronously fetching policy for ${url}.`); + let policy = null; + let attempts = 100; + let refetch = () => { + policy = browser.runtime.sendSyncMessage(msg) || this.domPolicy; + if (policy) { + this.setup(policy); + } else if (attempts-- > 0) { + debug(`Couldn't retrieve policy synchronously (${attempts} attempts left).`); + if (asyncFetch) { + asyncFetch(); + asyncFetch = null; + } + queueMicrotask(refetch); + } + }; + refetch(); } }, setup(policy) { if (this.policy) return false; - debug("%s, %s, fetched %o", document.URL, document.readyState, policy); + debug("%s, %s, fetched %o", document.URL, document.readyState, policy, new Error().stack); // DEV_ONLY if (!policy) { policy = {permissions: {capabilities: []}, localFallback: true}; } From 6d8abed1bdcc0da38fbeb8a51e6e93787bebd1ff Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 10 Feb 2022 08:48:27 +0100 Subject: [PATCH 11/22] Version bump: 11.2.22. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 3ffc194..43e5c6a 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.22rc1", + "version": "11.2.22", "description": "__MSG_Description__", "incognito": "spanning", From 8e4804d45f51bb7eb4128a4dbf37158ae2a797cb Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 10 Feb 2022 09:44:43 +0100 Subject: [PATCH 12/22] Version bump: 11.2.23rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 43e5c6a..11bb9e5 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.22", + "version": "11.2.23rc1", "description": "__MSG_Description__", "incognito": "spanning", From 3735929b7fe6392791a9a4677a2f03fae7fc0ddd Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 10 Feb 2022 09:44:25 +0100 Subject: [PATCH 13/22] [nscl] Fix rare breakages due to xray cloning. --- src/nscl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nscl b/src/nscl index 124fc30..f225ad2 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit 124fc30ae71873a87a904c533dd6933eea634186 +Subproject commit f225ad2bee52c08baf36f626e86bd408aff9aa0d From df2fdfd87a66a152060d5c50cb6ffff4947ee6f3 Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 10 Feb 2022 17:20:09 +0100 Subject: [PATCH 14/22] Version bump: 11.2.23. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 11bb9e5..f626f4e 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.23rc1", + "version": "11.2.23", "description": "__MSG_Description__", "incognito": "spanning", From dc7e350fe40e70435c48cace69987ef2d8edc88c Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 11 Feb 2022 00:05:34 +0100 Subject: [PATCH 15/22] Version bump: 11.2.24rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index f626f4e..9c1f22f 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.23", + "version": "11.2.24rc1", "description": "__MSG_Description__", "incognito": "spanning", From 25b11ec908d4b4cae7101b6020a2e54fc24edd6d Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 11 Feb 2022 00:05:54 +0100 Subject: [PATCH 16/22] [nscl] Avoid unnecessary window patching. --- src/nscl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nscl b/src/nscl index f225ad2..7a302d1 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit f225ad2bee52c08baf36f626e86bd408aff9aa0d +Subproject commit 7a302d1d181f7d9ef2bbee716c6c850df8cefdad From c96437f2ab101a57477d8e13d12ffb232a347193 Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 11 Feb 2022 00:12:51 +0100 Subject: [PATCH 17/22] Version bump: 11.2.24. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 9c1f22f..6c7e48e 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.24rc1", + "version": "11.2.24", "description": "__MSG_Description__", "incognito": "spanning", From 11d7cfc4c86ba1bd3a46a1a50a8b4cb34f4f09f5 Mon Sep 17 00:00:00 2001 From: hackademix Date: Sat, 12 Feb 2022 21:52:57 +0100 Subject: [PATCH 18/22] Version bump: 11.2.25rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 6c7e48e..50bb36a 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.24", + "version": "11.2.25rc1", "description": "__MSG_Description__", "incognito": "spanning", From 9b0553f7606d6bf8ed086fb2adb05e6598f03adc Mon Sep 17 00:00:00 2001 From: hackademix Date: Sat, 12 Feb 2022 22:19:45 +0100 Subject: [PATCH 19/22] [Firefox] Fix regression causing file:// policy not to be correctly enforced sometimes. --- src/bg/RequestGuard.js | 3 --- src/content/staticNS.js | 13 +++++++++---- src/content/syncFetchPolicy.js | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js index 4446920..7aec1e7 100644 --- a/src/bg/RequestGuard.js +++ b/src/bg/RequestGuard.js @@ -668,9 +668,6 @@ var RequestGuard = (() => { ns.domPolicy = domPolicy; if (ns.setup) { if (ns.syncSetup) ns.syncSetup(domPolicy); - else if (!ns.pendingSyncFetchPolicy) { - ns.setup(domPolicy); - } } ; } else { window.ns = {domPolicy} diff --git a/src/content/staticNS.js b/src/content/staticNS.js index 4a79420..759c403 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -72,6 +72,13 @@ } } + if (this.syncFetchPolicy) { + // extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers + this.syncFetchPolicy(); + } else { + this.pendingSyncFetchPolicy = true; + } + if (!sync) { queueMicrotask(() => this.fetchPolicy(true)); return; @@ -86,10 +93,8 @@ debug("Fetching policy for actual URL %s (was %s)", url, document.URL); } - if (this.syncFetchPolicy) { - // extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers - this.syncFetchPolicy(); - } else { + if (!this.syncFetchPolicy) { + let msg = {id: "fetchChildPolicy", url, contextUrl: url}; let asyncFetch = (async () => { diff --git a/src/content/syncFetchPolicy.js b/src/content/syncFetchPolicy.js index d9c3518..ade6f40 100644 --- a/src/content/syncFetchPolicy.js +++ b/src/content/syncFetchPolicy.js @@ -65,7 +65,7 @@ } let syncFetch = callback => { browser.runtime.sendSyncMessage( - {id: "fetchPolicy", url, contextUrl: url}, + {id: "fetchChildPolicy", url, contextUrl: url}, callback); }; debug("Initial readyState and body", document.readyState, document.body); From b6383d248d0711c09baea87f9370bfbc364a4893 Mon Sep 17 00:00:00 2001 From: hackademix Date: Sat, 12 Feb 2022 23:41:34 +0100 Subject: [PATCH 20/22] Version bump: 11.2.25rc2. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 50bb36a..d6b8180 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.25rc1", + "version": "11.2.25rc2", "description": "__MSG_Description__", "incognito": "spanning", From b27771aef037bea51ae3ad43d13051304f927b89 Mon Sep 17 00:00:00 2001 From: hackademix Date: Sun, 13 Feb 2022 00:16:24 +0100 Subject: [PATCH 21/22] More robust policy fetching. --- src/bg/RequestGuard.js | 1 + src/content/staticNS.js | 5 +++-- src/content/syncFetchPolicy.js | 23 ++++++++++++----------- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js index 7aec1e7..9d64cf1 100644 --- a/src/bg/RequestGuard.js +++ b/src/bg/RequestGuard.js @@ -668,6 +668,7 @@ var RequestGuard = (() => { ns.domPolicy = domPolicy; if (ns.setup) { if (ns.syncSetup) ns.syncSetup(domPolicy); + else ns.setup(domPolicy); } ; } else { window.ns = {domPolicy} diff --git a/src/content/staticNS.js b/src/content/staticNS.js index 759c403..7974477 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -75,10 +75,11 @@ if (this.syncFetchPolicy) { // extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers this.syncFetchPolicy(); - } else { - this.pendingSyncFetchPolicy = true; + return; } + this.pendingSyncFetchPolicy = true; + if (!sync) { queueMicrotask(() => this.fetchPolicy(true)); return; diff --git a/src/content/syncFetchPolicy.js b/src/content/syncFetchPolicy.js index ade6f40..2830c01 100644 --- a/src/content/syncFetchPolicy.js +++ b/src/content/syncFetchPolicy.js @@ -22,6 +22,9 @@ (window.ns || (window.ns = {})).syncFetchPolicy = function() { + ns.pendingSyncFetchPolicy = false; + ns.syncFetchPolicy = () => {}; + let url = document.URL; // Here we've got no CSP header yet (file: or ftp: URL), we need one @@ -32,18 +35,17 @@ if (window.wrappedJSObject) { if (top === window) { + let persistentPolicy = null; ns.syncSetup = policy => { - if (!ns.setup(policy)) return; - if (top === window && window.wrappedJSObject) { - let persistentPolicy = JSON.stringify(policy); - Object.freeze(persistentPolicy); - try { - Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", {value: cloneInto(persistentPolicy, window)}); - } catch(e) { - error(e); - } + if (persistentPolicy) return; + ns.setup(policy); + persistentPolicy = JSON.stringify(policy); + Object.freeze(persistentPolicy); + try { + Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", {value: cloneInto(persistentPolicy, window)}); + } catch(e) { + error(e); } - ns.syncSetup = () => {}; }; } else try { if (top.wrappedJSObject._noScriptPolicy) { @@ -239,6 +241,5 @@ }; if (ns.pendingSyncFetchPolicy) { - ns.pendingSyncFetchPolicy = false; ns.syncFetchPolicy(); } \ No newline at end of file From 62ad22f17cacdedfcb004c77f813c84b538fa2d3 Mon Sep 17 00:00:00 2001 From: hackademix Date: Sun, 13 Feb 2022 08:32:29 +0100 Subject: [PATCH 22/22] Version bump: 11.2.25. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index d6b8180..dbe0c44 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.25rc2", + "version": "11.2.25", "description": "__MSG_Description__", "incognito": "spanning",