Merge branch 'main' of github.com:hackademix/noscript into ctx
This commit is contained in:
commit
963f728658
|
@ -736,7 +736,7 @@
|
||||||
"description": ""
|
"description": ""
|
||||||
},
|
},
|
||||||
"cap_unchecked_css": {
|
"cap_unchecked_css": {
|
||||||
"message": "jedes CSS",
|
"message": "ungeprüfte CSS",
|
||||||
"description": ""
|
"description": ""
|
||||||
},
|
},
|
||||||
"cap_other": {
|
"cap_other": {
|
||||||
|
|
|
@ -661,7 +661,7 @@ var RequestGuard = (() => {
|
||||||
policy.navigationURL = url;
|
policy.navigationURL = url;
|
||||||
let debugStatement = ns.local.debug ? `
|
let debugStatement = ns.local.debug ? `
|
||||||
let mark = Date.now() + ":" + Math.random();
|
let mark = Date.now() + ":" + Math.random();
|
||||||
console.debug("domPolicy", domPolicy, document.readyState, mark);` : '';
|
console.debug("domPolicy", domPolicy, document.readyState, location.href, mark, window.ns);` : '';
|
||||||
return `
|
return `
|
||||||
let domPolicy = ${JSON.stringify(policy)};
|
let domPolicy = ${JSON.stringify(policy)};
|
||||||
let {ns} = window;
|
let {ns} = window;
|
||||||
|
@ -669,9 +669,7 @@ var RequestGuard = (() => {
|
||||||
ns.domPolicy = domPolicy;
|
ns.domPolicy = domPolicy;
|
||||||
if (ns.setup) {
|
if (ns.setup) {
|
||||||
if (ns.syncSetup) ns.syncSetup(domPolicy);
|
if (ns.syncSetup) ns.syncSetup(domPolicy);
|
||||||
else if (!ns.pendingSyncFetchPolicy) {
|
else ns.setup(domPolicy);
|
||||||
ns.setup(domPolicy);
|
|
||||||
}
|
|
||||||
} ;
|
} ;
|
||||||
} else {
|
} else {
|
||||||
window.ns = {domPolicy}
|
window.ns = {domPolicy}
|
||||||
|
|
|
@ -212,7 +212,7 @@
|
||||||
|
|
||||||
function onSyncMessage(msg, sender) {
|
function onSyncMessage(msg, sender) {
|
||||||
switch(msg.id) {
|
switch(msg.id) {
|
||||||
case "fetchPolicy":
|
case "fetchChildPolicy":
|
||||||
return messageHandler.fetchChildPolicy(msg, sender);
|
return messageHandler.fetchChildPolicy(msg, sender);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
let listenersMap = new Map();
|
let listenersMap = new Map();
|
||||||
let backlog = new Set();
|
let backlog = new Set();
|
||||||
|
|
||||||
var ns = {
|
let ns = {
|
||||||
debug: true, // DEV_ONLY
|
debug: true, // DEV_ONLY
|
||||||
get embeddingDocument() {
|
get embeddingDocument() {
|
||||||
delete this.embeddingDocument;
|
delete this.embeddingDocument;
|
||||||
|
@ -72,6 +72,14 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (this.syncFetchPolicy) {
|
||||||
|
// extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers
|
||||||
|
this.syncFetchPolicy();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
this.pendingSyncFetchPolicy = true;
|
||||||
|
|
||||||
if (!sync) {
|
if (!sync) {
|
||||||
queueMicrotask(() => this.fetchPolicy(true));
|
queueMicrotask(() => this.fetchPolicy(true));
|
||||||
return;
|
return;
|
||||||
|
@ -86,24 +94,46 @@
|
||||||
debug("Fetching policy for actual URL %s (was %s)", url, document.URL);
|
debug("Fetching policy for actual URL %s (was %s)", url, document.URL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (this.syncFetchPolicy) {
|
if (!this.syncFetchPolicy) {
|
||||||
// extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers
|
|
||||||
this.syncFetchPolicy();
|
let msg = {id: "fetchChildPolicy", url};
|
||||||
} else {
|
|
||||||
let msg = {id: "fetchPolicy", url};
|
let asyncFetch = (async () => {
|
||||||
if (document.readyState === "complete") {
|
let policy = null;
|
||||||
// no point fetching synchronously, since the document is already loaded (hot extension update?)
