Fixed "Cascade top document restrictions" option not always applied to embedded elements.
This commit is contained in:
parent
deb108761d
commit
db4a5cb502
|
@ -261,6 +261,19 @@ var RequestGuard = (() => {
|
||||||
return redirected;
|
return redirected;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function intersectCapabilities(perms, frameAncestors) {
|
||||||
|
if (frameAncestors && frameAncestors.length > 0 && ns.sync.cascadeRestrictions) {
|
||||||
|
// cascade top document's restrictions to subframes
|
||||||
|
let topUrl = frameAncestors[frameAncestors.length - 1].url;
|
||||||
|
let topPerms = ns.policy.get(topUrl, topUrl).perms;
|
||||||
|
if (topPerms !== perms) {
|
||||||
|
let topCaps = topPerms.capabilities;
|
||||||
|
return new Set([...perms.capabilities].filter(c => topCaps.has(c)));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return perms.capabilities;
|
||||||
|
}
|
||||||
|
|
||||||
const ABORT = {cancel: true}, ALLOW = {};
|
const ABORT = {cancel: true}, ALLOW = {};
|
||||||
const listeners = {
|
const listeners = {
|
||||||
onBeforeRequest(request) {
|
onBeforeRequest(request) {
|
||||||
|
@ -281,13 +294,18 @@ var RequestGuard = (() => {
|
||||||
// livemark request or similar browser-internal, always allow;
|
// livemark request or similar browser-internal, always allow;
|
||||||
return ALLOW;
|
return ALLOW;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (/^(?:data|blob):/.test(url)) {
|
if (/^(?:data|blob):/.test(url)) {
|
||||||
request._dataUrl = url;
|
request._dataUrl = url;
|
||||||
request.url = url = documentUrl;
|
request.url = url = documentUrl;
|
||||||
}
|
}
|
||||||
let allowed = Sites.isInternal(url) ||
|
let allowed = Sites.isInternal(url) ||
|
||||||
!ns.isEnforced(request.tabId) ||
|
!ns.isEnforced(request.tabId) ||
|
||||||
policy.can(url, policyType, originUrl);
|
intersectCapabilities(
|
||||||
|
policy.get(url, documentUrl).perms,
|
||||||
|
request.frameAncestors
|
||||||
|
).has(policyType);
|
||||||
|
|
||||||
Content.reportTo(request, allowed, policyType);
|
Content.reportTo(request, allowed, policyType);
|
||||||
if (!allowed) {
|
if (!allowed) {
|
||||||
debug(`Blocking ${policyType}`, request);
|
debug(`Blocking ${policyType}`, request);
|
||||||
|
@ -319,8 +337,7 @@ var RequestGuard = (() => {
|
||||||
pending = pendingRequests.get(request.requestId);
|
pending = pendingRequests.get(request.requestId);
|
||||||
}
|
}
|
||||||
pending.headersProcessed = true;
|
pending.headersProcessed = true;
|
||||||
let {url, documentUrl, frameAncestors, statusCode, tabId,
|
let {url, documentUrl, tabId, responseHeaders, type} = request;
|
||||||
responseHeaders, type} = request;
|
|
||||||
let isMainFrame = type === "main_frame";
|
let isMainFrame = type === "main_frame";
|
||||||
try {
|
try {
|
||||||
let capabilities;
|
let capabilities;
|
||||||
|
@ -334,17 +351,7 @@ var RequestGuard = (() => {
|
||||||
}
|
}
|
||||||
capabilities = perms.capabilities;
|
capabilities = perms.capabilities;
|
||||||
} else {
|
} else {
|
||||||
capabilities = perms.capabilities;
|
capabilities = intersectCapabilities(perms, request.frameAncestors);
|
||||||
if (frameAncestors && frameAncestors.length > 0 && ns.sync.cascadeRestrictions) {
|
|
||||||
// cascade top document's restrictions to subframes
|
|
||||||
let topUrl = frameAncestors.pop().url;
|
|
||||||
let topPerms = policy.get(topUrl, topUrl).perms;
|
|
||||||
if (topPerms !== perms) {
|
|
||||||
let topCaps = topPerms.capabilities;
|
|
||||||
// intersect capabilities
|
|
||||||
capabilities = new Set([...capabilities].filter(c => topCaps.has(c)));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (isMainFrame || type === "sub_frame") {
|
if (isMainFrame || type === "sub_frame") {
|
||||||
|
|
Loading…
Reference in New Issue