Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[TabGuard] Decouple tab ties cutting from one-shot authorized loads cases for same-site navigation.

This commit is contained in:
hackademix 2023-06-15 23:19:11 +02:00
parent 417d592363
commit df3c164304
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/bg/TabGuard.js
View File

@ -89,33 +89,40 @@ var TabGuard = (() => {
anonymizedTabs.delete(tabId);
let headers = flattenHeaders(requestHeaders);
let shouldCut = false;
let safeAuth = false;
if (headers["sec-fetch-user"] === "?1") {
// user-activated navigation
switch(headers["sec-fetch-site"]) {
case "same-site":
case "same-origin":
// cut only if same site & same tab
// Same site manual navigation:
// cut only if same tab (prevents automatic redirections to victim sites in new tabs)
shouldCut = tab && originUrl === tab.url && ![...TabTies.get(tabId)]
.filter(tid => tid !== tabId).map(TabCache.get)
.some(t => t && t.url === originUrl);
// either way we can send authorization data
safeAuth = true;
break;
case "none":
// nav bar or bookmark
shouldCut = true;
safeAuth = shouldCut = true;
break;
default:
// manual reload?
shouldCut = tab && tab.url === request.url && tab.active;
// cut only on manual reloads
safeAuth = shouldCut = tab && tab.url === request.url && tab.active;
}
}
if (shouldCut) {
debug("[TabGuard] User-typed, bookmark or user-activated same-site-same-tab navigation: scheduling tab ties cut.", tabId, request);
debug("[TabGuard] User-typed, bookmark or user-activated same-site-same-tab navigation: scheduling tab ties cut and loading with auth.", tabId, request);
scheduledCuts.add(request.requestId);
return;
} else {
debug("[TabGuard] Automatic or cross-site navigation, keeping tab ties.", tabId, request);
scheduledCuts.delete(request.requestId);
}
if (safeAuth) {
debug("[TabGuard] User-activated same-site navigation, loading with auth.", tabId, request);
return;
}
}
let targetDomain = getDomain(url);