|
for (let attempts = 10; !(policy || this.policy) && attempts-- > 0;) {
|
||||||
(async () => this.setup(await browser.runtime.sendMessage(msg)))();
|
try {
|
||||||
} else {
|
debug(`Retrieving policy asynchronously (${attempts} attempts left).`);
|
||||||
debug(`Synchronously fetching policy for ${url}.`);
|
policy = await Messages.send(msg.id, msg) || this.domPolicy;
|
||||||
this.setup(browser.runtime.sendSyncMessage(msg));
|
debug("Asynchronous policy", policy);
|
||||||
}
|
} catch (e) {
|
||||||
|
error(e, "(Asynchronous policy fetch)");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
this.setup(policy);
|
||||||
|
});
|
||||||
|
debug(`Synchronously fetching policy for ${url}.`);
|
||||||
|
let policy = null;
|
||||||
|
let attempts = 100;
|
||||||
|
let refetch = () => {
|
||||||
|
policy = browser.runtime.sendSyncMessage(msg) || this.domPolicy;
|
||||||
|
if (policy) {
|
||||||
|
this.setup(policy);
|
||||||
|
} else if (attempts-- > 0) {
|
||||||
|
debug(`Couldn't retrieve policy synchronously (${attempts} attempts left).`);
|
||||||
|
if (asyncFetch) {
|
||||||
|
asyncFetch();
|
||||||
|
asyncFetch = null;
|
||||||
|
}
|
||||||
|
queueMicrotask(refetch);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
refetch();
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
setup(policy) {
|
setup(policy) {
|
||||||
if (this.policy) return false;
|
if (this.policy) return false;
|
||||||
debug("%s, %s, fetched %o", document.URL, document.readyState, policy);
|
debug("%s, %s, fetched %o", document.URL, document.readyState, policy, new Error().stack); // DEV_ONLY
|
||||||
if (!policy) {
|
if (!policy) {
|
||||||
policy = {permissions: {capabilities: []}, localFallback: true};
|
policy = {permissions: {capabilities: []}, localFallback: true};
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,6 +22,9 @@
|
||||||
|
|
||||||
(window.ns || (window.ns = {})).syncFetchPolicy = function() {
|
(window.ns || (window.ns = {})).syncFetchPolicy = function() {
|
||||||
|
|
||||||
|
ns.pendingSyncFetchPolicy = false;
|
||||||
|
ns.syncFetchPolicy = () => {};
|
||||||
|
|
||||||
let url = document.URL;
|
let url = document.URL;
|
||||||
|
|
||||||
// Here we've got no CSP header yet (file: or ftp: URL), we need one
|
// Here we've got no CSP header yet (file: or ftp: URL), we need one
|
||||||
|
@ -32,18 +35,17 @@
|
||||||
|
|
||||||
if (window.wrappedJSObject) {
|
if (window.wrappedJSObject) {
|
||||||
if (top === window) {
|
if (top === window) {
|
||||||
|
let persistentPolicy = null;
|
||||||
ns.syncSetup = policy => {
|
ns.syncSetup = policy => {
|
||||||
if (!ns.setup(policy)) return;
|
if (persistentPolicy) return;
|
||||||
if (top === window && window.wrappedJSObject) {
|
ns.setup(policy);
|
||||||
let persistentPolicy = JSON.stringify(policy);
|
persistentPolicy = JSON.stringify(policy);
|
||||||
Object.freeze(persistentPolicy);
|
Object.freeze(persistentPolicy);
|
||||||
try {
|
try {
|
||||||
Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", {value: cloneInto(persistentPolicy, window)});
|
Object.defineProperty(window.wrappedJSObject, "_noScriptPolicy", {value: cloneInto(persistentPolicy, window)});
|
||||||
} catch(e) {
|
} catch(e) {
|
||||||
error(e);
|
error(e);
|
||||||
}
|
|
||||||
}
|
}
|
||||||
ns.syncSetup = () => {};
|
|
||||||
};
|
};
|
||||||
} else try {
|
} else try {
|
||||||
if (top.wrappedJSObject._noScriptPolicy) {
|
if (top.wrappedJSObject._noScriptPolicy) {
|
||||||
|
@ -239,6 +241,5 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
if (ns.pendingSyncFetchPolicy) {
|
if (ns.pendingSyncFetchPolicy) {
|
||||||
ns.pendingSyncFetchPolicy = false;
|
|
||||||
ns.syncFetchPolicy();
|
ns.syncFetchPolicy();
|
||||||
}
|
}
|
|
@ -8,7 +8,7 @@
|
||||||
"strict_min_version": "59.0"
|
"strict_min_version": "59.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": "11.2.19",
|
"version": "11.2.25",
|
||||||
"description": "__MSG_Description__",
|
"description": "__MSG_Description__",
|
||||||
"incognito": "spanning",
|
"incognito": "spanning",
|
||||||
|
|
||||||
|
|
2
src/nscl
2
src/nscl
|
@ -1 +1 @@
|
||||||
Subproject commit fa49ecb52140aa80db30a7fa834f6358acc94a13
|
Subproject commit 7a302d1d181f7d9ef2bbee716c6c850df8cefdad
|
|
@ -20,10 +20,10 @@
|
||||||
|
|
||||||
ns.on("capabilities", event => {
|
ns.on("capabilities", event => {
|
||||||
if (ns.allows("script")) {
|
if (ns.allows("script")) {
|
||||||
let name = ns.getWindowName();
|
let dangerousRx = /[<"'\`(=:]/g;
|
||||||
if (/[<"'\`(=:]/.test(name)) {
|
if (/[<"'\`(=:]/.test(window.name)) {
|
||||||
console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, name, document.URL);
|
console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, window.name, document.URL);
|
||||||
window.name = window.name.substring(0, window.name.length - name.length);
|
window.name = window.name.replace(dangerousRx, '');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
Loading…
Reference in New Issue