[xss] Removed legacy/obsolete exceptions.

This commit is contained in:
hackademix 2024-10-20 19:24:27 +02:00
parent 019cf8b432
commit ec04a2e0d5
No known key found for this signature in database
GPG Key ID: 231A83AFDA9C2434
1 changed files with 12 additions and 89 deletions


@ -23,13 +23,6 @@
XSS.Exceptions = (() => { XSS.Exceptions = (() => {
var Exceptions = { var Exceptions = {
get legacyExceptions() {
delete this.legacyExceptions;
this.legacyExceptions =
Legacy.getRxPref("filterXExceptions",
Legacy.RX.multi, "g", /^https?:[a-z:/@.?-]*$/i);
return this.legacyExceptions;
},
async getWhitelist() { async getWhitelist() {
return (await Storage.get("sync", "xssWhitelist")).xssWhitelist; return (await Storage.get("sync", "xssWhitelist")).xssWhitelist;
@ -71,16 +64,6 @@ XSS.Exceptions = (() => {
debug("Privileged origin", srcOrigin); // DEV_ONLY debug("Privileged origin", srcOrigin); // DEV_ONLY
} }
// destination or @source matching legacy regexp
if (this.legacyExceptions &&
(this.legacyExceptions.test(unescapedDest) &&
!this.isBadException(xssReq.destDomain) ||
this.legacyExceptions.test("@" + unescape(srcUrl))
)) {
logEx("Legacy exception", this.legacyExceptions);
return true;
}
if (!srcOrigin && isGet) { if (!srcOrigin && isGet) {
if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) { if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
return true; // MSDN from Microsoft VS return true; // MSDN from Microsoft VS
@ -93,20 +76,15 @@ XSS.Exceptions = (() => {
return true; // any about: URL except about:blank return true; // any about: URL except about:blank
if (srcOrigin === "https://www.youtube.com" && if (srcOrigin === "https://www.youtube.com" &&
/^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl) && /^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl)) {
Legacy.getPref("filterXExceptions.yt_comments")
) {
logEx("YouTube comments exception"); logEx("YouTube comments exception");
return true; return true;
} }
if (isPost) { if (isPost) {
if (srcOrigin === "https://sso.post.ch" && destOrigin === "https://app.swisspost.ch") { if (/^https:\/\/(?:twitter|x).com$/.test(srcOrigin) &&
return true; /^https:\/\/.*\.(?:twitter|x)\.com$/.test(destOrigin)) {
}
if (srcOrigin === "https://twitter.com" && /^https:\/\/.*\.twitter\.com$/.test(destOrigin)) {
return true; return true;
} }
@ -119,88 +97,34 @@ XSS.Exceptions = (() => {
if (/^https?:\/\/csr\.ebay\.(?:\w{2,3}|co\.uk)\/cse\/start\.jsf$/.test(srcUrl) && if (/^https?:\/\/csr\.ebay\.(?:\w{2,3}|co\.uk)\/cse\/start\.jsf$/.test(srcUrl) &&
/^https?:\/\/msa-lfn\.ebay\.(?:\w{2,3}|co\.uk)\/ws\/eBayISAPI\.dll\?[^<'"%]*$/.test(unescapedDest) && /^https?:\/\/msa-lfn\.ebay\.(?:\w{2,3}|co\.uk)\/ws\/eBayISAPI\.dll\?[^<'"%]*$/.test(unescapedDest) &&
destObj.protocol === srcObj.protocol && destObj.protocol === srcObj.protocol) {
Legacy.getPref("filterXException.ebay")) {
logEx("Ebay exception"); logEx("Ebay exception");
return true; return true;
} }
if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.(?:l[tv]|com))$/.test(srcUrl) && if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.com)$/.test(srcUrl)) {
Legacy.getPref("filterXException.visa")) {
logEx("Verified by Visa exception"); logEx("Verified by Visa exception");
return true; return true;
} }
if (/\.verizon\.com$/.test(srcOrigin) &&
/^https:\/\/signin\.verizon\.com\/sso\/authsso\/forumLogin\.jsp$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.verizon")) {
logEx("Verizon login exception");
return true;
}
if (/^https?:\/\/mail\.lycos\.com\/lycos\/mail\/MailCompose\.lycos$/.test(srcUrl) && if (/^https?:\/\/mail\.lycos\.com\/lycos\/mail\/MailCompose\.lycos$/.test(srcUrl) &&
/\.lycosmail\.lycos\.com$/.test(destOrigin) && /\.lycosmail\.lycos\.com$/.test(destOrigin)) {
Legacy.getPref("filterXExceptions.lycosmail")) {
logEx("Lycos Mail exception"); logEx("Lycos Mail exception");
return true; return true;
} }
if (/\.livejournal\.com$/.test(srcOrigin) && if (/^https:.*\.livejournal\.com$/.test(srcOrigin) &&
/^https?:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl) && /^https:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl)) {
Legacy.getPref("filterXExceptions.livejournal")) {
logEx("Livejournal comments exception"); logEx("Livejournal comments exception");
return true; return true;
} }
if (srcOrigin == "https://ssl.rapidshare.com" && if (/^https:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
xssReq.srcDomain == "rapidshare.com") { /^https:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl)
logEx("Rapidshare upload exception");
return true;
}
if (srcOrigin == "http://wm.letitbit.net" &&
/^http:\/\/http\.letitbit\.net:81\/cgi-bin\/multi\/upload\.cgi\?/.test(destUrl) &&
Legacy.getPref("filterXExceptions.letitibit")
) {
logEx("letitbit.net upload exception");
return true;
}
if (/\.deviantart\.com$/.test(srcOrigin) &&
/^http:\/\/my\.deviantart\.com\/journal\/update\b/.test(destUrl) &&
Legacy.getPref("filterXExceptions.deviantart")
) {
logEx("deviantart.com journal post exception");
return true;
}
if (srcOrigin == "https://www.mymedicare.gov" &&
destOrigin == "https://myporal.medicare.gov" &&
Legacy.getPref("filterXExceptions.medicare")
) {
logEx("mymedicare.gov exception");
return true;
}
if (/^https?:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
/^https?:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl) &&
Legacy.getPref("filterXExceptions.blogspot")
) { ) {
logEx("blogspot.com template preview exception"); logEx("blogspot.com template preview exception");
return true; return true;
} }
if (/^https?:\/\/www\.readability\.com\/articles\/queue$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.readability")) {
logEx("Readability exception");
return true;
}
if (/^https?:\/\/pdf\.printfriendly\.com\/pdfs\/make$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.printfriendly")) {
logEx("Printfriendly exception");
return true;
}
} }
} }
}, },
@ -235,11 +159,10 @@ XSS.Exceptions = (() => {
/^https:\/\/[^\/]+\.googleusercontent\.com\/gadgets\/ifr\?/.test(destUrl) // Google gadgets /^https:\/\/[^\/]+\.googleusercontent\.com\/gadgets\/ifr\?/.test(destUrl) // Google gadgets
)) { )) {
skipRx = /#[^#]+$/; // remove receiver's hash skipRx = /#[^#]+$/; // remove receiver's hash
} else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl) && Legacy.getPref("filterXExceptions.fbconnect")) { } else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl)) {
skipRx = /&invite_url=javascript[^&]+/; // Zynga stuff skipRx = /&invite_url=javascript[^&]+/; // Zynga stuff
} else if (/^https?:\/\/l\.yimg\.com\/j\/static\/frame\?e=/.test(destUrl) && } else if (/^https?:\/\/l\.yimg\.com\/j\/static\/frame\?e=/.test(destUrl) &&
/\.yahoo\.com$/.test(srcOrigin) && /\.yahoo\.com$/.test(srcOrigin)) {
Legacy.getPref("filterXExceptions.yahoo")) {
skipParams = ['e']; skipParams = ['e'];
} else if (/^https?:\/\/wpcomwidgets\.com\/\?/.test(destUrl)) { } else if (/^https?:\/\/wpcomwidgets\.com\/\?/.test(destUrl)) {
skipParams = ["_data"]; skipParams = ["_data"];
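Review bot: In the twitter/x exception (hunk -93,20 +76,15), the new srcOrigin pattern `/^https:\/\/(?:twitter|x).com$/` leaves the dot before `com` unescaped, so it matches any single character there instead of a literal `.`; the old code compared `srcOrigin === "https://twitter.com"` exactly, so this widens the match beyond what the commit describes. Because a hit here exempts the request from the XSS filter, the pattern should read `/^https:\/\/(?:twitter|x)\.com$/`. Similarly, the new livejournal guard `/^https:.*\.livejournal\.com$/` in hunk -119,88 +97,34 would be tighter as `/^https:\/\/[^/]*\.livejournal\.com$/`, though that one is a hardening rather than a defect. The function containing the twitter/x check begins before its hunk.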