Initial commit starting at version 10.1.8.3rc4.

hackademix 2018-07-01 01:01:23 +02:00
commit eceae7187a
100 changed files with 23739 additions and 0 deletions

340
GPL.txt Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

16
LICENSE.txt Normal file

@ -0,0 +1,16 @@
NoScript - a Firefox extension for whitelist driven safe JavaScript execution
Copyright (C) 2004-2007 Giorgio Maone - g.maone@informaction.com
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
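Review bot: the notice on the second line still reads `Copyright (C) 2004-2007`, while this commit is dated 2018 and imports version 10.1.8.3rc4. Update the year range here, since this is the notice that accompanies the shipped code.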

24
ReadMe.md Normal file

@ -0,0 +1,24 @@
#NoScript Security Suite
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks, "Spectre", "Meltdown" and other JavaScript exploits.
Fx52? <a href="https://noscript.net/getit">https://noscript.net/getit</a>
<b>IMPORTANT</b>
<a href="https://forums.informaction.com/viewtopic.php?f=7&amp;t=23974&amp;p=94778">A Basic <b>NoScript 10 Guide</b></a>
Still confused by NoScript 10's new UI?
Check this <a href="https://blog.jeaye.com/2017/11/30/noscript/">user-contributed NoScript 10 primer</a>.
and this <a href="https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/">NoScript 10 "Quantum" vs NoScript 5 "Classic" (or "Legacy") comparison</a>.
Winner of the "PC World World Class Award" and bundled with the Tor Browser, NoScript gives you with the best available protection on the web.
It allows JavaScript, Flash, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking site, mitigating remotely exploitable vulnerabilities including Spectre and Meltdown.
It protects your "trust boundaries" against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts, thanks to its unique ClearClick technology.
Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality where you need it.
Experts do agree: Firefox is really safer with NoScript ;-)
FAQ: <a href="https://noscript.net/faq">https://noscript.net/faq</a>
Forum: <a href="https://noscript.net/forum">https://noscript.net/forum</a>
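Review bot: the first line `#NoScript Security Suite` has no space after `#`, so CommonMark renderers show it as literal text rather than a heading, and the rest of the file mixes raw `<a>`/`<b>` HTML into Markdown with no blank lines between paragraphs. Suggest `# NoScript Security Suite`, Markdown links, and changing "gives you with the best" to "gives you the best". `Fx52?` also needs a full sentence saying who should follow the getit link.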

52
TLD/generate.pl Normal file

@ -0,0 +1,52 @@
#!/usr/bin/perl -w
# use strict;
use open ':utf8';
use Regexp::Assemble;
$dat="public_suffix_list.dat";
die(".dat file $dat not found!") unless -f "$dat";
sub generate {
my $src = "./tld_template.js";
my $dst = "./tld.js";
my (@rx, @ex, $rx, $ex);
open(DAT, $dat) || die("Cannot open $dat");
while(<DAT>) {
s/\./\\\./g;
s/\s+utf.*//;
s/\n//;
if(/^!/) {
s/^!//;
push(@ex, lc($_));
} elsif (!/^(\/\/|[ \n\r]|$)/) {
s/\*\\\./[^\\.]+\\./;
push(@rx, lc($_));
}
}
close(DAT);
#$o = Regexp::Optimizer->new;
#$o = Regexp::List->new;
$o = Regexp::Assemble->new;
$_ = $o->add(@rx)->as_string();
s/\(\?-xism:(.*)\)/$1/;
$rx = $_;
@rx = NULL;
$o = Regexp::Assemble->new;
$_ = $o->add(@ex)->as_string();
s/\(\?-xism:(.*)\)/$1/;
$ex = $_;
@ex = NULL;
open(SRC, $src) || die("Cannot open $src");
open(DST, ">$dst") || die("Cannot open $dst");
while(<SRC>) {
s/%tld_rx%/$rx/g;
s/%tld_ex%/$ex/g;
print DST;
print;
}
close(SRC);
close(DST);
}
generate();
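Review bot: in the `while(<DAT>)` loop only `.` is escaped and `*\.` rewritten before each rule is pushed to `@rx` or `@ex`, so any other regex metacharacter, or a `/`, in a line of the downloaded public_suffix_list.dat is handed to Regexp::Assemble as pattern syntax and from there substituted into the `/.../` literals of tld_template.js. Reject (or `die` on) lines that do not match a strict rule pattern before the `push`. Separately, `# use strict;` is commented out, which is what lets `@rx = NULL;` and `@ex = NULL;` pass: they assign the bareword string `NULL` instead of emptying the arrays (`@rx = ();`). The trailing `print;` in the output loop also echoes the whole generated file to stdout on every build.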

18
TLD/generate.sh Normal file

@ -0,0 +1,18 @@
#!/bin/bash
BASE=$(dirname "$0")
pushd "$BASE"
fname=public_suffix_list.dat
nflag=""
if [ -f $fname ]; then
nflag="-z $fname"
fi
URL=https://publicsuffix.org/list/$fname
curl -O $nflag "$URL"
if ! grep 'com' $fname >/dev/null; then
echo >&2 "$fname empty or corrupt!"
exit 1
fi
./generate.pl
popd
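Review bot: `curl -O $nflag "$URL"` runs without `--fail` and its exit status is never checked, so an HTTP error body is saved as public_suffix_list.dat, and the only sanity check, `grep 'com'`, passes on almost any text, including an HTML error page. Add `--fail`, stop if curl returns non-zero, and test for something only the real list contains, for example an exact `^com$` rule, before calling `./generate.pl`. `pushd "$BASE"` should be checked as well, so that a failed directory change cannot drop the download into the caller's working directory.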

12661
TLD/public_suffix_list.dat Normal file

File diff suppressed because it is too large

46
TLD/tld.js Normal file

File diff suppressed because one or more lines are too long

1
TLD/tld_ex.txt Normal file

@ -0,0 +1 @@
congresodelalengua3\.ar|educ\.ar|gobiernoelectronico\.ar|mecon\.ar|nacion\.ar|nic\.ar|promocion\.ar|retina\.ar|uba\.ar|metro\.tokyo\.jp|pref\.aichi\.jp|pref\.akita\.jp|pref\.aomori\.jp|pref\.chiba\.jp|pref\.ehime\.jp|pref\.fukui\.jp|pref\.fukuoka\.jp|pref\.fukushima\.jp|pref\.gifu\.jp|pref\.gunma\.jp|pref\.hiroshima\.jp|pref\.hokkaido\.jp|pref\.hyogo\.jp|pref\.ibaraki\.jp|pref\.ishikawa\.jp|pref\.iwate\.jp|pref\.kagawa\.jp|pref\.kagoshima\.jp|pref\.kanagawa\.jp|pref\.kochi\.jp|pref\.kumamoto\.jp|pref\.kyoto\.jp|pref\.mie\.jp|pref\.miyagi\.jp|pref\.miyazaki\.jp|pref\.nagano\.jp|pref\.nagasaki\.jp|pref\.nara\.jp|pref\.niigata\.jp|pref\.oita\.jp|pref\.okayama\.jp|pref\.okinawa\.jp|pref\.osaka\.jp|pref\.saga\.jp|pref\.saitama\.jp|pref\.shiga\.jp|pref\.shimane\.jp|pref\.shizuoka\.jp|pref\.tochigi\.jp|pref\.tokushima\.jp|pref\.tottori\.jp|pref\.toyama\.jp|pref\.wakayama\.jp|pref\.yamagata\.jp|pref\.yamaguchi\.jp|pref\.yamanashi\.jp|city\.chiba\.jp|city\.fukuoka\.jp|city\.hiroshima\.jp|city\.kawasaki\.jp|city\.kitakyushu\.jp|city\.kobe\.jp|city\.kyoto\.jp|city\.nagoya\.jp|city\.osaka\.jp|city\.saitama\.jp|city\.sapporo\.jp|city\.sendai\.jp|city\.shizuoka\.jp|city\.yokohama\.jp|bl\.uk|british-library\.uk|icnet\.uk|jet\.uk|nel\.uk|nls\.uk|national-library-scotland\.uk|parliament\.uk|

1
TLD/tld_rx.txt Normal file

File diff suppressed because one or more lines are too long

46
TLD/tld_template.js Normal file

@ -0,0 +1,46 @@
var tld = {
normalize(d) { return d; },
isIp(d) { return this._ipRx.test(d); },
getDomain(domain) {
if (domain === "localhost" || this.isIp(domain)) return domain;
domain = this.normalize(domain);
var pos = domain.search(this._tldEx);
if(pos === -1 ) {
pos = domain.search(this._tldRx);
if (pos === -1) {
// TLD not in the public suffix list, fall back to the "one-dot rule"
pos = domain.lastIndexOf(".");
if (pos === -1) {
return "";
}
}
pos = domain.lastIndexOf(".", pos - 1) + 1;
} else if(domain[pos] == ".") {
++pos;
}
return pos <= 0 ? domain : domain.substring(pos);
},
getPublicSuffix(domain) {
if (this.isIp(domain)) return "";
domain = this.normalize(domain);
var pos = domain.search(this._tldEx);
if(pos < 0) {
pos = domain.search(this._tldRx);
if(pos >= 0 && domain[pos] == ".") pos++;
} else {
pos = domain.indexOf(".", pos + 1) + 1;
}
return pos < 0 ? "" : domain.substring(pos);
},
_ipRx: /^(?:0\.|[1-9]\d{0,2}\.){3}(?:0|[1-9]\d{0,2})$|:.*:/i,
_tldRx: /(?:\.|^)%tld_rx%$/
,
_tldEx: /(?:\.|^)%tld_ex%$/
}
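Review bot: `normalize(d) { return d; }` is an identity function, while generate.pl lowercases every rule with `lc($_)` and neither `_tldRx` nor `_tldEx` carries the `i` flag, so a hostname that arrives with uppercase letters misses both patterns in `getDomain` and falls through to the one-dot rule. Either lowercase in `normalize` or add a comment stating that callers must pass an already lowercased hostname. `_ipRx` also accepts octets up to 999 and, through the `|:.*:` branch, any string containing two colons; if that leniency is intentional it deserves a comment.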

3
TLD/try.sh Normal file

@ -0,0 +1,3 @@
#!/bin/sh
perl -ne 'if (! /^(\/\/|!|[ \n\r])/) { s/\n/\|/; s/\./\\\./g ; s/\*\\\./[^\\.]+\\./; s/\s+utf.*/|/; print }' *.dat > tld_rx.txt
perl -ne 'if (/^!/) { s/\n/\|/; s/\./\\\./g ; s/^!//; s/\s+utf.*/|/; print }' *.dat > tld_ex.txt
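Review bot: both one-liners turn every newline into `|`, so the output ends with a trailing `|` (visible at the end of the committed tld_ex.txt), and used as an alternation that adds an empty branch which matches every input. generate.pl in this commit builds its patterns from the .dat file directly and does not read tld_rx.txt or tld_ex.txt, so either drop try.sh and the two .txt files or add a header comment saying they are scratch output that must not be pasted into tld_template.js. The `*.dat` glob should name public_suffix_list.dat explicitly.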

60
build.sh Normal file

@ -0,0 +1,60 @@
#!/bin/bash
BASE=$PWD
SRC="$BASE/src"
BUILD="$BASE/build"
MANIFEST_IN="$SRC/manifest.json"
MANIFEST_OUT="$BUILD/manifest.json"
VER=$(grep '"version":' "$SRC/manifest.json" | sed -re 's/.*": "(.*?)".*/\1/')
XPI_DIR="$BASE/xpi"
XPI="$XPI_DIR/noscript-$VER"
LIB="$SRC/lib"
TLD="$BASE/TLD"
if ! [ $(date -r "$LIB/tld.js" +'%Y%m%d') -ge $(date +'%Y%m%d') ] && "$TLD/generate.sh"; then
cp -u "$TLD/tld.js" $LIB
fi
./html5_events.pl
rm -rf $BUILD $XPI
cp -pR $SRC $BUILD
if [[ $VER == *rc* ]]; then
sed -re 's/^(\s+)"strict_min_version":.*$/\1"update_url": "https:\/\/secure.informaction.com\/update\/?v='$VER'",\n\0/' \
"$MANIFEST_IN" > "$MANIFEST_OUT"
else
grep -v '"update_url":' "$MANIFEST_IN" > "$MANIFEST_OUT"
fi
if ! grep '"id":' "$MANIFEST_OUT" >/dev/null; then
echo >&2 "Cannot build manifest.json"
exit 1
fi
sed -re 's/\/\/\s*(.*)\s*\/\/ XPI_ONLY/\1/' $SRC/content/content.js > $BUILD/content/content.js
if [ "$1" == "sign" ]; then
BUILD_CMD="$BASE/../../we-sign"
BUILD_OPTS=""
else
BUILD_CMD="web-ext"
BUILD_OPTS="build"
fi
echo "Creating $XPI.xpi..."
mkdir -p $XPI_DIR
"$BUILD_CMD" $BUILD_OPTS --source-dir=$(cygpath -w $BUILD) --artifacts-dir=$(cygpath -w $XPI_DIR) --ignore-files=test/XSS_test.js
SIGNED="$XPI_DIR/noscript_security_suite-$VER-an+fx.xpi"
if [ -f "$SIGNED" ]; then
mv "$SIGNED" "$XPI.xpi"
elif [ -f "$XPI.zip" ]; then
mv "$XPI.zip" "$XPI.xpi"
else
echo >&2 "ERROR: Could not create $XPI.xpi!"
exit 3
fi
echo "Created $XPI.xpi"
rm -rf "$BUILD"
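Review bot: `rm -rf $BUILD $XPI` and `cp -pR $SRC $BUILD` use unquoted paths derived from `BASE=$PWD`, so a checkout path containing spaces makes `rm -rf` act on the split words; quote every expansion the way the final `rm -rf "$BUILD"` already does. The script also has no `set -e` and ignores the exit status of `./html5_events.pl`, so a failed fetch there (it calls `die`) still ends in a packaged XPI. In the first `if`, `date -r "$LIB/tld.js"` prints nothing when the file is missing, which leaves the `-ge` test without its left operand, and `--source-dir=$(cygpath -w $BUILD)` ties the build to Cygwin without saying so anywhere.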

99
html5_events.pl Normal file

@ -0,0 +1,99 @@
#!/usr/bin/perl
use strict;
require LWP::UserAgent;
use LWP::Simple;
use RegExp::List;
use File::stat;
use File::Basename;
use List::MoreUtils qw(uniq);
my $HTML5_URL = "https://hg.mozilla.org/mozilla-central/raw-file/tip/parser/html/nsHtml5AtomList.h";
my $GECKO_URL = "https://hg.mozilla.org/mozilla-central/raw-file/tip/xpcom/ds/nsGkAtomList.h";
my $HERE = dirname($0);
my $SOURCE_FILE = $HERE . '/src/xss/InjectionChecker.js';
sub create_re
{
my $cache = "$HERE/html5_events.re";
my $sb = stat($cache);
if ($sb && time() - $sb->mtime < 86400)
{
open IN, "<$cache";
my @content = <IN>;
close IN;
return $content[0];
}
sub fetch_url
{
my $url = shift(@_);
my $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0');
$ua->ssl_opts('verify_hostname' => 0);
my $res = $ua->get($url);
if ($res->is_success)
{
return $res->decoded_content;
}
else
{
my $err = $res->content;
my $ca_file = $ua->ssl_opts('SSL_ca_file');
die ("Could not fetch $url: $err\n$ca_file");
}
}
my $content = # fetch_url($HTML5_URL) .
fetch_url($GECKO_URL);
$content = join("\n", grep(/^(?:HTML5|GK)_ATOM.*"on\w+"/, split(/[\n\r]/, $content)));
$content =~ s/.*"(on\w+)".*/$1 /g;
$content =~ s/\s+/ /g;
$content =~ s/^\s+|\s+$//g;
my $l = Regexp::List->new;
my $re = $l->list2re(uniq(split(' ', $content)));
$re =~ s/\(\?[-^]\w+:(.*)\)/$1/;
open (OUT, ">$cache");
print OUT $re;
close OUT;
$re;
}
sub patch
{
my $src = shift;
my $dst = "$src.tmp";
my $re = create_re();
my $must_replace = 0;
print "Patching $src...\n";
open IN, "<$src" or die ("Can't open $src!");
open OUT, ">$dst" or die ("Can't open $dst!");
while (<IN>)
{
my $line = $_;
$must_replace = $line ne $_ if s/^(\s*const IC_EVENT_PATTERN\s*=\s*")([^"]+)/$1$re/;
print OUT $_;
}
close IN;
close OUT;
if ($must_replace) {
rename $dst, $src;
print "Patched.\n";
}
else
{
unlink $dst;
print "Nothing to do.\n";
}
}
patch($SOURCE_FILE);
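Review bot: `$ua->ssl_opts('verify_hostname' => 0);` in `fetch_url` turns off TLS hostname verification for the download of nsGkAtomList.h, and the fetched text becomes the `IC_EVENT_PATTERN` regex that `patch` writes into src/xss/InjectionChecker.js, so anyone on the network path at build time can change which event handler names the XSS filter recognizes. Remove that line (LWP verifies by default), and if a missing CA bundle was the reason, set `SSL_ca_file` instead. It would also help to pin `$GECKO_URL` to a revision rather than `tip`, to `die` when the extracted event list is empty instead of writing an empty pattern, and to make `use RegExp::List;` match the `Regexp::List->new` spelling used further down, since the mismatched case only loads on a case-insensitive filesystem.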

1
html5_events.re Normal file

@ -0,0 +1 @@
on(?:p(?:o(?:inter(?:l(?:ock(?:change|error)|eave)|o(?:ver|ut)|cancel|enter|down|move|up)|p(?:up(?:hid(?:den|ing)|show(?:ing|n)|positioned)|state))|a(?:ge(?:hide|show)|(?:st|us)e)|ush(?:subscriptionchange)?|ro(?:cessorerror|gress)|lay(?:ing)?|hoto)|Moz(?:S(?:wipeGesture(?:(?:May)?Start|Update|End)?|crolledAreaChanged)|M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|m(?:o(?:z(?:pointerlock(?:change|error)|fullscreen(?:change|error)|key(?:down|up)onplugin|accesskeynotfound|orientationchange)|use(?:l(?:ongtap|eave)|o(?:ver|ut)|enter|wheel|down|move|up))|(?:idimessag|ut)e|essage(?:error)?|ark)|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rollerchange|extmenu)|nect(?:ionavailable)?)|py)|h(?:(?:arging(?:time)?ch)?ange|ecking)|a(?:n(?:play(?:through)?|cel)|ched)|u(?:echange|t)|l(?:ick|ose))|s(?:ou(?:rce(?:(?:clos|end)ed|open)|nd(?:start|end))|e(?:lect(?:ionchange|start)?|ek(?:ing|ed)|t)|h(?:ipping(?:address|option)change|ow)|t(?:a(?:techange|lled|rt)|o(?:rage|p))|u(?:ccess|spend|bmit)|peech(?:start|end)|croll)|d(?:r(?:a(?:g(?:e(?:n(?:ter|d)|xit)|leave|start|drop|over)?|in)|op)|evice(?:(?:orienta|mo)tion|proximity|change|light)|(?:ischargingtime|uration)change|ata(?:available)?|ownloading|blclick)|a(?:nimation(?:iteration|cancel|start|end)|u(?:dio(?:process|start|end)|xclick)|b(?:solutedeviceorientation|ort)|fter(?:scriptexecute|print)|dd(?:sourcebuffer|track)|ppinstalled|ctivate)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:ourcetimingbufferfull|ponseprogress|u(?:lt|me)|ize|et)|move(?:sourcebuffer|track)|adystatechange|pea(?:tEven)?t|questprogress)|atechange)|w(?:ebkit(?:Animation(?:Iteration|Start|End)|animation(?:iteration|start|end)|(?:TransitionE|transitione)nd)|a(?:iting(?:forkey)?|rning)|heel)|v(?:rdisplay
(?:(?:presentchang|activat)e|d(?:eactivate|isconnect)|connect)|o(?:iceschanged|lumechange)|(?:isibility|ersion)change)|b(?:e(?:fore(?:p(?:aste|rint)|scriptexecute|c(?:opy|ut)|unload)|gin(?:Event)?)|ufferedamountlow|l(?:ocked|ur)|roadcast|oundary)|t(?:o(?:uch(?:cancel|start|move|end)|ggle)|ransition(?:cancel|start|end|run)|ime(?:update|out)|e(?:rminate|xt)|ypechange)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|ing(?:error|done)?|start)?|stpointercapture)|(?:anguage|evel)change|y)|u(?:p(?:date(?:(?:fou|e)nd|ready|start)?|gradeneeded)|n(?:derflow|load|mute)|serproximity)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|otpointercapture|et)|o(?:(?:rientationchang|(?:ff|n)lin|bsolet)e|verflow|pen)|e(?:n(?:d(?:Event|ed)?|crypted|ter)|mptied|rror|xit)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?|inish)|no(?:tificationcl(?:ick|ose)|update|match)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|key(?:statuseschange|press|down|up)|(?:CheckboxStateC|hashc)hange|R(?:adioStateChange|equest)|in(?:stall|valid|put)|AppCommand|zoom)


@ -0,0 +1,675 @@
{
"Add": {
"message": "Add"
},
"Add_accesskey": {
"message": "A"
},
"AdditionalPermissions": {
"message": "Additional permissions for trusted sites"
},
"AdditionalRestrictions": {
"message": "Additional restrictions for untrusted sites"
},
"SectionAdvanced": {
"message": "Advanced"
},
"Allow": {
"message": "Allow"
},
"Allow_accesskey": {
"message": "l"
},
"AllowBookmarks": {
"message": "Allow sites opened through bookmarks"
},
"AllowClipboard": {
"message": "Allow rich text copy and paste from external clipboard"
},
"AllowLocalLinks": {
"message": "Allow local links"
},
"AllowPage": {
"message": "Allow all this page"
},
"AllowPage_accesskey": {
"message": "A"
},
"AllowPing": {
"message": "Allow <A PING…>"
},
"AllowViaBookmarks": {
"message": "Allow sites opened through bookmarks"
},
"AlwaysBlockUntrustedContent": {
"message": "Block every object coming from a site marked as untrusted"
},
"SectionAppearance": {
"message": "Appearance"
},
"AutoAllowTopLevel": {
"message": "Temporarily set top-level sites to TRUSTED"
},
"AutoReload": {
"message": "Automatically reload affected pages when permissions change"
},
"AutoReload_currentTab": {
"message": "Reload the current tab only"
},
"BaseDom": {
"message": "Base 2nd level Domains (noscript.net)"
},
"BlockedItems": {
"message": "Blocked $1 of $2 items."
},
"BlockedObjects": {
"message": "NoScript Blocked Objects"
},
"BookmarkSync": {
"message": "Backup NoScript configuration in a bookmark for easy synchronization"
},
"Cancel": {
"message": "Cancel"
},
"CascadePermissions": {
"message": "Cascade top document's permissions to 3rd party scripts"
},
"ClearClickDescription": {
"message": "NoScript intercepted a mouse or keyboard interaction with a partially hidden element. Click on the image below to cycle between the obstructed and the clear version."
},
"ClearClickHeader": {
"message": "Potential Clickjacking / UI Redressing Attempt!"
},
"ClearClickOpt": {
"message": "ClearClick protection on pages…"
},
"ClearClickReport": {
"message": "Report"
},
"ClearClickReport_accesskey": {
"message": "R"
},
"ClearClickReportId": {
"message": "Report ID:"
},
"ClearClickTitle": {
"message": "ClearClick Warning"
},
"Close": {
"message": "Close"
},
"CollapseBlockedObjects": {
"message": "Collapse blocked objects"
},
"ConfirmUnblock": {
"message": "Ask for confirmation before temporarily unblocking an object"
},
"ContentBlocker": {
"message": "Apply these restrictions to whitelisted sites too"
},
"CtxMenu": {
"message": "Contextual menu"
},
"Custom": {
"message": "Custom"
},
"CustomizePresets": {
"message": "Preset customization (for all the sites sharing a preset)"
},
"Default": {
"message": "Default"
},
"DefaultPolicies": {
"message": "Default Policies"
},
"Description": {
"message": "Extra protection for your Firefox: NoScript allows JavaScript, Flash (and other plugins) only for trusted domains of your choice (e.g. your home-banking web site). This whitelist based pre-emptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality… Experts will agree: Firefox is really safer with NoScript :-)"
},
"Donate": {
"message": "Donate"
},
"Donate_accesskey": {
"message": "o"
},
"Embeddings": {
"message": "Embeddings"
},
"Exceptions": {
"message": "Exceptions…"
},
"Export": {
"message": "Export"
},
"Export_accesskey": {
"message": "E"
},
"FixLinks": {
"message": "Attempt to fix JavaScript links"
},
"Hider": {
"message": "Drop here to hide."
},
"Reveal": {
"message": "Click here to retrieve missing buttons…"
},
"ShowFullAddresses": {
"message": "List full addresses in the permissions popup (https://www.noscript.net)"
},
"SectionGeneral": {
"message": "General"
},
"GlobalHttpsWhitelist": {
"message": "Allow HTTPS scripts globally on HTTPS documents"
},
"NotEnforced": {
"message": "Restrictions disabled"
},
"NoEnforcement": {
"message": "Disable restrictions globally (dangerous)"
},
"Enforce": {
"message": "Enable restrictions globally"
},
"NoEnforcementForTab": {
"message": "Disable restrictions for this tab"
},
"EnforceForTab": {
"message": "Enable restrictions for this tab"
},
"httpsOnly": {
"message": "Match HTTPS content only"
},
"Https": {
"message": "HTTPS"
},
"Https_always": {
"message": "Always"
},
"Https_behavior": {
"message": "Behavior"
},
"Https_cookies": {
"message": "Cookies"
},
"Https_description": {
"message": "Forbid active web content unless it comes from a secure (HTTPS) connection:"
},
"Https_never": {
"message": "Never"
},
"Https_proxy": {
"message": "When using a proxy (recommended with Tor)"
},
"HttpsFaq": {
"message": "HTTPS FAQ…"
},
"HttpsFaq_accesskey": {
"message": "Q"
},
"HttpsForced": {
"message": "Force the following sites to use secure (HTTPS) connections:"
},
"HttpsForcedExceptions": {
"message": "Never force secure (HTTPS) connections for the following sites:"
},
"Import": {
"message": "Import"
},
"Import_accesskey": {
"message": "I"
},
"KeepLocked": {
"message": "Keep this element locked (recommended)"
},
"MatchSample": {
"message": "Pattern matching sample:"
},
"Next": {
"message": "Next"
},
"NoUntrustedPlaceholder": {
"message": "No placeholder for objects coming from sites marked as untrusted"
},
"Notifications": {
"message": "Notifications"
},
"Notify": {
"message": "Show message about blocked scripts"
},
"Notify_bottom": {
"message": "Place message at the bottom"
},
"NotifyMeta": {
"message": "Show message about blocked META redirections"
},
"NotifyMeta_accesskey": {
"message": "R"
},
"NselForce": {
"message": "Show the <NOSCRIPT> element which follows a blocked <SCRIPT>"
},
"NselNever": {
"message": "Hide <NOSCRIPT> elements"
},
"OK": {
"message": "OK"
},
"OptBlockCssScanners": {
"message": "Block CSS-based scanners"
},
"OptFilterXGet": {
"message": "Sanitize cross-site suspicious requests"
},
"OptFilterXPost": {
"message": "Turn cross-site POST requests into data-less GET requests"
},
"Options": {
"message": "Options…"
},
"Options_accesskey": {
"message": "O"
},
"OptionsLong": {
"message": "NoScript Options"
},
"OptionsWidth": {
"message": "40em"
},
"PermanentInPrivate": {
"message": "Permanent \"Allow\" commands in private windows"
},
"SectionSitePermissions": {
"message": "Per-site Permissions"
},
"PermissionsText": {
"message": "You can specify which web sites are allowed to execute scripts. Type the address or the domain (e.g. \"http://www.site.com\" or \"site.com\") of the site you want to allow and then click Allow."
},
"Plugins": {
"message": "Plugins"
},
"Policies": {
"message": "Policies"
},
"Preset": {
"message": "Security Level"
},
"Preset_high": {
"message": "Fortress (Full lockdown)"
},
"Preset_low": {
"message": "Easy going (Blacklist + Web Security)"
},
"Preset_medium": {
"message": "Classic (Whitelist + Web Security)"
},
"Preset_off": {
"message": "Off (are you serious?!)"
},
"Prev": {
"message": "Previous"
},
"RecentBlocked": {
"message": "Recently blocked sites"
},
"Refresh": {
"message": "Refresh"
},
"ReloadWarn": {
"message": "These options will take effect on new or (manually) reloaded pages"
},
"RemoveSelected": {
"message": "Remove Selected Sites"
},
"Reset": {
"message": "Reset"
},
"Reset_accesskey": {
"message": "s"
},
"ResetDef": {
"message": "Reset to Default"
},
"ResetDef_accesskey": {
"message": "D"
},
"RestrictSubdocScripting": {
"message": "Block scripting in whitelisted subdocuments of non-whitelisted pages"
},
"RevokeTemp": {
"message": "Revoke Temporary Permissions"
},
"RevokeTemp_accesskey": {
"message": "R"
},
"SecureCookies": {
"message": "Enable Automatic Secure Cookies Management"
},
"SecureCookiesExceptions": {
"message": "Ignore unsafe cookies set over HTTPS by the following sites:"
},
"SecureCookiesForced": {
"message": "Force encryption for all the cookies set over HTTPS by the following sites:"
},
"SecurityManager": {
"message": "Security Manager"
},
"Show": {
"message": "Show…"
},
"ShowConsole": {
"message": "Show Console…"
},
"ShowConsole_accesskey": {
"message": "S"
},
"ShowPlaceholder": {
"message": "Show placeholder icon"
},
"ShowReleaseNotes": {
"message": "Display the release notes on updates"
},
"ShowCtxMenuItem": {
"message": "Show NoScript contextual menu item"
},
"ShowCountBadge": {
"message": "Display script count badge"
},
"SitePermissions": {
"message": "Site Permissions"
},
"SitePermissions_accessKey": {
"message": "S"
},
"SitePolicies": {
"message": "Site Specific Policies"
},
"TempTrustPage": {
"message": "Set all on this page to Temporarily TRUSTED"
},
"TempTrustPage_accesskey": {
"message": "T"
},
"TempToPerm": {
"message": "Make page permissions permanent"
},
"TempToPerm_accesskey": {
"message": "M"
},
"Trust": {
"message": "Mark as Trusted"
},
"Trust_accesskey": {
"message": "T"
},
"Trusted": {
"message": "Trusted"
},
"Trusted_temporary": {
"message": "Temp. TRUSTED"
},
"Trusted_permanent": {
"message": "TRUSTED"
},
"TrustedPagesAdj": {
"message": "trusted"
},
"Uninstall": {
"message": "Uninstall"
},
"Unknown": {
"message": "Unknown"
},
"UnsafeReload": {
"message": "Unsafe Reload"
},
"UnsafeReload_accesskey": {
"message": "R"
},
"Untrust": {
"message": "Mark as Untrusted"
},
"Untrust_accesskey": {
"message": "U"
},
"Untrusted": {
"message": "Untrusted"
},
"UntrustedPagesAdj": {
"message": "untrusted"
},
"WebAddress": {
"message": "Search or add a web site:"
},
"WebAddress_accesskey": {
"message": "w"
},
"Whitelist": {
"message": "Whitelist"
},
"XSS_notify": {
"message": "Show XSS notifications"
},
"XSS_clearUserChoices": {
"message": "Clear XSS Choices"
},
"XSS_promptTitle": {
"message": "NoScript XSS Warning"
},
"XSS_promptMessage": {
"message": "NoScript detected a potential Cross-Site Scripting attack\nfrom $1 to $2.\nSuspicious data:\n$3"
},
"XSS_optBlock": {
"message": "Block this request"
},
"XSS_optSanitize": {
"message": "Sanitize this request"
},
"XSS_optAllow": {
"message": "Allow this request"
},
"XSS_optAlwaysAllow": {
"message": "Always allow document requests from $1 to $2"
},
"XSS_optAlwaysBlock": {
"message": "Always block document requests from $1 to $2"
},
"Xss": {
"message": "XSS"
},
"Xss_accesskey": {
"message": "X"
},
"XssExceptions": {
"message": "Anti-XSS Protection Exceptions"
},
"XssExceptions_description": {
"message": "Destinations matching these regular expressions will NOT be protected against XSS."
},
"XssFaq": {
"message": "XSS FAQ…"
},
"XssFaq_accesskey": {
"message": "Q"
},
"about": {
"message": "About $1"
},
"allowFrom": {
"message": "Allow all from $1"
},
"allowGlobal": {
"message": "Disable all the permissions checks (dangerous)"
},
"allowLocal": {
"message": "Allow $1"
},
"allowTemp": {
"message": "Temporarily allow $1"
},
"allowTempFrom": {
"message": "Temporarily allow all from $1"
},
"allowed_no": {
"message": "Scripts Currently Forbidden"
},
"allowed_prt": {
"message": "Scripts Partially Allowed"
},
"allowed_yes": {
"message": "Scripts Currently Allowed"
},
"alwaysAsk": {
"message": "Always ask for confirmation"
},
"audio_samples": {
"message": "Audio samples"
},
"bookmarkSync_confirm": {
"message": "NoScript has found a configuration bookmark seemingly saved on\n$1.\nDo you really want to overwrite your local NoScript configuration with this bookmark's content?"
},
"bookmarkSync_message": {
"message": "This bookmark is NOT meant to be opened, but to be synchronized using a service such as Weave or the XMarks extension."
},
"bookmarkSync_title": {
"message": "NoScript Configuration Bookmark"
},
"cap_script": {
"message": "script"
},
"cap_frame": {
"message": "frame"
},
"cap_object": {
"message": "object"
},
"cap_media": {
"message": "media"
},
"cap_font": {
"message": "font"
},
"cap_webgl": {
"message": "webgl"
},
"cap_fetch": {
"message": "fetch"
},
"cap_other": {
"message": "other"
},
"changelog": {
"message": "Changelog"
},
"changelog_tip": {
"message": "Show changelog"
},
"confirm": {
"message": "Are you sure?"
},
"disable": {
"message": "Disable $1"
},
"disable_accessKey": {
"message": "D"
},
"distrust": {
"message": "Mark $1 as Untrusted"
},
"extensionContributors": {
"message": "Contributors:"
},
"extensionContributors_tip": {
"message": "People you should thank for this extension"
},
"extensionCreator_tip": {
"message": "Visit author home page"
},
"extensionCreatorLabel": {
"message": "Author:"
},
"extensionHomepage_tip": {
"message": "Visit extension home page"
},
"forbidGlobal": {
"message": "Forbid Scripts Globally (advised)"
},
"forbidLocal": {
"message": "Forbid $1"
},
"freshInstallReload": {
"message": "In order to operate on this tab, NoScript needs to reload it.\nProceed?"
},
"privilegedPage": {
"message": "This is a privileged page, whose permissions cannot be configured."
},
"incompatibleOptions": {
"message": "\"$1\"\nis incompatible with \"$2\".\nDo you want to enable the former and disable the latter?"
},
"incompatibleOptions_title": {
"message": "Incompatible Options Warning"
},
"informaction_tip": {
"message": "Visit InformAction home page"
},
"license": {
"message": "License"
},
"license_tip": {
"message": "Read end-user license"
},
"logo_tip": {
"message": "Visit extension home page"
},
"metaRefresh_notify": {
"message": "NoScript blocked a <META> redirection inside a <NOSCRIPT> element: $1 in $2 seconds."
},
"Reload": {
"message": "Reload"
},
"removal_message": {
"message": "By disabling or uninstalling NoScript, you give up ALL the protections provided by NoScript.\n\nIf you're just tired of handling script permissions site by site, there's a safer choice.\n\nNoScript can stop blocking scripts, except those you mark as untrusted, while still protecting you with the most advanced security countermeasures against XSS, Clickjacking, CSRF and other web threats.\n\nDo you really want to remove ALL the NoScript protections?\n"
},
"removal_no": {
"message": "No, just stop blocking scripts"
},
"removal_title": {
"message": "Security Downgrade Warning"
},
"removal_yes": {
"message": "Yes, remove ALL protections"
},
"reset_title": {
"message": "NoScript Reset"
},
"reset_warning": {
"message": "ALL the NoScript preferences and site permissions will be reset to their default values immediately.\nThis action cannot be reverted.\nDo you want to continue?"
},
"siteInfo_confirm": {
"message": "You're about to ask for information about the \"$1\" site\nby submitting a query to $2.\nDo you want to continue?"
},
"siteInfo_tooltip": {
"message": "Middle-click or shift+click for site info..."
},
"sponsor_tip": {
"message": "Visit sponsor home page"
},
"unsafeReload_warning": {
"message": "UNSAFELY reloading a suspicious\n\n$1 [$2]\n\nFROM [$3]\n\nNoScript will NOT protect this request!\n"
},
"untrustedOrigin": {
"message": "an untrusted origin"
},
"version": {
"message": "Version $1"
},
"versionShort": {
"message": "v $1"
}
}
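Review bot: the access-key entries are not named consistently: "SitePermissions_accessKey" and "disable_accessKey" use a capital K, while every other entry in this file uses the "_accesskey" suffix (Add_accesskey, Allow_accesskey, Options_accesskey and so on). If callers build the key by appending "_accesskey", these two lookups will miss; rename them or confirm the callers use the same spelling. Also, "AllowBookmarks" and "AllowViaBookmarks" carry the identical message, so one of them looks like a leftover, and "siteInfo_tooltip" ends in three ASCII dots where the rest of the file uses "…".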

549
src/bg/RequestGuard.js Normal file

@ -0,0 +1,549 @@
var RequestGuard = (() => {
'use strict';
const VERSION_LABEL = `NoScript ${browser.runtime.getManifest().version}`;
browser.browserAction.setTitle({title: VERSION_LABEL});
const REPORT_URI = "https://noscript-csp.invalid/__NoScript_Probe__/";
const REPORT_GROUP = "NoScript-Endpoint";
const REPORT_TO = {
name: "Report-To",
value: JSON.stringify({ "url": REPORT_URI,
"group": REPORT_GROUP,
"max-age": 10886400 }),
};
const CSP = {
name: "content-security-policy",
start: `report-uri ${REPORT_URI};`,
end: `;report-to ${REPORT_URI};`,
isMine(header) {
let {name, value} = header;
if (name.toLowerCase() !== CSP.name) return false;
let startIdx = value.indexOf(this.start);
return startIdx > -1 && startIdx < value.lastIndexOf(this.end);
},
inject(headerValue, mine) {
let startIdx = headerValue.indexOf(this.start);
if (startIdx < 0) return `${headerValue};${mine}`;
let endIdx = headerValue.lastIndexOf(this.end);
let retValue = `${headerValue.substring(0, startIdx)}${mine}`;
return endIdx < 0 ? retValue : `${retValue}${headerValue.substring(endIdx + this.end.length + 1)}`;
},
create(...directives) {
return `${this.start}${directives.join(';')}${this.end}`;
},
createBlocker(...types) {
return this.create(...(types.map(type => `${type.name || type}-src ${type.value || "'none'"}`)));
},
blocks(header, type) {
return header.includes(`;${type}-src 'none';`)
},
types: ["script", "object", "media"],
};
const policyTypesMap = {
main_frame: "",
sub_frame: "frame",
script: "script",
xslt: "script",
xbl: "script",
font: "font",
object: "object",
object_subrequest: "fetch",
xmlhttprequest: "fetch",
ping: "ping",
beacon: "ping",
media: "media",
other: "",
};
const allTypes = Object.keys(policyTypesMap);
Object.assign(policyTypesMap, {"webgl": "webgl"}); // fake types
const FORBID_DATAURI_TYPES = ["font", "media", "object"];
const TabStatus = {
map: new Map(),
types: ["script", "object", "media", "frame", "font"],
newRecords() {
return {
allowed: {},
blocked: {},
noscriptFrames: {},
}
},
initTab(tabId, records = this.newRecords()) {
this.map.set(tabId, records);
return records;
},
_record(request, what, optValue) {
let {tabId, frameId, type, url, documentUrl} = request;
let policyType = policyTypesMap[type] || type;
let requestKey = Policy.requestKey(url, documentUrl, policyType);
let map = this.map;
let records;
if (map.has(tabId)) {
records = map.get(tabId);
} else {
records = this.initTab(tabId);
}
if (what === "noscriptFrame") {
let nsf = records.noscriptFrames;
if (frameId in nsf) {
return null;
}
nsf[frameId] = optValue;
what = optValue ? "blocked" : "allowed";
if (frameId === 0) {
request.type = type = "main_frame";
Content.reportTo(request, optValue, type);
}
}
let collection = records[what];
if (type in collection) {
if (!collection[type].includes(requestKey)) {
collection[type].push(requestKey);
}
} else {
collection[type] = [requestKey];
}
return records;
},
record(request, what, optValue) {
let records = this._record(request, what, optValue);
if (records) {
this.updateTab(request.tabId);
}
},
_pendingTabs: new Set(),
updateTab(tabId) {
if (this._pendingTabs.size === 0) {
window.setTimeout(() => { // clamp UI updates
for (let tabId of this._pendingTabs) {
this._updateTabNow(tabId);
}
this._pendingTabs.clear();
}, 200);
}
this._pendingTabs.add(tabId);
},
_updateTabNow(tabId) {
this._pendingTabs.delete(tabId);
let records = this.map.get(tabId) || this.initTab(tabId);
let {allowed, blocked, noscriptFrames} = records;
let topAllowed = !(noscriptFrames && noscriptFrames[0]);
let numAllowed = 0, numBlocked = 0, sum = 0;
let report = this.types.map(t => {
let a = allowed[t] && allowed[t].length || 0, b = blocked[t] && blocked[t].length || 0, s = a + b;
numAllowed+= a, numBlocked += b, sum += s;
return s && `<${t === "sub_frame" ? "frame" : t}>: ${b}/${s}`;
}).filter(s => s).join("\n");
let enforced = ns.isEnforced(tabId);
let icon = topAllowed ?
(numBlocked ? "part"
: enforced ? "yes" : "global")
: (numAllowed ? "sub" : "no");
let showBadge = ns.local.showCountBadge && numBlocked > 0;
let browserAction = browser.browserAction;
browserAction.setIcon({tabId, path: {64: `/img/ui-${icon}64.png`}});
browserAction.setBadgeText({tabId, text: showBadge ? numBlocked.toString() : ""});
browserAction.setBadgeBackgroundColor({tabId, color: [255, 0, 0, 128]});
browserAction.setTitle({tabId,
title: `${VERSION_LABEL} \n${enforced ?
_("BlockedItems", [numBlocked, numAllowed + numBlocked]) + ` \n${report}`
: _("NotEnforced")}`
});
},
totalize(sum, value) {
return sum + value;
},
async probe(tabId) {
if (tabId === undefined) {
(await browser.tabs.query({})).forEach(tab => TabStatus.probe(tab.id));
} else {
try {
TabStatus.recordAll(tabId, await ns.collectSeen(tabId));
} catch (e) {
error(e);
}
}
},
recordAll(tabId, seen) {
if (seen) {
let records = TabStatus.map.get(tabId);
if (records) {
records.allowed = {};
records.blocked = {};
}
for (let thing of seen) {
thing.request.tabId = tabId;
TabStatus._record(thing.request, thing.allowed ? "allowed" : "blocked");
}
this._updateTabNow(tabId);
}
},
async onActivatedTab(info) {
let {tabId} = info;
let seen = await ns.collectSeen(tabId);
TabStatus.recordAll(tabId, seen);
},
onRemovedTab(tabId) {
TabStatus.map.delete(tabId);
},
}
browser.tabs.onActivated.addListener(TabStatus.onActivatedTab);
browser.tabs.onRemoved.addListener(TabStatus.onRemovedTab);
if (!("setIcon" in browser.browserAction)) { // unsupported on Android
TabStatus._updateTabNow = TabStatus.updateTab = () => {};
}
const Content = {
async hearFrom(message, sender) {
debug("Received message from content", message, sender);
switch (message.type) {
case "pageshow":
TabStatus.recordAll(sender.tab.id, message.seen);
return true;
case "enable":
let {url, documentUrl, policyType} = message;
let TAG = `<${policyType.toUpperCase()}>`;
let origin = Sites.origin(url);
let {siteKey} = Sites.parse(url);
let options;
if (siteKey === origin) {
TAG += `@${siteKey}`;
} else {
options = [
{label: _("allowLocal", siteKey), checked: true},
{label: _("allowLocal", origin)}
];
}
// let parsedDoc = Sites.parse(documentUrl);
let t = u => `${TAG}@${u}`;
let ret = await Prompts.prompt({
title: _("BlockedObjects"),
message: _("allowLocal", TAG),
options});
debug(`Prompt returned %o`);
if (ret.button !== 0) return;
let key = [siteKey, origin][ret.option || 0];
if (!key) return;
let {siteMatch, contextMatch, perms} = ns.policy.get(key, documentUrl);
let {capabilities} = perms;
if (!capabilities.has(policyType)) {
perms = new Permissions(new Set(capabilities), false);
perms.capabilities.add(policyType);
/* TODO: handle contextual permissions
if (documentUrl) {
let context = new URL(documentUrl).origin;
let contextualSites = new Sites([context, perms]);
perms = new Permissions(new Set(capabilities), false, contextualSites);
}
*/
ns.policy.set(key, perms);
ns.savePolicy();
}
return true;
case "canScript":
let records = TabStatus.map.get(sender.tab.id);
debug("Records.noscriptFrames %o, canScript: %s", records && records.noscriptFrames, !(records && records.noscriptFrames[sender.frameId]));
return !(records && records.noscriptFrames[sender.frameId]);
}
},
async reportTo(request, allowed, policyType) {
let {requestId, tabId, frameId, type, url, documentUrl, originUrl} = request;
let pending = pendingRequests.get(requestId); // null if from a CSP report
let initialUrl = pending ? pending.initialUrl : request.url;
request = {
key: Policy.requestKey(url, type, documentUrl || "", /^(media|object|frame)$/.test(type)),
type, url, documentUrl, originUrl
};
if (tabId < 0) return;
if (pending) request.initialUrl = pending.initialUrl;
try {
browser.tabs.sendMessage(
tabId,
{type: "seen", request, allowed, policyType, ownFrame: true},
{frameId}
);
} catch (e) {
debug(`Couldn't deliver "seen" message for ${type}@${url} ${allowed ? "A" : "F" } to document ${documentUrl} (${frameId}/${tabId}`, e);
}
if (frameId === 0) return;
try {
browser.tabs.sendMessage(
tabId,
{type: "seen", request, allowed, policyType},
{frameId: 0}
);
} catch (e) {
debug(`Couldn't deliver "seen" message to top frame containing ${documentUrl} (${frameId}/${tabId}`, e);
}
}
};
browser.runtime.onMessage.addListener(Content.hearFrom);
const pendingRequests = new Map();
function initPendingRequest(request) {
let {requestId, url} = request;
let redirected = pendingRequests.get(requestId);
let initialUrl = redirected ? redirected.initialUrl : url;
pendingRequests.set(requestId, {
url, redirected,
onCompleted: new Set(),
});
return redirected;
}
const ABORT = {cancel: true}, ALLOW = {};
const listeners = {
onBeforeRequest(request) {
try {
let redirected = initPendingRequest(request);
let {policy} = ns;
let policyType = policyTypesMap[request.type];
if (policyType) {
let {url, originUrl, documentUrl} = request;
if (("fetch" === policyType || "frame" === policyType) &&
(url === originUrl && originUrl === documentUrl ||
/^(?:chrome|resource|moz-extension|about):/.test(originUrl))
) {
// livemark request or similar browser-internal, always allow;
return ALLOW;
}
if (/^(?:data|blob):/.test(url)) {
request._dataUrl = url;
request.url = url = documentUrl;
}
let allowed = !ns.isEnforced(request.tabId) ||
policy.can(url, policyType, originUrl);
Content.reportTo(request, allowed, policyType);
if (!allowed) {
debug(`Blocking ${policyType}`, request);
TabStatus.record(request, "blocked");
return ABORT;
}
}
} catch (e) {
error(e);
}
return ALLOW;
},
async onHeadersReceived(request) {
// called for main_frame, sub_frame and object
debug("onHeadersReceived", request);
try {
let header, blocker;
let responseHeaders = request.responseHeaders;
let content = {}
for (let h of responseHeaders) {
if (CSP.isMine(h)) {
header = h;
h.value = CSP.inject(h.value, "");
} else if (/^\s*Content-(Type|Disposition)\s*$/i.test(h.name)) {
content[h.name.split("-")[1].trim().toLowerCase()] = h.value;
}
}
if (ns.isEnforced(request.tabId)) {
let policy = ns.policy;
let perms = policy.get(request.url, request.documentUrl).perms;
if (policy.autoAllowTop && request.frameId === 0 && perms === policy.DEFAULT) {
policy.set(Sites.optimalKey(request.url), perms = policy.TRUSTED.tempTwin);
}
let {capabilities} = perms;
let canScript = capabilities.has("script");
let blockedTypes;
let forbidData = FORBID_DATAURI_TYPES.filter(t => !capabilities.has(t));
if (!content.disposition &&
(!content.type || /^\s*(?:video|audio|application)\//.test(content.type))) {
debug(`Suspicious content type "%s" in request %o with capabilities %o`,
content.type, request, capabilities);
blockedTypes = CSP.types.filter(t => !capabilities.has(t));
} else if(!canScript) {
blockedTypes = ["script"];
forbidData.push("object"); // data: URIs loaded in objects may run scripts
}
for (let type of forbidData) { // object, font, media
// HTTP is blocked in onBeforeRequest, let's allow it only and block
// for instance data: and blob: URIs
let dataBlocker = {name: type, value: "http: https:"};
if (blockedTypes) blockedTypes.push(dataBlocker)
else blockedTypes = [dataBlocker];
}
debug("Blocked types", blockedTypes);
if (blockedTypes && blockedTypes.length) {
blocker = CSP.createBlocker(...blockedTypes);
}
if (canScript) {
if (!capabilities.has("webgl")) {
await RequestUtil.executeOnStart(request, {
file: "/content/webglHook.js"
});
}
if (!capabilities.has("media")) {
await RequestUtil.executeOnStart(request, {
code: "window.mediaBlocker = true;"
});
}
await RequestUtil.executeOnStart(request, {
file: "content/media.js"
});
}
}
debug(`CSP blocker:`, blocker);
if (blocker) {
if (header) {
header.value = CSP.inject(header.value, blocker);
} else {
header = {name: CSP.name, value: blocker};
responseHeaders.push(header);
}
}
if (header) return {responseHeaders};
} catch (e) {
error(e, "Error in onHeadersReceived", uneval(request));
}
return ALLOW;
},
onResponseStarted(request) {
if (request.type === "main_frame") {
TabStatus.initTab(request.tabId);
}
let scriptBlocked = request.responseHeaders.some(
h => CSP.isMine(h) && CSP.blocks(h.value, "script")
);
debug("%s scriptBlocked=%s setting noscriptFrame on ", request.url, scriptBlocked, request.tabId, request.frameId);
TabStatus.record(request, "noscriptFrame", scriptBlocked);
pendingRequests.get(request.requestId).scriptBlocked = scriptBlocked;
},
onCompleted(request) {
let {requestId} = request;
if (pendingRequests.has(requestId)) {
let r = pendingRequests.get(requestId);
pendingRequests.delete(requestId);
for (let callback of r.onCompleted) {
try {
callback(request, r);
} catch (e) {
error(e);
}
}
}
},
onErrorOccurred(request) {
pendingRequests.delete(request.requestId);
}
};
function fakeRequestFromCSP(report, request) {
let type = report["violated-directive"].split("-", 1)[0]; // e.g. script-src 'none' => script
if (type === "frame") type = "sub_frame";
let url = report['blocked-uri'];
if (url === 'self') url = request.documentUrl;
return Object.assign({}, request, {
url,
type,
});
}
async function onViolationReport(request) {
try {
let decoder = new TextDecoder("UTF-8");
const report = JSON.parse(decoder.decode(request.requestBody.raw[0].bytes))['csp-report'];
let csp = report["original-policy"]
debug("CSP report", report);
if (report['blocked-uri'] !== 'self') {
let r = fakeRequestFromCSP(report, request);
Content.reportTo(r, false, policyTypesMap[r.type]);
TabStatus.record(r, "blocked");
} else if (report["violated-directive"] === "script-src 'none'") {
let r = fakeRequestFromCSP(report, request);
TabStatus.record(r, "noscriptFrame", true);
}
} catch(e) {
error(e);
}
return ABORT;
}
const RequestGuard = {
async start() {
let wr = browser.webRequest;
let listen = (what, ...args) => wr[what].addListener(listeners[what], ...args);
let allUrls = ["<all_urls>"];
let docTypes = ["main_frame", "sub_frame", "object"];
listen("onBeforeRequest",
{urls: allUrls, types: allTypes},
["blocking"]
);
listen("onHeadersReceived",
{urls: allUrls, types: docTypes},
["blocking", "responseHeaders"]
);
listen("onResponseStarted",
{urls: allUrls, types: docTypes},
["responseHeaders"]
);
listen("onCompleted",
{urls: allUrls, types: allTypes},
);
listen("onErrorOccurred",
{urls: allUrls, types: allTypes},
);
wr.onBeforeRequest.addListener(onViolationReport,
{urls: [REPORT_URI], types: ["csp_report"]}, ["blocking", "requestBody"]);
TabStatus.probe();
},
stop() {
let wr = browser.webRequest;
for (let [name, listener] of Object.entries(this.listeners)) {
wr[name].removeListener(listener);
}
wr.onBeforeRequest.removeListener(onViolationReport);
}
};
return RequestGuard;
})();
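Review bot: stop(), near the end of this hunk, iterates Object.entries(this.listeners), but the returned RequestGuard object only has start and stop; listeners is a closure constant, so this.listeners is undefined and stop() throws before any listener is removed. Iterate the closure variable instead, i.e. Object.entries(listeners). Two further points: initPendingRequest() computes initialUrl but never stores it in the pendingRequests entry, so the pending.initialUrl read in Content.reportTo() is always undefined; and CSP.end emits "report-to" followed by REPORT_URI, whereas the report-to directive takes a reporting group name, while REPORT_TO is defined at the top and not referenced anywhere in the visible lines.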

130
src/bg/RequestUtil.js Normal file
View File

@ -0,0 +1,130 @@
'use strict';
{
let runningScripts = new Map();
var RequestUtil = {
async executeOnStart(request, details) {
let {requestId, tabId, frameId} = request;
details = Object.assign({
runAt: "document_start",
frameId,
}, details);
browser.tabs.executeScript(tabId, details);
return;
let filter = browser.webRequest.filterResponseData(requestId);
filter.onstart = event => {
browser.tabs.executeScript(tabId, details);
debug("Execute on start", details);
filter.write(new Uint8Array());
};
filter.ondata = event => {
filter.write(event.data);
filter.disconnect();
}
},
async executeOnStartCS(request, details) {
let {url, requestId, tabId, frameId} = request;
let urlObj = new URL(url);
if (urlObj.hash || urlObj.port || urlObj.username) {
urlObj.hash = urlObj.port = urlObj.username = "";
url = urlObj.toString();
}
let wr = browser.webRequest;
let filter = {
urls: [`${urlObj.origin}/*`],
types: ["main_frame", "sub_frame", "object"]
};
let finalize;
let cleanup = r => {
if (cleanup && r.requestId === requestId) {
wr.onCompleted.removeListener(cleanup);
wr.onErrorOccurred.removeListener(cleanup);
cleanup = null;
if (finalize) {
finalize();
}
}
};
wr.onCompleted.addListener(cleanup, filter);
wr.onErrorOccurred.addListener(cleanup, filter);
details = Object.assign({
runAt: "document_start",
frameId,
}, details);
if (browser.contentScripts) {
let js = [{}];
if (details.file) js[0].file = details.file;
else if (details.code) js[0].code = details.code;
let settings = {
"runAt": details.runAt,
js,
matches: [url],
allFrames: frameId !== 0,
}
// let's try to avoid duplicates
let key = JSON.stringify(settings);
if (runningScripts.has(key)) {
let scriptRef = runningScripts.get(key);
scriptRef.count++;
return;
}
if (settings.allFrames) {
// let's check whether the same script is registered for top frames:
// if it is, let's unregister it first to avoid duplicates
settings.allFrames = false;
let topKey = JSON.stringify(settings);
settings.allFrames = true;
if (runningScripts.has(topKey)) {
let topScript = runningScripts.get(topKey);
try {
topScript.unregister();
} catch (e) {
error(e);
} finally {
runningScripts.delete(topKey);
}
}
}
let script = await browser.contentScripts.register(settings);
debug("Content script %o registered.", settings);
finalize = () => {
debug("Finalizing content script %o...", settings);
try {
script.unregister();
runningScripts.delete(key);
debug("Content script %o unregistered!", settings);
} finally {
finalize = null;
}
}
runningScripts.set(key, script);
if (!cleanup) { // the request has already been interrupted
finalize();
}
return;
}
function listener(r) {
if (r.requestId === requestId) {
browser.tabs.executeScript(tabId, details);
finalize();
finalize = null;
}
}
finalize = () => {
wr.onResponseStarted.removeListener(listener);
}
wr.onResponseStarted.addListener(listener, filter);
debug("Executing %o", details);
},
}
}
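Review bot: in executeOnStart() everything after the bare "return;" is unreachable, so the filterResponseData() path never runs, and the executeScript() call before it is not awaited, which means callers that await executeOnStart() neither wait for the injection nor see its rejection. Either delete the dead block or drop the early return, and return the executeScript() promise. In executeOnStartCS() the duplicate path does scriptRef.count++ on an object whose count is never initialised and never checked in finalize(), so the first request to complete unregisters a script that other in-flight requests still rely on.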

125
src/bg/Settings.js Normal file
View File

@ -0,0 +1,125 @@
var Settings = {
async import(data) {
// figure out whether it's just a whitelist, a legacy backup or a "Quantum" export
try {
let json = JSON.parse(data);
if (json.whitelist) {
return await this.importLegacy(json);
}
if (json.trusted) {
return await this.importPolicy(json);
}
if (json.policy) {
return await this.importSettings(json);
}
} catch (e) {
return await this.importLists(data);
}
},
async importLegacy(json) {
await include("/legacy/Legacy.js");
if (await Legacy.import(json)) {
try {
ns.policy = Legacy.migratePolicy();
await ns.savePolicy();
await Legacy.persist();
return true;
} catch (e) {
error(e, "Importing legacy settings");
Legacy.migrated = Legacy.undo;
}
}
return false;
},
async importLists(data) {
await include("/legacy/Legacy.js");
try {
let [trusted, untrusted] = Legacy.extractLists(data.split("[UNTRUSTED]"));
let policy = ns.policy;
for (let site of trusted) {
policy.set(site, policy.TRUSTED);
}
for (let site of untrusted) {
policy.set(site, policy.UNTRUSTED, true);
}
await ns.savePolicy();
} catch (e) {
error(e, "Importing white/black lists %s", data);
return false;
}
return true;
},
async importPolicy(json) {
try {
ns.policy = new Policy(json);
await ns.savePolicy();
return true;
} catch (e) {
error(e, "Importing policy %o", json);
}
},
async importSettings(json) {
try {
await this.update(json);
return true;
} catch (e) {
error(e, "Importing settings %o", json);
}
return false;
},
async update(settings) {
let {
policy,
xssUserChoices,
tabId,
unrestrictedTab,
reloadAffected,
} = settings;
if (xssUserChoices) await XSS.saveUserChoices(xssUserChoices);
if (policy) {
ns.policy = new Policy(policy);
await ns.savePolicy();
}
if (typeof unrestrictedTab === "boolean") {
ns.unrestrictedTabs[settings.unrestrictedTab ? "add" : "delete"](tabId);
}
if (reloadAffected) {
browser.tabs.reload(tabId);
}
let oldDebug = ns.local.debug;
await Promise.all(["local", "sync"].map(
storage => (settings[storage] || // changed or...
settings[storage] === null // ... needs reset to default
) && ns.save(
ns[storage] = settings[storage] || ns.defaults[storage])
));
if (ns.local.debug !== oldDebug) {
await include("/lib/log.js");
if (oldDebug) debug = () => {};
}
if (ns.sync.xss) {
XSS.start();
} else {
XSS.stop();
}
},
export() {
return JSON.stringify({
policy: ns.policy.dry(),
local: ns.local,
sync: ns.sync,
xssUserChoices: XSS.getUserChoices(),
}, null, 2);
},
}
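
Review bot: importSettings() passes the parsed file straight to update(), which also acts on tabId, unrestrictedTab and reloadAffected, so an imported file can change per-tab state that export() never writes. On the import path, copy only the keys export() produces (policy, local, sync, xssUserChoices) before calling update(). importLists() likewise marks every whitespace-separated token of any input that fails JSON.parse as trusted without running it through Sites.isValid(). Two smaller points: import() returns undefined when the JSON parses but has none of whitelist, trusted or policy, and importPolicy() returns undefined on failure where importLegacy() and importSettings() return false.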

37
src/bg/defaults.js Normal file

@ -0,0 +1,37 @@
'use strict';
ns.defaults = (async () => {
let defaults = {
local: {
debug: false,
showCtxMenuItem: true,
showCountBadge: true,
showFullAddresses: false,
},
sync: {
"global": false,
"xss": true,
"clearclick": true
}
};
let defaultsClone = JSON.parse(JSON.stringify(defaults));
for (let [k, v] of Object.entries(defaults)) {
let store = await Storage.get(k, k);
if (k in store) {
Object.assign(v, store[k]);
}
v.storage = k;
}
Object.assign(ns, defaults);
// dynamic settings
if (!ns.local.uuid) {
await include("/lib/uuid.js");
ns.local.uuid = uuid();
await ns.save(ns.local);
}
return ns.defaults = defaultsClone;
})();
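
Review bot: defaultsClone is taken before the loop sets v.storage = k, so the objects published as ns.defaults carry no storage property. Settings.update() falls back to ns.defaults[storage] when a store is reset with null, and ns.save() does nothing unless obj.storage is set, so a reset to defaults is applied in memory but never persisted; it also makes ns.local or ns.sync alias the shared defaults object. Set storage on the clone as well, and copy the defaults on reset instead of assigning them.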

282
src/bg/main.js Normal file

@ -0,0 +1,282 @@
var ns = (() => {
'use strict';
const popupURL = browser.extension.getURL("/ui/popup.html");
let popupFor = tabId => `${popupURL}#tab${tabId}`;
let ctxMenuId = "noscript-ctx-menu";
async function toggleCtxMenuItem(show = ns.local.showCtxMenuItem) {
if (!"contextMenus" in browser) return;
let id = ctxMenuId;
try {
await browser.contextMenus.remove(id);
} catch (e) {}
if (show) {
browser.contextMenus.create({
id,
title: "NoScript",
contexts: ["all"]
});
}
}
async function init() {
let policyData = (await Storage.get("sync", "policy")).policy;
if (policyData && policyData.DEFAULT) {
ns.policy = new Policy(policyData);
} else {
await include("/legacy/Legacy.js");
ns.policy = await Legacy.createOrMigratePolicy();
ns.savePolicy();
}
await include("/bg/defaults.js");
await ns.defaults;
await include(["/bg/RequestGuard.js", "/bg/RequestUtil.js"]);
await RequestGuard.start();
await XSS.start(); // we must start it anyway to initialize sub-objects
if (!ns.sync.xss) {
XSS.stop();
}
Commands.install();
};
var Commands = {
openPageUI() {
try {
browser.browserAction.openPopup();
return;
} catch (e) {
debug(e);
}
browser.windows.create({
url: popupURL,
width: 800,
height: 600,
type: "panel"
});
},
togglePermissions() {},
install() {
if ("command" in browser) {
// keyboard shortcuts
browser.commands.onCommand.addListener(cmd => {
if (cmd in Commands) {
Commands[cmd]();
}
});
}
if ("contextMenus" in browser) {
toggleCtxMenuItem();
browser.contextMenus.onClicked.addListener((info, tab) => {
if (info.menuItemId == ctxMenuId) {
this.openPageUI();
}
});
}
// wiring main UI
let ba = browser.browserAction;
if ("setIcon" in ba) {
//desktop
ba.setPopup({
popup: popupURL
});
} else {
// mobile
ba.onClicked.addListener(async tab => {
try {
await browser.tabs.remove(await browser.tabs.query({
url: popupURL
}));
} catch (e) {}
await browser.tabs.create({
url: popupFor(tab.id)
});
});
}
}
}
var MessageHandler = {
responders: {
async updateSettings(settings, sender) {
await Settings.update(settings);
toggleCtxMenuItem();
},
async broadcastSettings({
tabId = -1
}) {
let policy = ns.policy.dry(true);
let seen = tabId !== -1 ? await ns.collectSeen(tabId) : null;
let xssUserChoices = await XSS.getUserChoices();
browser.runtime.sendMessage({
type: "settings",
policy,
seen,
xssUserChoices,
local: ns.local,
sync: ns.sync,
unrestrictedTab: ns.unrestrictedTabs.has(tabId),
});
},
exportSettings(m, sender, sendResponse) {
sendResponse(Settings.export());
return false;
},
async importSettings({
data
}) {
return await Settings.import(data);
},
async openStandalonePopup() {
let win = await browser.windows.getLastFocused({
windowTypes: ["normal"]
});
let [tab] = (await browser.tabs.query({
lastFocusedWindow: true,
active: true
}));
if (!tab || tab.id === -1) {
log("No tab found to open the UI for");
return;
}
browser.windows.create({
url: popupFor(tab.id),
width: 800,
height: 600,
top: win.top + 48,
left: win.left + 48,
type: "panel"
});
}
},
onMessage(m, sender, sendResponse) {
let {
type
} = m;
let {
responders
} = MessageHandler;
if (type && (type = type.replace(/^NoScript\./, '')) in responders) {
return responders[type](m, sender, sendResponse);
} else {
debug("Received unkown message", m, sender);
}
return false;
},
listen() {
browser.runtime.onMessage.addListener(this.onMessage);
},
}
return {
running: false,
policy: null,
local: null,
sync: null,
unrestrictedTabs: new Set(),
isEnforced(tabId = -1) {
return this.policy.enforced && (tabId === -1 || !this.unrestrictedTabs.has(tabId));
},
async start() {
if (this.running) return;
this.running = true;
let initializing = init();
let wr = browser.webRequest;
let waitForPolicy = async r => {
try {
await initializing;
} catch (e) {
error(e);
}
}
wr.onBeforeRequest.addListener(waitForPolicy, {
urls: ["<all_urls>"]
}, ["blocking"]);
await initializing;
wr.onBeforeRequest.removeListener(waitForPolicy);
await include("/bg/Settings.js");
MessageHandler.listen();
log("STARTED");
this.devMode = (await browser.management.getSelf()).installType === "development";
if (this.local.debug) {
if (this.devMode) {
include("/test/run.js");
}
} else {
debug = () => {}; // suppress verbosity
}
},
stop() {
if (!this.running) return;
this.running = false;
RequestGuard.stop();
log("STOPPED");
},
async savePolicy() {
if (this.policy) {
await Storage.set("sync", {
policy: this.policy.dry()
});
await browser.webRequest.handlerBehaviorChanged()
}
return this.policy;
},
async save(obj) {
if (obj && obj.storage) {
let toBeSaved = {
[obj.storage]: obj
};
Storage.set(obj.storage, toBeSaved);
}
return obj;
},
async collectSeen(tabId) {
try {
let seen = Array.from(await browser.tabs.sendMessage(tabId, {
type: "collect"
}, {
frameId: 0
}));
debug("Collected seen", seen);
return seen;
} catch (e) {
// probably a page where content scripts cannot run, let's open the options instead
error(e, "Cannot collect noscript activity data");
}
return null;
},
};
})();
ns.start();
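
Review bot: The updateSettings and importSettings responders accept the sender argument but never check it, so the background page applies settings from any context that can send a runtime message, content scripts included. In onMessage, verify that sender.url is one of the extension's own pages before dispatching the settings responders, and test Object.prototype.hasOwnProperty.call(responders, type) rather than using the in operator, which also matches inherited names such as toString. Separately, !"contextMenus" in browser in toggleCtxMenuItem() parses as (!"contextMenus") in browser and never returns early, install() tests "command" in browser while the API it then uses is browser.commands, and the mobile click handler passes Tab objects from tabs.query() to tabs.remove(), which expects tab ids.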

30
src/common/Entities.js Normal file

@ -0,0 +1,30 @@
var Entities = {
get htmlNode() {
delete this.htmlNode;
return this.htmlNode = document.implementation.createHTMLDocument("")
.createElement("body");
},
convert: function(e) {
try {
this.htmlNode.innerHTML = e;
var child = this.htmlNode.firstChild || null;
return child && child.nodeValue || e;
} catch(ex) {
return e;
}
},
convertAll: function(s) {
return s.replace(/[\\&][^<>]+/g, function(e) { return Entities.convert(e) });
},
convertDeep: function(s) {
for (var prev = null; (s = this.convertAll(s)) !== prev || (s = unescape(s)) !== prev; prev = s);
return s;
},
neutralize: function(e, whitelist) {
var c = this.convert(e);
return (c == e) ? c : (whitelist && whitelist.test(c) ? e : e.replace(";", ","));
},
neutralizeAll: function(s, whitelist) {
return s.replace(/&[\w#-]*?;/g, function(e) { return Entities.neutralize(e, whitelist || null); });
}
};
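
Review bot: convert() assigns untrusted input to innerHTML, which is only safe because htmlNode is created from document.implementation.createHTMLDocument("") and never attached to the live page. That invariant is not stated anywhere in the hunk; add a comment on the htmlNode getter so a later refactor to document.createElement() does not turn this into a parse inside the active document. convertDeep() also relies on the deprecated unescape(); a short comment on why it is needed here (it also decodes %uXXXX) would help.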

390
src/common/Policy.js Normal file

@ -0,0 +1,390 @@
var {Permissions, Policy, Sites} = (() => {
'use strict';
const SECURE_DOMAIN_PREFIX = "§:";
const SECURE_DOMAIN_RX = new RegExp(`^${SECURE_DOMAIN_PREFIX}`);
const DOMAIN_RX = new RegExp(`(?:^\\w+://|${SECURE_DOMAIN_PREFIX})?([^/]*)`, "i");
const SKIP_RX = /^(?:(?:about|chrome|resource|moz-.*):|\[System)/;
class Sites extends Map {
static secureDomainKey(domain) {
return domain.includes(":") ? domain : `${SECURE_DOMAIN_PREFIX}${domain}`;
}
static isSecureDomainKey(domain) {
return domain.startsWith(SECURE_DOMAIN_PREFIX);
}
static toggleSecureDomainKey(domain, b = !Sites.isSecureDomainKey(domain)) {
return b ? Sites.secureDomainKey(domain) : domain.replace(SECURE_DOMAIN_RX, '');
}
static isValid(site) {
return /^(?:https?:(?:\/\/)?)?([\w\u0100-\uf000][\w\u0100-\uf000.-]*)?[\w\u0100-\uf000](?::\d+)?$/.test(site);
}
static parse(site) {
let url, siteKey = "";
if (site instanceof URL) {
url = site;
} else {
try {
url = new URL(site);
} catch (e) {
siteKey = typeof site === "string" ? site : site.toString();
}
}
if (url) {
let path = url.pathname;
siteKey = url.origin;
if (path !== '/') siteKey += path;
}
return {url, siteKey};
}
static optimalKey(site) {
let {url, siteKey} = Sites.parse(site);
if (url && url.protocol === "https:") return Sites.secureDomainKey(tld.getDomain(url.hostname));
return url && url.origin || siteKey;
}
static origin(site) {
try {
return new URL(site).origin;
} catch (e) {};
return site;
}
static toExternal(url) { // domains are stored in punycode internally
let s = typeof url === "string" ? url : url && url.toString() || "";
if (s.startsWith(SECURE_DOMAIN_PREFIX)) s = s.substring(SECURE_DOMAIN_PREFIX.length);
let [,domain] = DOMAIN_RX.exec(s);
return domain.startsWith("xn--") ?
s.replace(domain, punycode.toUnicode(domain))
: s;
}
set(k, v) {
if (!k || SKIP_RX.test(k)) return this;
let [,domain] = DOMAIN_RX.exec(k);
if (/[^\u0000-\u007f]/.test(domain)) {
k = k.replace(domain, punycode.toASCII(domain));
}
return super.set(k, v);
}
match(site) {
if (site && this.size) {
if (this.has(site)) return site;
let {url, siteKey} = Sites.parse(site);
if (site !== siteKey && this.has(siteKey)) {
return siteKey;
}
if (url) {
let {origin} = url;
if (origin && origin !== "null" && origin < siteKey && this.has(origin)) {
return origin;
}
let domain = this.domainMatch(url);
if (domain) return domain;
let protocol = url.protocol;
if (this.has(protocol)) {
return protocol;
}
}
}
return null;
}
domainMatch(url) {
let {protocol, hostname} = url;
if (!hostname) return null;
let secure = protocol === "https:";
for (let domain = hostname;;) {
if (this.has(domain)) {
return domain;
}
if (secure) {
let ssDomain = Sites.secureDomainKey(domain);
if (this.has(ssDomain)) {
return ssDomain;
}
}
let dotPos = domain.indexOf(".");
if (dotPos === -1) {
break;
}
domain = domain.substring(dotPos + 1); // sub
if (!domain) {
break;
}
}
return null;
}
dry() {
let dry;
if (this.size) {
dry = Object.create(null);
for (let [key, perms] of this) {
dry[key] = perms.dry();
}
}
return dry;
}
static hydrate(dry, obj = new Sites()) {
if (dry) {
for (let [key, dryPerms] of Object.entries(dry)) {
obj.set(key, Permissions.hydrate(dryPerms));
}
}
return obj;
}
}
class Permissions {
constructor(capabilities, temp = false, contextual = null) {
this.capabilities = new Set(capabilities);
this.temp = temp;
this.contextual = contextual instanceof Sites ? contextual : new Sites(contextual);
}
dry() {
return {capabilities: [...this.capabilities], contextual: this.contextual.dry(), temp: this.temp};
}
static hydrate(dry = {}, obj = null) {
let capabilities = new Set(dry.capabilities);
let contextual = Sites.hydrate(dry.contextual);
let temp = dry.temp;
return obj ? Object.assign(obj, {capabilities, temp, contextual, _tempTwin: undefined})
: new Permissions(capabilities, temp, contextual);
}
static typed(capability, type) {
let [capName] = capability.split(":");
return `${capName}:${type}`;
}
allowing(capability) {
return this.capabilities.has(capability);
}
set(capability, enabled = true) {
if (enabled) {
this.capabilities.add(capability);
} else {
this.capabilities.delete(capability);
}
return enabled;
}
get tempTwin() {
return this._tempTwin || (this._tempTwin = new Permissions(this.capabilities, true, this.contextual));
}
}
Permissions.ALL = ["script", "object", "media", "frame", "font", "webgl", "fetch", "other"];
Permissions.IMMUTABLE = {
UNTRUSTED: {
"script": false,
"object": false,
"webgl": false,
"fetch": false,
"other": false,
},
TRUSTED: {
"script": true,
}
};
Object.freeze(Permissions.ALL);
function defaultOptions() {
return {
sites:{
trusted: `addons.mozilla.org
afx.ms ajax.aspnetcdn.com
ajax.googleapis.com bootstrapcdn.com
code.jquery.com firstdata.com firstdata.lv gfx.ms
google.com googlevideo.com gstatic.com
hotmail.com live.com live.net
maps.googleapis.com mozilla.net
netflix.com nflxext.com nflximg.com nflxvideo.net
noscript.net
outlook.com passport.com passport.net passportimages.com
paypal.com paypalobjects.com
securecode.com securesuite.net sfx.ms tinymce.cachefly.net
wlxrs.com
yahoo.com yahooapis.com
yimg.com youtube.com ytimg.com`.split(/\s+/).map(Sites.secureDomainKey),
untrusted: [],
custom: {},
},
DEFAULT: new Permissions(["frame", "fetch", "other"]),
TRUSTED: new Permissions(Permissions.ALL),
UNTRUSTED: new Permissions(),
enforced: true,
autoAllowTop: false,
};
}
function normalizePolicyOptions(dry) {
let options = Object.assign({}, dry);
for (let p of ["DEFAULT", "TRUSTED", "UNTRUSTED"]) {
options[p] = dry[p] instanceof Permissions ? dry[p] : Permissions.hydrate(dry[p]);
}
if (typeof dry.sites === "object" && !(dry.sites instanceof Sites)) {
let {trusted, untrusted, temp, custom} = dry.sites;
let sites = Sites.hydrate(custom);
for (let key of trusted) sites.set(key, options.TRUSTED);
for (let key of untrusted) sites.set(key, options.UNTRUSTED);
if (temp) {
let tempPreset = options.TRUSTED.tempTwin;
for (let key of temp) sites.set(key, tempPreset);
}
options.sites = sites;
}
enforceImmutable(options);
return options;
}
function enforceImmutable(policy) {
for (let [preset, filter] of Object.entries(Permissions.IMMUTABLE)) {
let presetCaps = policy[preset].capabilities;
for (let [cap, value] of Object.entries(filter)) {
if (value) presetCaps.add(cap);
else presetCaps.delete(cap);
}
}
}
class Policy {
constructor(options = defaultOptions()) {
Object.assign(this, normalizePolicyOptions(options));
}
static hydrate(dry, policyObj) {
return policyObj ? Object.assign(policyObj, normalizePolicyOptions(dry))
: new Policy(dry);
}
dry(includeTemp = false) {
let trusted = [],
temp = [],
untrusted = [],
custom = Object.create(null);
const {DEFAULT, TRUSTED, UNTRUSTED} = this;
for(let [key, perms] of this.sites) {
if (!includeTemp && perms.temp) {
continue;
}
switch(perms) {
case TRUSTED:
trusted.push(key);
break;
case TRUSTED.tempTwin:
temp.push(key);
break;
case UNTRUSTED:
untrusted.push(key);
break;
case DEFAULT:
break;
default:
custom[key] = perms.dry();
}
}
let sites = {
trusted,
untrusted,
custom
};
if (includeTemp) {
sites.temp = temp;
}
enforceImmutable(this);
return {
DEFAULT: DEFAULT.dry(),
TRUSTED: TRUSTED.dry(),
UNTRUSTED: UNTRUSTED.dry(),
sites,
enforced: this.enforced,
autoAllowTop: this.autoAllowTop,
};
}
static requestKey(url, type, documentUrl, includePath = false) {
url = includePath ? Sites.parse(url).siteKey : Sites.origin(url);
return `${type}@${url}<${Sites.origin(documentUrl)}`;
}
static explodeKey(requestKey) {
let [, type, url, documentUrl] = /(\w+)@([^<]+)<(.*)/.exec(requestKey);
return {url, type, documentUrl};
}
set(site, perms, cascade = false) {
let sites = this.sites;
let {url, siteKey} = Sites.parse(site);
sites.delete(siteKey);
if (perms === this.UNTRUSTED) {
cascade = true;
Sites.toggleSecureDomainKey(siteKey, false);
}
if (cascade && !url) {
for (let subMatch; (subMatch = sites.match(siteKey));) {
sites.delete(subMatch);
}
}
if (!perms || perms === this.DEFAULT) {
perms = this.DEFAULT;
} else {
sites.set(siteKey, perms);
}
return {siteKey, perms};
}
get(site, ctx = null) {
let perms, contextMatch;
let siteMatch = !(this.onlySecure && /^\w+tp:/i.test(site)) && this.sites.match(site);
if (siteMatch) {
perms = this.sites.get(siteMatch);
if (ctx) {
contextMatch = perms.contextual.match(ctx);
if (contextMatch) perms = perms.contextual.get(ctx);
}
} else {
perms = this.DEFAULT;
}
return {perms, siteMatch, contextMatch};
}
can(url, capability = "script", ctx = null) {
return !this.enforced ||
this.get(url, ctx).perms.allowing(capability);
}
get snapshot() {
return JSON.stringify(this.dry(true));
}
equals(other) {
this.snapshot === other.snapshot;
}
}
return {Permissions, Policy, Sites};
})();
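
Review bot: In Policy.get(), contextMatch holds the key returned by perms.contextual.match(ctx), but the lookup that follows is perms.contextual.get(ctx); whenever the match is a domain or origin key rather than the literal ctx string this returns undefined, and can() then throws on .allowing. Use perms.contextual.get(contextMatch). Also, equals() is missing its return and always yields undefined, and in set() the result of Sites.toggleSecureDomainKey(siteKey, false) is discarded, so the UNTRUSTED branch does not strip the secure prefix from siteKey.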

24
src/common/Storage.js Normal file

@ -0,0 +1,24 @@
var Storage = {
async safeOp(op, type, keys) {
try {
return await browser.storage[type][op](keys);
} catch (e) {
if (type === "sync") {
debug("Sync disabled? Falling back to local storage (%s %o)", op, keys);
} else {
error(e);
throw e;
}
}
return await browser.storage.local[op](keys);
},
async get(type, keys) {
return await this.safeOp("get", type, keys);
},
async set(type, keys) {
return await this.safeOp("set", type, keys);
}
}
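
Review bot: safeOp() falls back to browser.storage.local for a single failed sync call and keeps no record of it, so a set that landed in local is invisible to a later get that succeeds against sync, and a get that fell back returns local data as if it were the synced copy. init() in main.js treats a missing policy as a first run and saves a fresh one, so a transient sync read failure can end with the stored policy overwritten. Remember that the fallback happened (or mirror writes to local) and make get consult the same store that set used.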


@ -0,0 +1,29 @@
class SyntaxChecker {
constructor() {
this.lastError = null;
this.lastFunction = null;
this.lastScript = "";
}
check(script) {
this.lastScript = script;
try {
return !!(this.lastFunction = new Function(script));
} catch(e) {
this.lastError = e;
this.lastFunction = null;
}
return false;
}
unquote(s, q) {
// check that this is really a double or a single quoted string...
if (s.length > 1 && s.startsWith(q) && s.endsWith(q) &&
// if nothing is left if you remove all he escapes and all the stuff between quotes
s.replace(/\\./g, '').replace(/^(['"])[^\n\r]*?\1/, '') === '') {
try {
return eval(s);
} catch (e) {
}
}
return null;
}
}
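
Review bot: unquote() hands s to eval() once the regular expression has decided it is a single quoted literal, so that expression is the only thing standing between the input string and code evaluation in the extension's context. Document the invariant next to the check, cover it with tests for line continuations and nested quotes, and validate that q is exactly ' or " before using it; decoding the escapes by hand would remove the eval entirely. In check(), lastError is not cleared on success, so it can still report the error of an earlier script.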

45
src/common/locale.js Normal file

@ -0,0 +1,45 @@
'use strict';
var _ = browser.i18n.getMessage;
var i18n = (() => {
var i18n = {
// derived from http://github.com/piroor/webextensions-lib-l10n
updateString(aString) {
return aString.replace(/__MSG_(.+?)__/g, function(aMatched) {
var key = aMatched.slice(6, -2);
return _(key);
});
},
updateDOM(rootNode = document) {
var texts = document.evaluate(
'descendant::text()[contains(self::text(), "__MSG_")]',
rootNode,
null,
XPathResult.ORDERED_NODE_SNAPSHOT_TYPE,
null
);
for (let i = 0, maxi = texts.snapshotLength; i < maxi; i++)
{
let text = texts.snapshotItem(i);
text.nodeValue = this.updateString(text.nodeValue);
}
var attributes = document.evaluate(
'descendant::*/attribute::*[contains(., "__MSG_")]',
rootNode,
null,
XPathResult.ORDERED_NODE_SNAPSHOT_TYPE,
null
);
for (let i = 0, maxi = attributes.snapshotLength; i < maxi; i++)
{
let attribute = attributes.snapshotItem(i);
debug('apply', attribute);
attribute.value = this.updateString(attribute.value);
}
}
};
document.addEventListener('DOMContentLoaded', e => i18n.updateDOM());
return i18n;
})()

150
src/content/PlaceHolder.js Normal file

File diff suppressed because one or more lines are too long

71
src/content/content.css Normal file

@ -0,0 +1,71 @@
a.__NoScript_PlaceHolder__ {
outline: 2px solid #048;
color: #048;
text-decoration: none;
text-align: center;
background: rgba(255,250,200, .7) no-repeat center;
background-size: 256px;
visibility: visible !important;
cursor: pointer;
opacity: 0.8;
transition: 1s all;
}
a.__NoScript_PlaceHolder__:hover {
opacity: 1;
text-decoration: underline;
background-size: 128px;
background-position: top left;
}
a.__NoScript_PlaceHolder__.closing {
transition: .4s all;
opacity: 0;
transform: scale(0, 0);
}
a.__NoScript_PlaceHolder__ > span {
display: flex !important;
flex-direction: row;
justify-content: space-around;
align-items: center;
position: relative;
padding: 0;
margin: 0;
width: 100%;
height: 100%;
}
.__NoScript_PlaceHolder__ button {
appearance: none;
-moz-appearance: none;
border: none;
position: absolute;
top: 0;
right: 0;
display: block;
color: #800;
font-size: 16px;
font-family: sans-serif;
padding: 0 4px;
margin: 0;
background: none;
transition: .2s all;
}
.__NoScript_PlaceHolder__ button:hover {
color: white;
text-shadow: -2px 0 2px red, 2px 0 2px red;
}
.__NoScript_PlaceHolder__ > span > span {
display: block;
font-size: 18px;
background: rgba(255, 250, 200, .5);
border-radius: 8px;
padding: 8px;
margin: 0;
font-family: sans-serif;
overflow-wrap: break-word;
word-break: break-all;
}

107
src/content/content.js Normal file

@ -0,0 +1,107 @@
'use strict';
// debug = () => {}; // XPI_ONLY
var _ = browser.i18n.getMessage;
var canScript = true;
var embeddingDocument = false;
var seen = {
_map: new Map(),
_list: null,
record(event) {
let key = event.request.key;
if (this._map.has(key)) return;
this._map.set(key, event);
this._list = null;
},
get list() {
return this._list || (this._list = [...this._map.values()]);
}
}
var handlers = {
seen(event) {
let {allowed, policyType, request, ownFrame} = event;
if (window.top === window) {
seen.record(event);
}
if (ownFrame) {
init();
if (!allowed && PlaceHolder.canReplace(policyType)) {
request.embeddingDocument = embeddingDocument;
PlaceHolder.create(policyType, request);
}
}
},
collect(event) {
let list = seen.list;
debug("COLLECT", list);
return list;
}
};
browser.runtime.onMessage.addListener(async event => {
if (event.type in handlers) {
debug("Received message", event);
return handlers[event.type](event);
}
});
if (document.readyState !== "complete") {
let pageshown = e => {
removeEventListener("pageshow", pageshown);
init();
};
addEventListener("pageshow", pageshown);
} else init();
let notifyPage = () => {
if (document.readyState === "complete") {
browser.runtime.sendMessage({type: "pageshow", seen, canScript});
return true;
}
return false;
}
async function init() {
try {
canScript = await browser.runtime.sendMessage({type: "canScript"});
init = () => {};
debug("canScript:", canScript);
} catch (e) {
// background script not initialized yet?
setTimeout(() => init(), 100);
return;
}
if (!canScript) onScriptDisabled();
seen.record({
request: {
key: "noscript-probe",
url: document.URL,
documentUrl: document.URL,
type: window === window.top ? "main_frame" : "script",
},
allowed: canScript
}
);
debug(`Loading NoScript in document %s, scripting=%s, content type %s readyState %s`,
document.URL, canScript, document.contentType, document.readyState);
if (/application|video|audio/.test(document.contentType)) {
debug("Embedding document detected");
embeddingDocument = true;
window.addEventListener("pageshow", e => {
debug("Active content still in document %s: %o", document.url, document.querySelectorAll("embed,object,video,audio"));
}, true);
// document.write("<plaintext>");
}
notifyPage() || addEventListener("pageshow", notifyPage);
};
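
Review bot: The runtime.onMessage listener is an async function, so it returns a Promise for every message, including types that are not in handlers, and therefore answers those messages with undefined; make it a plain function that returns a Promise only when event.type is handled. In notifyPage(), sendMessage() is given the seen object itself (with its _map and _list fields) where seen.list looks intended, and the pageshow debug line in init() reads document.url, which is undefined (the property is document.URL). The retry in the catch block of init() re-arms every 100 ms with no upper bound.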

59
src/content/media.js Normal file

@ -0,0 +1,59 @@
console.log("Media Hook", document.documentElement.innerHTML);
try {
(() => {
let unpatched = new Map();
function patch(obj, methodName, replacement) {
let methods = unpatched.get(obj) || {};
methods[methodName] = obj[methodName];
exportFunction(replacement, obj, {defineAs: methodName});
unpatched.set(obj, methods);
}
patch(window.console, "log", function(s, ...args) {
unpatched.get(window.console).log.call(`PATCHED ${s}`, ...args);
});
let urlMap = new WeakMap();
patch(window.URL, "createObjectURL", function(o, ...args) {
let url = unpatched.get(window.URL).createObjectURL.call(this, o, ...args);
if (o instanceof MediaSource) {
let urls = urlMap.get(o);
if (!urls) urlMap.set(o, urls = new Set());
urls.add(url);
}
return url;
});
patch(window.MediaSource.prototype, "addSourceBuffer", function(mime, ...args) {
let ms = this;
let urls = urlMap.get(ms);
let me = Array.from(document.querySelectorAll("video,audio"))
.find(e => e.srcObject === ms || urls && urls.has(e.src));
let exposedMime = `${mime} (MSE)`;
let request = {
id: "noscript-media",
type: "media",
url: document.URL,
documentUrl: document.URL,
embeddingDocument: true,
};
seen.record({policyType: "media", request, allowed: false});
notifyPage();
if (window.mediaBlocker) {
try {
let ph = PlaceHolder.create("media", request);
ph.replace(me);
PlaceHolder.listen();
} catch (e) {
error(e);
}
throw new Error(`${exposedMime} blocked by NoScript`);
}
return unpatched.get(window.MediaSource.prototype).addSourceBuffer.call(ms, mime, ...args);
});
})();
} catch (e) {
error(e, "Cannot patch MediaSource");
}
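
Review bot: The first patch() call replaces the page's console.log with a wrapper that invokes the original with the string PATCHED ${s} as its this value and drops the first argument; this looks like test scaffolding and should not ship in a content script. The console.log on the first line dumps document.documentElement.innerHTML for every document and should go too. In the addSourceBuffer hook, me can be undefined when no video or audio element matches, so guard ph.replace(me).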


@ -0,0 +1,74 @@
function onScriptDisabled() {
for (let noscript of document.querySelectorAll("noscript")) {
// force show NOSCRIPT elements content
let replacement = document.createElement("div");
replacement.innerHTML = noscript.innerHTML;
noscript.parentNode.replaceChild(replacement, noscript);
// emulate meta-refresh
let meta = replacement.querySelector('meta[http-equiv="refresh"]');
if (meta) {
let content = meta.getAttribute("content");
if (content) {
let [secs, url] = content.split(/\s*;\s*url\s*=\s*/i);
if (url) {
try {
let urlObj = new URL(url);
if (!/^https?:/.test(urlObj.protocol)) {
continue;
}
} catch (e) {
}
window.setTimeout(() => location.href = url, (parseInt(secs) || 0) * 1000);
}
}
}
}
{
let eraser = {
tapped: null,
delKey: false,
};
addEventListener("pagehide", ev => {
eraser.tapped = null;
eraser.delKey = false;
}, false);
addEventListener("keyup", ev => {
let el = eraser.tapped;
if (el && ev.keyCode === 46) {
eraser.tapped = null;
eraser.delKey = true;
let doc = el.ownerDocument;
let w = doc.defaultView;
if (w.getSelection().isCollapsed) {
let root = doc.body || doc.documentElement;
let posRx = /^(?:absolute|fixed)$/;
do {
if (posRx.test(w.getComputedStyle(el, '').position)) {
(eraser.tapped = el.parentNode).removeChild(el);
break;
}
} while ((el = el.parentNode) && el != root);
}
}
}, true);
addEventListener("mousedown", ev => {
if (ev.button === 0) {
eraser.tapped = ev.target;
eraser.delKey = false;
}
}, true);
addEventListener("mouseup", ev => {
if (eraser.delKey) {
eraser.delKey = false;
ev.preventDefault();
ev.stopPropagation();
}
eraser.tapped = null;
}, true);
}
}
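
Review bot: In the meta refresh emulation, the http/https check only runs when new URL(url) succeeds; the empty catch lets any value that fails to parse (relative URLs, for one) fall through to the location.href assignment unchecked. Resolve against the document with new URL(url, document.baseURI), use the resulting object for both the protocol test and the navigation, and skip the refresh in the catch. parseInt(secs) should also pass a radix of 10.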

31
src/content/webglHook.js Normal file
View File

@ -0,0 +1,31 @@
console.log("WebGL Hook", document.documentElement.innerHTML);
try {
let proto = HTMLCanvasElement.prototype;
let getContext = proto.getContext;
exportFunction(function(type, ...rest) {
if (type && type.toLowerCase().includes("webgl")) {
let request = {
id: "noscript-webgl",
type: "webgl",
url: document.URL,
documentUrl: document.URL,
embeddingDocument: true,
};
seen.record({policyType: "webgl", request, allowed: false});
try {
let ph = PlaceHolder.create("webgl", request);
ph.replace(this);
PlaceHolder.listen();
} catch (e) {
error(e);
}
notifyPage();
return {};
}
return getContext.call(this, type, ...rest);
}, proto, {defineAs: "getContext"});
} catch (e) {
console.error(e);
}
null;
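
Review bot: When a WebGL context is refused the hook returns {}, an object created in the content script's scope; getContext() is specified to return null when a context cannot be created, and callers test for that. Return null so pages take their normal no-WebGL path. The console.log on the first line dumps document.documentElement.innerHTML for every document and should be removed, and the catch uses console.error where the sibling media hook uses error().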

BIN
src/img/error64.png Normal file

Binary file not shown.

Size: 3.7 KiB

BIN
src/img/icon256.png Normal file

Binary file not shown.

Size: 30 KiB

BIN
src/img/icon48.png Normal file

Binary file not shown.

Size: 5.0 KiB

BIN
src/img/icon96.png Normal file

Binary file not shown.

Size: 11 KiB

Binary file not shown.

Size: 40 KiB

BIN
src/img/ui-black64.png Normal file

Binary file not shown.

Size: 5.2 KiB

BIN
src/img/ui-clock64.png Normal file

Binary file not shown.

Size: 6.3 KiB

BIN
src/img/ui-close64.png Normal file

Binary file not shown.

Size: 1.9 KiB

BIN
src/img/ui-custom64.png Normal file

Binary file not shown.

Size: 7.9 KiB

BIN
src/img/ui-global-no64.png Normal file

Binary file not shown.

Size: 4.3 KiB

BIN
src/img/ui-global64.png Normal file

Binary file not shown.

Size: 6.5 KiB

BIN
src/img/ui-http64.png Normal file

Binary file not shown.

Size: 2.6 KiB

BIN
src/img/ui-https64.png Normal file

Binary file not shown.

Size: 2.6 KiB

BIN
src/img/ui-maybe64.png Normal file

Binary file not shown.

Size: 20 KiB

BIN
src/img/ui-no64.png Normal file

Binary file not shown.

Size: 5.9 KiB

BIN
src/img/ui-part64.png Normal file

Binary file not shown.

Size: 7.2 KiB

BIN
src/img/ui-reload64.png Normal file

Binary file not shown.

Size: 2.5 KiB

Binary file not shown.

Size: 7.2 KiB

BIN
src/img/ui-sub64.png Normal file

Binary file not shown.

Size: 7.0 KiB

BIN
src/img/ui-tab-no64.png Normal file

Binary file not shown.

Size: 4.6 KiB

BIN
src/img/ui-tab64.png Normal file

Binary file not shown.

Size: 3.3 KiB

BIN
src/img/ui-temp-all64.png Normal file

Binary file not shown.

Size: 6.1 KiB

BIN
src/img/ui-temp64.png Normal file

Binary file not shown.

Size: 7.0 KiB

BIN
src/img/ui-yes64.png Normal file

Binary file not shown.

Size: 6.1 KiB

BIN
src/img/warning64.png Normal file

Binary file not shown.

Size: 2.8 KiB

147
src/legacy/Legacy.js Normal file

@ -0,0 +1,147 @@
'use strict';
var Legacy = {
async init() {
let migrated = (await browser.storage.local.get("legacyBackup")).legacyBackup;
let real = await this.import(migrated);
this.init = async () => real;
return real;
},
async import(migrated) {
if (this.migrated) this.undo = this.migrated;
this.migrated = (migrated && migrated.prefs) ? migrated : {prefs: {}};
await include("/legacy/defaults.js");
return 'whitelist' in this.migrated; // "real" migration with custom policy
},
async persist() {
await browser.storage.local.set({legacyBackup: this.migrated});
},
getPref(name, def) {
return name in this.migrated.prefs ? this.migrated.prefs[name] : def;
},
getRxPref(name, parseRx = Legacy.RX.multi, flags, def) {
let source = this.getPref(name, def);
if (source instanceof RegExp) return source;
try {
return parseRx(source, flags);
} catch (e) {
error(e, "Parsing RegExp preference %s, falling back to %s", name, def);
if (def) {
if (def instanceof RegExp) {
return def;
}
try {
return parseRx(def, flags);
} catch(e) {
error(e);
}
}
}
return null;
},
async createOrMigratePolicy() {
try {
if (await this.init()) {
return this.migratePolicy();
}
} catch (e) {
error(e);
}
return new Policy();
},
extractLists(lists) {
return lists.map(listString => listString.split(/\s+/))
.map(sites => sites.filter(s => !(s.includes(":") &&
sites.includes(s.replace(/.*:\/*(?=\w)/g, ""))
)));
},
migratePolicy() {
// here we normalize both NS whitelist and blacklist, getting finally rid of
// the legacy of CAPS mandating protocols for top-level domains
let [trusted, untrusted] = this.extractLists(
[this.migrated.whitelist, this.getPref("untrusted", "")]);
// securify default whitelist domain items
if (this.getPref("httpsDefWhitelist")) {
this.getPref("default", "").
split(/\s+/).
filter(s => !s.includes(":")).
forEach(s => {
let idx = trusted.indexOf(s);
if (idx !== -1) {
trusted[idx] = Sites.secureDomainKey(s);
}
});
}
let DEFAULT = new Permissions(["other"]);
let {capabilities} = DEFAULT;
// let's semplify object permissions now that almost everything is
// either blacklisted or C2P by the browser
if (!["Java", "Flash", "Silverlight", "Plugins"]
.find(type => this.getPref(`forbid${type}`))) {
capabilities.add("object");
}
let prefMap = {
"Fonts": "font",
"Frames": "frame",
"IFrames": "frame",
"Media": "media",
"WebGL": "webgl",
};
for (let [legacy, current] of Object.entries(prefMap)) {
if (!this.getPref(`forbid${legacy}`, true)) capabilities.add(current);
}
let TRUSTED = new Permissions(new Set(this.getPref("contentBlocker") ? capabilities : Permissions.ALL));
TRUSTED.capabilities.add("script").add("fetch");
let UNTRUSTED = new Permissions();
if (this.getPref("global")) {
if (!this.getPref("alwaysBlockUntrustedContent")) {
UNTRUSTED.capabilities = new Set(capabilities);
}
DEFAULT = new Permissions(TRUSTED.capabilities);
}
return new Policy({
sites: {untrusted, trusted, custom: {}},
DEFAULT,
TRUSTED,
UNTRUSTED,
enforced: true,
// TODO: enforce these before ESR 59 gets released
cascadePermissions: this.getPref("cascadePermissions"),
restrictSubDocScripting: this.getPref("restrictSubDocScripting"),
onlySecure: this.getPref("allowHttpsOnly")
});
},
RX: {
simple: function(s, flags) {
var anchor = /\^/.test(flags);
return new RegExp(anchor ? rxParsers.anchor(s) : s,
anchor ? flags.replace(/\^/g, '') : flags);
},
anchor: function(s) {
return /^\^|\$$/.test(s) ? s : "^" + s + "$";
},
multi: function(s, flags) {
var anchor = /\^/.test(flags);
var lines = s.split(anchor ? /\s+/ : /[\n\r]+/).filter(l => /\S/.test(l));
return new RegExp((anchor ? lines.map(rxParsers.anchor) : lines).join('|'),
anchor ? flags.replace(/\^/g, '') : flags);
}
}
}
Legacy.init();
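Review bot: In `RX.simple` and `RX.multi`, the anchored branch calls `rxParsers.anchor`, but nothing named `rxParsers` is defined in this file; the helper sits on the same object as `Legacy.RX.anchor`. Unless a global `rxParsers` is provided elsewhere, every preference parsed with a `^` flag throws a ReferenceError. `getRxPref` catches it, retries with the default through the same parser, and ends up returning `null` (unless the default is already a RegExp), so an anchored exception list or filter is dropped with only a log line. Suggest calling `Legacy.RX.anchor` directly in both places; it does not use `this`, so it is safe to pass to `lines.map(...)`.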

365
src/legacy/defaults.js Normal file

@ -0,0 +1,365 @@
'use strict';
Legacy.migrated.prefs = Object.assign(
{
"autoReload": true,
"autoReload.global": true,
"autoReload.allTabs": true,
"autoReload.allTabsOnPageAction": true,
"autoReload.allTabsOnGlobal": false,
"autoReload.onMultiContent": false,
"autoReload.useHistory": false,
"autoReload.useHistory.exceptCurrent": true,
"autoReload.embedders": 1,
"ctxMenu": true,
"statusIcon": true,
"sound": false,
"sound.oncePerSite": true,
"notify": true,
"notify.bottom": true,
"showAddress": false,
"showDomain": false,
"showTemp": true,
"showPermanent": true,
"showDistrust": true,
"showUntrusted": true,
"showBaseDomain": true,
"showAbout": true,
"showGlobal": true,
"showTempToPerm": true,
"showRevokeTemp": true,
"showBlockedObjects": true,
"showExternalFilters": true,
"showTempAllowPage": true,
"showAllowPage": true,
"mandatory": "[System+Principal] about: about:addons about:blocked about:certerror about:config about:crashes about:feeds about:home about:memory about:neterror about:plugins about:preferences about:privatebrowsing about:sessionrestore about:srcdoc about:support about:tabcrashed blob: chrome: mediasource: moz-extension: moz-safe-about: resource:",
"default": "about:blank about:pocket-saved about:pocket-signup addons.mozilla.org afx.ms ajax.aspnetcdn.com ajax.googleapis.com bootstrapcdn.com code.jquery.com firstdata.com firstdata.lv gfx.ms google.com googlevideo.com gstatic.com hotmail.com live.com live.net maps.googleapis.com mozilla.net netflix.com nflxext.com nflximg.com nflxvideo.net noscript.net outlook.com passport.com passport.net passportimages.com paypal.com paypalobjects.com securecode.com securesuite.net sfx.ms tinymce.cachefly.net wlxrs.com yahoo.com yahooapis.com yimg.com youtube.com ytimg.com",
"allowWhitelistUpdates": true,
"volatilePrivatePermissions": false,
"showVolatilePrivatePermissionsToggle": true,
"eraseFloatingElements": true,
"bgThumbs.allowed": false,
"bgThumbs.disableJS": true,
"forbidJava": true,
"forbidFlash": true,
"forbidSilverlight": true,
"forbidPlugins": true,
"forbidMedia": true,
"forbidFonts": true,
"forbidWebGL": false,
"forbidActiveContentParentTrustCheck": true,
"forbidIFrames": false,
"forbidIFramesContext": 3,
"forbidIFramesParentTrustCheck": true,
"forbidFrames": false,
"forbidMixedFrames": true,
"sound.block": "chrome://noscript/skin/block.wav",
"allowClipboard": false,
"allowLocalLinks": false,
"allowLocalLinks.from": "",
"allowLocalLinks.to": "",
"allowCachingObjects": true,
"showPlaceholder": true,
"global": false,
"globalHttpsWhitelist": false,
"confirmUnblock": true,
"confirmUnsafeReload": true,
"statusLabel": false,
"forbidBookmarklets": false,
"allowBookmarkletImports": true,
"allowBookmarks": false,
"notify.hideDelay": 5,
"notify.hidePermanent": true,
"notify.hide": false,
"truncateTitleLen": 255,
"truncateTitle": true,
"fixLinks": true,
"noping": true,
"consoleDump": 0,
"excaps": true,
"nselForce": true,
"nselNever": false,
"nselNoMeta": true,
"autoAllow": 0,
"toolbarToggle": 3,
"allowPageLevel": 0,
"forbidImpliesUntrust": false,
"keys.toggle": "ctrl shift VK_BACK_SLASH.|",
"keys.ui": "ctrl shift S",
"keys.tempAllowPage": "",
"keys.revokeTemp": "",
"menuAccelerators": false,
"forbidMetaRefresh": false,
"forbidMetaRefresh.remember": false,
"forbidMetaRefresh.notify": true,
"forbidMetaRefresh.exceptions": "^https?://(?:www|encrypted)\\.google\\.(?:[a-z]{2,3}|[a-z]{2}\\.[a-z]{2,3})/ t.co",
"contentBlocker": false,
"toggle.temp": true,
"firstRunRedirection": true,
"xss.notify": true,
"xss.notify.subframes": true,
"xss.trustReloads": false,
"xss.trustData": true,
"xss.trustExternal": true,
"xss.trustTemp": true,
"xss.checkInclusions": true,
"xss.checkInclusions.exceptions": "intensedebate.com/idc/js/",
"xss.checkCharset.exceptions": "",
"filterXPost": true,
"filterXGet": true,
"filterXGetRx": "<+(?=[^<>=\\d. /(-])|[\\\\\"\\x00-\\x07\\x09\\x0B\\x0C\\x0E-\\x1F\\x7F]",
"filterXGetUserRx": "",
"filterXExceptions": "^https?://([a-z]+)\\.google\\.(?:[a-z]{1,3}\\.)?[a-z]+/(?:search|custom|\\1)\\?\n^https?://([a-z]*)\\.?search\\.yahoo\\.com/search(?:\\?|/\\1\\b)\n^https?://[a-z]+\\.wikipedia\\.org/wiki/[^\"<>?%]+$\n^https?://translate\\.google\\.com/translate_t[^\"'<>?%]+$\n^https://secure\\.wikimedia\\.org/wikipedia/[a-z]+/wiki/[^\"<>\\?%]+$",
"filterXExceptions.blogspot": true,
"filterXExceptions.darla_name": true,
"filterXExceptions.deviantart": true,
"filterXExceptions.fbconnect": true,
"filterXExceptions.ebay": true,
"filterXExceptions.ggadgets": true,
"filterXExceptions.letitbit": true,
"filterXExceptions.livejournal": true,
"filterXExceptions.lycosmail": true,
"filterXExceptions.medicare": true,
"filterXException.photobucket": true,
"filterXExceptions.printfriendly": true,
"filterXExceptions.readability": true,
"filterXExceptions.yahoo": true,
"filterXExceptions.visa": true,
"filterXExceptions.verizon": true,
"filterXExceptions.zendesk": true,
"filterXExceptions.yt_comments": true,
"protectWindowNameXAssignment": true,
"injectionCheck": 2,
"injectionCheckPost": true,
"injectionCheckHTML": true,
"globalwarning": true,
"jsredirectIgnore": false,
"jsredirectFollow": false,
"jsredirectForceShow": false,
"removeSMILKeySniffer": true,
"utf7filter": true,
"safeJSRx": "(?:window\\.)?close\\s*\\(\\)",
"badInstall": false,
"fixURI": true,
"fixURI.exclude": "",
"urivalid.aim": "\\w[^\\\\?&\\x00-\\x1f#]*(?:\\?[^\\\\\\x00-\\x1f#]*(?:#[\\w.@+-]{2,32})?)?",
"urivalid.mailto": "[^\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]*",
"forbidExtProtSubdocs": true,
"forbidXBL": 1,
"forbidXHR": 1,
"whitelistRegExp": "",
"tempGlobal": false,
"lockPrivilegedUI": false,
"collapseObject": false,
"showUntrustedPlaceholder": true,
"jsHack": "",
"jsHackRegExp": "",
"canonicalFQDN": false,
"allowedMimeRegExp": "",
"alwaysBlockUntrustedContent": true,
"consoleLog": false,
"dropXssProtection": true,
"flashPatch": true,
"silverlightPatch": true,
"allowURLBarJS": false,
"allowURLBarImports": false,
"hideOnUnloadRegExp": "video/.*",
"untrusted": "",
"untrustedGranularity": 3,
"requireReloadRegExp": "application/x-vnd\\.moveplayer\\b.*",
"restrictSubdocScripting": false,
"cascadePermissions": false,
"secureCookies": false,
"secureCookiesExceptions": "",
"secureCookiesForced": "",
"secureCookies.recycle": false,
"secureCookies.perTab": false,
"httpsForced": "",
"httpsForcedBuiltIn": "www.youtube.com",
"httpsDefWhitelist": true,
"allowHttpsOnly": 0,
"https.showInConsole": true,
"clearClick": 3,
"clearClick.plugins": true,
"clearClick.prompt": true,
"clearClick.debug": false,
"clearClick.exceptions": ".mail.yahoo.com https://mail.google.com/ *.ebay.com *.photobucket.com .youtube.com",
"clearClick.subexceptions": "^http://bit(?:ly\\.com|\\.ly)/a/sidebar\\?u= http://*.uservoice.com/*/popin.html?* http://w.sharethis.com/share3x/lightbox.html?* http://disqus.com/embed/* *.disqus.com/*/reply.html* http://www.feedly.com/mini abine:*",
"clearClick.rapidFireCheck": true,
"clearClick.threshold": 18,
"emulateFrameBreak": true,
"stickyUI.liveReload": false,
"stickyUI": true,
"stickyUI.onKeyboard": true,
"hoverUI": true,
"hoverUI.delayEnter": 250,
"hoverUI.delayStop": 50,
"hoverUI.delayExit1": 250,
"hoverUI.delayExit2": 300,
"hoverUI.excludeToggling": true,
"ignorePorts": true,
"cp.last": true,
"sanitizePaste": true,
"surrogate.enabled": true,
"surrogate.debug": false,
"surrogate.sandbox": true,
"surrogate.2mdn.replacement": "if('Proxy' in window){let _f=function(){}; google=$S(); Object.defineProperty(google,'__noSuchMethod__',{configurable:true,enumerable:false,value:_f});let ima={};ima.AdsManagerLoadedEvent=ima.AdErrorEvent={Type:new Proxy({},{get:function(){return 0}}),};ima.settings=new Proxy({},{get:function(){return _f}});ima.AdsLoader=ima.AdsRequest=ima.AdDisplayContainer=function(){return new Proxy({},{get:function(){return _f}});};google.ima=ima;}",
"surrogate.2mdn.sources": ".2mdn.net",
"surrogate.360Haven.sources": "@www.360haven.com",
"surrogate.360Haven.replacement": "Object.defineProperty(window,'adblock',{get:function() false,set: function() false});Object.defineProperty(window,'google_ad_client',{get: function () { return $S({__noSuchMethod__: function() this})}});Object.defineProperty(window.HTMLBodyElement.prototype,'innerHTML',{get:function() ''});",
"surrogate.adagionet.sources": ".adagionet.com",
"surrogate.adagionet.replacement": "adagioWriteTag=adagioWriteBanner=function(){}",
"surrogate.addthis.sources": "^https?://(?:[^/:]+\\.)?addthis\\.com/.*addthis_widget\\.js",
"surrogate.addthis.replacement": "addthis=(function(){var f=$S(arguments.callee);return f.__noSuchMethod__=f.data=f.bar=f.dynamic=f.login=f.ad=f.util=f.user=f.session=f})();",
"surrogate.adfly.sources": "!@^https?://adf.ly/\\w+/?$",
"surrogate.adfly.replacement": "for(var a=/ysmm = '(.*?)';/gi.exec(document.documentElement.innerHTML)[1],b='',c='',d=0;d<a.length;d++)0==d%2?b+=a.charAt(d):c=a.charAt(d)+c;window.location=atob(b+c).substring(2)",
"surrogate.ampush.sources": ".ampush.io",
"surrogate.ampush.replacement": "window.ampt=$S({__noSuchMethod__:function(){}});",
"surrogate.digg.sources": "!@digg.com/newsbar/*",
"surrogate.digg.replacement": "window.location.href=document.querySelector('link[rel=canonical]').href",
"surrogate.dimtus.sources": "!@^http://(?:dimtus|imageteam)\\.(?:com|org)/img-",
"surrogate.dimtus.replacement": "document.querySelector('.overlay_ad').style.display='none'",
"surrogate.ga.sources": "*.google-analytics.com",
"surrogate.ga.replacement": "(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq},_getTrackerByName:function(){return {_visitCode:function(){return 0}}}});window.cxApi=$S({__noSuchMethod__:_0,getChosenVariation:function(x){return typeof x == 'number' ? x : x[0]},chooseVariation:function(x){return 0}})})()",
"surrogate.glinks.replacement": "['focus','mouseover','mousedown','click'].forEach(function(et){addEventListener(et,function(e){var a=e.target,href=a.href&&a.getAttribute&&a.getAttribute('href');if(href&&/^(?:http|\\/url)/.test(href)&&!a._href){a._href=a.href=a.href.replace(/.*\\/url.*[?&](?:url|q)=(http[^&]+).*/,function(a,b)decodeURIComponent(b));do{if(/\\brwt\\(/.test(a.getAttribute('onmousedown')))a.removeAttribute('onmousedown')}while((a=a.parentElement))}},true)})",
"surrogate.glinks.sources": "!@^https?://[^/]+google\\..*/search",
"surrogate.googletag.replacement": "if(typeof googletag==='undefined'){googletag={slots:{},cmd:$S({__noSuchMethod__:function(){return $S(this)},push:function(f){return f()}})};}googletag.defineSlot=function(){return $S({__noSuchMethod__:function(){return $S(this)}})};let _gt=googletag;googletag=new Proxy(_gt,{get:function(s,w,e){return w in s?s[w]:function(){return $S({__noSuchMethod__:function(){return googletag;}})};}});let _renderedAds=new Proxy({},{get:function(a,b){return b in a?a[b]:{size:[729,90]};}});let _adsRenderedInfo=new Proxy({get:function(n){return _renderedAds[n];}},{get:function(x,c){return c in x?x[c]:function(){};},set:function(x,c,v){}});Object.defineProperty(googletag,'adsRenderedInfo',{configurable:true,enumerable:true,set:function(){},get:function(){return _adsRenderedInfo;}});",
"surrogate.googletag.sources": ".googletagservices.com",
"surrogate.gravatar.sources": ".gravatar.com",
"surrogate.gravatar.replacement": "Gravatar=$S({my_hash:'', profile_cb:function(){}, init:function(){}, __noSuchMethod__:function(){}})",
"surrogate.microsoftSupport.replacement": "let c=document.getElementById('contentArea');if(c)c.style.display=''",
"surrogate.microsoftSupport.sources": "!support.microsoft.com",
"surrogate.modpagespeed.replacement": "let s=document.querySelector('noscript>meta[http-equiv=refresh]+style');if(s)s.parentNode.removeChild(s)",
"surrogate.modpagespeed.sources": "!@^https?:",
"surrogate.qs.sources": "*.quantserve.com",
"surrogate.qs.replacement": "window.quantserve=function(){}",
"surrogate.uniblue.sources": "!@.uniblue.com .liutilities.com",
"surrogate.uniblue.replacement": "Array.forEach(document.links,function(l){if(/^https:\\/\\/store\\./.test(l.href)){l.setAttribute('href',l.href.replace(/.*?:/, ''));l.parentNode.replaceChild(l,l)}})",
"surrogate.yieldman.sources": "*.yieldmanager.com",
"surrogate.yieldman.replacement": "rmAddKey=rmAddCustomKey=rmShowAd=rmShowPop=rmShowInterstitial=rmGetQueryParameters=rmGetSize=rmGetWindowUrl=rmGetPubRedirect=rmGetClickUrl=rmReplace=rmTrim=rmUrlEncode=rmCanShowPop=rmCookieExists=rmWritePopFrequencyCookie=rmWritePopExpirationCookie=flashIntalledCookieExists=writeFlashInstalledCookie=flashDetection=rmGetCookie=function(){}",
"surrogate.popunder.sources": "@^http:\\/\\/[\\w\\-\\.]+\\.[a-z]+ wyciwyg:",
"surrogate.popunder.replacement": "(function(){var unloading=false;addEventListener('pagehide',function(){unloading=true;setTimeout(function(){unloading=false},100)},true);var cookie=document.__proto__.__lookupGetter__('cookie');document.__proto__.__defineGetter__('cookie',function() {if(unloading)return cookie.apply(this);var c='; popunder=yes; popundr=yes; setover18=1';return(cookie.apply(this).replace(c,'')+c).replace(/^; /, '')});var fid='_FID_'+(Date.now().toString(16));var open=window.__proto__.open;window.__proto__.open=function(url,target,features){try{if(!(/^_(?:top|parent|self)$/i.test(target)||target in frames)){var suspSrc,suspCall,ff=[],ss=new Error().stack.split('\\n').length;if(/popunde?r/i.test(target))return ko();for(var f,ev,aa=arguments;stackSize-->2&&aa.callee&&(f=aa.callee.caller)&&ff.indexOf(f)<0;ff.push(f)){aa=f.arguments;if(!aa)break;ev=aa[0];suspCall=f.name=='doPopUnder';if(!suspSrc)suspSrc=suspCall||/(?:\\bpopunde?r|\\bfocus\\b.*\\bblur|\\bblur\\b.*\\bfocus|[pP]uShown)\\b/.test(f.toSource());if(suspCall||ev&&typeof ev=='object'&&('type' in ev)&&ev.type=='click'&&ev.button===0&&(ev.currentTarget===document||('tagName' in ev.currentTarget)&&'body'==ev.currentTarget.tagName.toLowerCase())&&!(('href' in ev.target)&&ev.target.href&&(ev.target.href.indexOf(url)===0||url.indexOf(ev.target.href)===0))){if(suspSrc)return ko();}}}}catch(e){}return open.apply(null, arguments);function ko(){var fr=document.getElementById(fid)||document.body.appendChild(document.createElement('iframe'));fr.id=fid;fr.src='data:text/html,';fr.style.display='none';var w=fr.contentWindow;w.blur=function(){};return w;}}})()",
"surrogate.popunder.exceptions": ".meebo.com",
"surrogate.imdb.sources": "@*.imdb.com/video/*",
"surrogate.imdb.replacement": "addEventListener('DOMContentLoaded',function(ev){ad_utils.render_ad=function(w){w.location=w.location.href.replace(/.*\\bTRAILER=([^&]+).*/,'$1')}},true)",
"surrogate.nscookie.sources": "@*.facebook.com",
"surrogate.nscookie.replacement": "document.cookie='noscript=; domain=.facebook.com; path=/; expires=Thu, 01-Jan-1970 00:00:01 GMT;'",
"surrogate.imagebam.replacement": "(function(){if(\"over18\" in window){var _do=doOpen;doOpen=function(){};over18();doOpen=_do}else{var e=document.getElementById(Array.slice(document.getElementsByTagName(\"script\")).filter(function(s){return !!s.innerHTML})[0].innerHTML.match(/over18[\\s\\S]*?'([^']+)/)[1]);e.style.display='none'}})()",
"surrogate.imagebam.sources": "!@*.imagebam.com",
"surrogate.imagehaven.replacement": "['agreeCont','TransparentBlack'].forEach(function(id){var o=document.getElementById(id);if(o)o.style.display='none'})",
"surrogate.imagehaven.sources": "!@*.imagehaven.net",
"surrogate.imgreserve.sources": "!imgreserve.com",
"surrogate.imgreserve.replacement": "let b=document.querySelector('input[value=\"YES\"]');if(b)b.addEventListener('click',function(){document.cookie='AgeVerification=1';location.href=location},true)",
"surrogate.interstitialBox.replacement": "__defineSetter__('interstitialBox',function(){});__defineGetter__('interstitialBox',function(){return{}})",
"surrogate.interstitialBox.sources": "@*.imagevenue.com",
"surrogate.invodo.sources": ".invodo.com",
"surrogate.invodo.replacement": "Invodo=$S({__noSuchMethod__:function(){}})",
"surrogate.googleThumbs.replacement": "(function(){var ss=document.getElementsByTagName('script');var s,t,m,id,i;for(var j=ss.length;j-->0;)if(((s=ss[j])&&(t=s.firstChild&&s.firstChild.nodeValue)&&(id=t.match(/\\w+thumb\\d+/))&&(m=t.match(/['\"](data:[^'\"]+)/)))&&(i=document.getElementById(id)))i.src=m[1].replace(/\\\\(u[0-9a-f]{4}|x[0-9a-f]{2})/ig,function(a,b){return String.fromCharCode(parseInt(b.substring(1), 16))})})()",
"surrogate.googleThumbs.sources": "!^https?://www\\.google\\.[a-z]+/search",
"surrogate.amo.replacement": "addEventListener('click',function(e){if(e.button)return;var a=e.target.parentNode;var hash=a.getAttribute('data-hash');if(hash){var b=a.parentNode.parentNode;InstallTrigger.install({x:{URL:a.href,IconURL:b.getAttribute('data-icon'),Hash:hash,toString:function(){return a.href}}});e.preventDefault()}},false)",
"surrogate.amo.sources": "!https://addons.mozilla.org/",
"surrogate.ab_adsense.sources": "pagead2.googlesyndication.com",
"surrogate.ab_adsense.replacement": "gaGlobal={}",
"surrogate.ab_adscale.sources": "js.adscale.de",
"surrogate.ab_adscale.replacement": "adscale={}",
"surrogate.ab_adtiger.sources": "^http://ads\\.adtiger\\.",
"surrogate.ab_adtiger.replacement": "adspirit_pid={}",
"surrogate.ab_bidvertiser.sources": "^http://bdv\\.bidvert",
"surrogate.ab_bidvertiser.replacement": "report_error=function(){}",
"surrogate.ab_binlayer.sources": "^http://view\\.binlay(?:er)\\.",
"surrogate.ab_binlayer.replacement": "blLayer={}",
"surrogate.ab_mirago.sources": "^http://intext\\.mirago\\.",
"surrogate.ab_mirago.replacement": "HLSysBannerUrl=''",
"surrogate.ab_mirando.sources": "^http://get\\.mirando\\.",
"surrogate.ab_mirando.replacement": "Mirando={}",
"surrogate.facebook_connect.sources": "connect.facebook.net",
"surrogate.facebook_connect.replacement": "FB=(function(){var f=$S(arguments.callee);return f.__noSuchMethod__=f.Event=f.XFBML=f;})();",
"surrogate.revsci.sources": "js.revsci.net",
"surrogate.revsci.replacement": "rsinetsegs=[];DM_addEncToLoc=DM_tag=function(){};",
"surrogate.adriver.sources": "ad.adriver.ru/cgi-bin/erle.cgi",
"surrogate.adriver.replacement": "if(top!==self&&top.location.href===location.href)setTimeout('try{document.close();}catch(e){}',100)",
"surrogate.twitter.sources": "platform.twitter.com",
"surrogate.twitter.replacement": "twttr=(function(){var f=$S(arguments.callee); var ro = f.__noSuchMethod__=f.events=f.anywhere=f; ro.widgets=$S({__noSuchMethod__:function(){}}); return ro})();",
"surrogate.plusone.sources": "apis.google.com/js/plusone.js",
"surrogate.plusone.replacement": "gapi=(function(){var f=$S(arguments.callee);return f.__noSuchMethod__=f.plusone=f;})();",
"surrogate.disqus-theme.sources": ">.disqus.com/*/build/themes/t_c4ca4238a0b923820dcc509a6f75849b.js*",
"surrogate.disqus-theme.replacement": "DISQUS.dtpl.actions.register('comments.reply.new.onLoadingStart', function() { DISQUS.dtpl.actions.remove('comments.reply.new.onLoadingStart'); DISQUS.dtpl.actions.remove('comments.reply.new.onLoadingEnd');});",
"surrogate.skimlinks.sources": ".skimlinks.com/api/",
"surrogate.skimlinks.replacement": "window.skimlinks=function(){}",
"surrogate.picbucks.sources": "!*.picbucks.com http://www.imagebax.com/show.php/*",
"surrogate.picbucks.replacement": "Array.forEach(document.getElementsByTagName('script'), function(s){let m = s.textContent.match(/(?:Lbjs\\.TargetUrl\\s*=\\s*|Array\\s*\\().*(\\bhttp[^'\"]*)/); if (m) { location.href = m[1]; throw 'break'; }})",
"surrogate.imagebunk.sources": "!http://imagebunk.com/image/*",
"surrogate.imagebunk.replacement": "document.body.insertBefore(document.getElementById('img_obj'), document.body.firstChild)",
"surrogate.picsee.sources": "!^https?://picsee\\.net/2\\d.*\\.html",
"surrogate.picsee.replacement": "location.replace(location.href.replace(/(\\/2\\d{3}[^\\/]*)(.*)\\.html/, '/upload$1/$2'));",
"surrogate.owasp_antiClickjack.sources": "!^https?://",
"surrogate.owasp_antiClickjack.replacement": "if(window.top===window&&document.body.offsetWidth===0)['body','documentElement'].forEach(function(e){document[e].style.setProperty('display','unset','important')})",
"surrogate.gigya.replacement": "gigya=$S({__noSuchMethod__:function(){}, isGigya:true, __initialized:true});gigya.socialize=$S({__noSuchMethod__:function(){}, addEventHandlers:function(){}});gigya.accounts=$S({__noSuchMethod__:function(){}})",
"surrogate.gigya.sources": ".gigya.com",
"surrogate.stripe.replacement": "Stripe=$S({__noSuchMethod__:function(){}})",
"surrogate.stripe.sources": "js.stripe.com",
"surrogate.wp.sources": "!^.*\\/20\\d{2}\\/\\d{2}\\/\\d{2}\\/",
"surrogate.wp.replacement": "let s=document.createElement('style');s.textContent='.site{opacity: 1 !important}';document.documentElement.appendChild(s)",
"fakeScriptLoadEvents.enabled": true,
"fakeScriptLoadEvents.onlyRequireJS": true,
"fakeScriptLoadEvents.exceptions": "",
"fakeScriptLoadEvents.docExceptions": "",
"placeholderMinSize": 32,
"placeholderLongTip": true,
"placeholderCollapseOnClose": false,
"compat.evernote": true,
"compat.gnotes": true,
"forbidXSLT": true,
"oldStylePartial": false,
"proxiedDNS": 0,
"placesPrefs": false,
"ABE.enabled": true,
"ABE.siteEnabled": false,
"ABE.allowRulesetRedir": false,
"ABE.legacyPrompt": false,
"ABE.disabledRulesetNames": "",
"ABE.skipBrowserRequests": true,
"ABE.notify": true,
"ABE.notify.namedLoopback": false,
"ABE.wanIpAsLocal": true,
"ABE.wanIpCheckURL": "https://secure.informaction.com/ipecho/",
"ABE.localExtras": "",
"asyncNetworking": true,
"inclusionTypeChecking": true,
"inclusionTypeChecking.exceptions": "https://scache.vzw.com/ http://cache.vzw.com .sony-europe.com .amazonaws.com .hp-ww.com .yandex.st cdn.directvid.com/*.jsx",
"inclusionTypeChecking.checkDynamic": false,
"nosniff": true,
"recentlyBlockedCount": 10,
"showRecentlyBlocked": true,
"recentlyBlockedLevel": 0,
"frameOptions.enabled": true,
"frameOptions.parentWhitelist": "https://mail.google.com/*",
"logDNS": false,
"subscription.lastCheck": 0,
"subscription.checkInterval": 24,
"subscription.trustedURL": "",
"subscription.untrustedURL": "",
"siteInfoProvider": "https://noscript.net/about/%utf8%;%ace%",
"alwaysShowObjectSources": false,
"ef.enabled": false,
"showBlankSources": false,
"preset": "medium",
"forbidBGRefresh": 1,
"forbidBGRefresh.exceptions": ".mozilla.org",
"toStaticHTML": true,
"liveConnectInterception": true,
"audioApiInterception": true,
"doNotTrack.enabled": true,
"doNotTrack.exceptions": "",
"doNotTrack.forced": "",
"ajaxFallback.enabled": true,
"sync.enabled": false,
"ABE.rulesets.SYSTEM": "# Prevent Internet sites from requesting LAN resources.\r\nSite LOCAL\r\nAccept from LOCAL\r\nDeny",
"ABE.rulesets.USER": "# User-defined rules. Feel free to experiment here.\r\n",
"ABE.migration": 0,
"smartClickToPlay": true,
"removalWarning": true,
"middlemouse_temp_allow_main_site": true,
"webext.enabled": true
}, Legacy.migrated.prefs
);
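Review bot: Two keys in this defaults map do not match the names used around them. `"filterXException.photobucket"` is missing the `s` that every sibling `filterXExceptions.*` key carries, so a lookup of `filterXExceptions.photobucket` would miss it. `"restrictSubdocScripting"` is spelled with a lowercase `d`, while `migratePolicy()` in Legacy.js reads `this.getPref("restrictSubDocScripting")` with no fallback value, so for a profile that never set it the migrated policy gets `undefined` rather than the `false` declared here. Suggest aligning the spellings, or adding a comment if the names are kept deliberately for compatibility with existing legacy profiles.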

49
src/lib/Base64.js Normal file

@ -0,0 +1,49 @@
'use strict';
// we need this because of https://bugzilla.mozilla.org/show_bug.cgi?id=439276
var Base64 = {
purify: function(input) {
return input.replace(/[^A-Za-z0-9\+\/=]+/g, '');
},
alt: function(s) {
// URL base64 variant, see http://en.wikipedia.org/wiki/Base64#URL_applications
return s.replace(/-/g, '+').replace(/_/g, '/')
},
decode: function (input, strict) {
var output = '';
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
// if (/[^A-Za-z0-9\+\/\=]/.test(input)) return ""; // we don't need this, caller checks for us
const k = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
while (i < input.length) {
enc1 = k.indexOf(input.charAt(i++));
enc2 = k.indexOf(input.charAt(i++));
enc3 = k.indexOf(input.charAt(i++));
enc4 = k.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output += String.fromCharCode(chr1);
if (enc3 != 64) {
output += String.fromCharCode(chr2);
}
if (enc4 != 64) {
output += String.fromCharCode(chr3);
}
}
return output;
}
};
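Review bot: `decode` assumes the input length is a multiple of four, which `alt` does not guarantee: it maps the URL-safe alphabet back to `+` and `/` but never restores stripped `=` padding. Past the end of the string `input.charAt(i++)` returns `""`, and `k.indexOf("")` is 0, so the missing positions decode as `A` and the output gains trailing NUL characters because neither `enc3` nor `enc4` equals 64. Characters outside the alphabet give `indexOf` a result of -1 and are likewise folded into the output by the shifts; the commented-out check says the caller validates, so it would help to document that `purify` must be applied first and to pad the input to a multiple of four before the loop. The `strict` parameter is never read and can be dropped or implemented.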

841
src/lib/fastclick.js Normal file

@ -0,0 +1,841 @@
;(function () {
'use strict';
/**
* @preserve FastClick: polyfill to remove click delays on browsers with touch UIs.
*
* @codingstandard ftlabs-jsv2
* @copyright The Financial Times Limited [All Rights Reserved]
* @license MIT License (see LICENSE.txt)
*/
/*jslint browser:true, node:true*/
/*global define, Event, Node*/
/**
* Instantiate fast-clicking listeners on the specified layer.
*
* @constructor
* @param {Element} layer The layer to listen on
* @param {Object} [options={}] The options to override the defaults
*/
function FastClick(layer, options) {
var oldOnClick;
options = options || {};
/**
* Whether a click is currently being tracked.
*
* @type boolean
*/
this.trackingClick = false;
/**
* Timestamp for when click tracking started.
*
* @type number
*/
this.trackingClickStart = 0;
/**
* The element being tracked for a click.
*
* @type EventTarget
*/
this.targetElement = null;
/**
* X-coordinate of touch start event.
*
* @type number
*/
this.touchStartX = 0;
/**
* Y-coordinate of touch start event.
*
* @type number
*/
this.touchStartY = 0;
/**
* ID of the last touch, retrieved from Touch.identifier.
*
* @type number
*/
this.lastTouchIdentifier = 0;
/**
* Touchmove boundary, beyond which a click will be cancelled.
*
* @type number
*/
this.touchBoundary = options.touchBoundary || 10;
/**
* The FastClick layer.
*
* @type Element
*/
this.layer = layer;
/**
* The minimum time between tap(touchstart and touchend) events
*
* @type number
*/
this.tapDelay = options.tapDelay || 200;
/**
* The maximum time for a tap
*
* @type number
*/
this.tapTimeout = options.tapTimeout || 700;
if (FastClick.notNeeded(layer)) {
return;
}
// Some old versions of Android don't have Function.prototype.bind
function bind(method, context) {
return function() { return method.apply(context, arguments); };
}
var methods = ['onMouse', 'onClick', 'onTouchStart', 'onTouchMove', 'onTouchEnd', 'onTouchCancel'];
var context = this;
for (var i = 0, l = methods.length; i < l; i++) {
context[methods[i]] = bind(context[methods[i]], context);
}
// Set up event handlers as required
if (deviceIsAndroid) {
layer.addEventListener('mouseover', this.onMouse, true);
layer.addEventListener('mousedown', this.onMouse, true);
layer.addEventListener('mouseup', this.onMouse, true);
}
layer.addEventListener('click', this.onClick, true);
layer.addEventListener('touchstart', this.onTouchStart, false);
layer.addEventListener('touchmove', this.onTouchMove, false);
layer.addEventListener('touchend', this.onTouchEnd, false);
layer.addEventListener('touchcancel', this.onTouchCancel, false);
// Hack is required for browsers that don't support Event#stopImmediatePropagation (e.g. Android 2)
// which is how FastClick normally stops click events bubbling to callbacks registered on the FastClick
// layer when they are cancelled.
if (!Event.prototype.stopImmediatePropagation) {
layer.removeEventListener = function(type, callback, capture) {
var rmv = Node.prototype.removeEventListener;
if (type === 'click') {
rmv.call(layer, type, callback.hijacked || callback, capture);
} else {
rmv.call(layer, type, callback, capture);
}
};
layer.addEventListener = function(type, callback, capture) {
var adv = Node.prototype.addEventListener;
if (type === 'click') {
adv.call(layer, type, callback.hijacked || (callback.hijacked = function(event) {
if (!event.propagationStopped) {
callback(event);
}
}), capture);
} else {
adv.call(layer, type, callback, capture);
}
};
}
// If a handler is already declared in the element's onclick attribute, it will be fired before
// FastClick's onClick handler. Fix this by pulling out the user-defined handler function and
// adding it as listener.
if (typeof layer.onclick === 'function') {
// Android browser on at least 3.2 requires a new reference to the function in layer.onclick
// - the old one won't work if passed to addEventListener directly.
oldOnClick = layer.onclick;
layer.addEventListener('click', function(event) {
oldOnClick(event);
}, false);
layer.onclick = null;
}
}
/**
* Windows Phone 8.1 fakes user agent string to look like Android and iPhone.
*
* @type boolean
*/
var deviceIsWindowsPhone = navigator.userAgent.indexOf("Windows Phone") >= 0;
/**
* Android requires exceptions.
*
* @type boolean
*/
var deviceIsAndroid = navigator.userAgent.indexOf('Android') > 0 && !deviceIsWindowsPhone;
/**
* iOS requires exceptions.
*
* @type boolean
*/
var deviceIsIOS = /iP(ad|hone|od)/.test(navigator.userAgent) && !deviceIsWindowsPhone;
/**
* iOS 4 requires an exception for select elements.
*
* @type boolean
*/
var deviceIsIOS4 = deviceIsIOS && (/OS 4_\d(_\d)?/).test(navigator.userAgent);
/**
* iOS 6.0-7.* requires the target element to be manually derived
*
* @type boolean
*/
var deviceIsIOSWithBadTarget = deviceIsIOS && (/OS [6-7]_\d/).test(navigator.userAgent);
/**
* BlackBerry requires exceptions.
*
* @type boolean
*/
var deviceIsBlackBerry10 = navigator.userAgent.indexOf('BB10') > 0;
/**
* Determine whether a given element requires a native click.
*
* @param {EventTarget|Element} target Target DOM element
* @returns {boolean} Returns true if the element needs a native click
*/
FastClick.prototype.needsClick = function(target) {
switch (target.nodeName.toLowerCase()) {
// Don't send a synthetic click to disabled inputs (issue #62)
case 'button':
case 'select':
case 'textarea':
if (target.disabled) {
return true;
}
break;
case 'input':
// File inputs need real clicks on iOS 6 due to a browser bug (issue #68)
if ((deviceIsIOS && target.type === 'file') || target.disabled) {
return true;
}
break;
case 'label':
case 'iframe': // iOS8 homescreen apps can prevent events bubbling into frames
case 'video':
return true;
}
return (/\bneedsclick\b/).test(target.className);
};
/**
* Determine whether a given element requires a call to focus to simulate click into element.
*
* @param {EventTarget|Element} target Target DOM element
* @returns {boolean} Returns true if the element requires a call to focus to simulate native click.
*/
FastClick.prototype.needsFocus = function(target) {
switch (target.nodeName.toLowerCase()) {
case 'textarea':
return true;
case 'select':
return !deviceIsAndroid;
case 'input':
switch (target.type) {
case 'button':
case 'checkbox':
case 'file':
case 'image':
case 'radio':
case 'submit':
return false;
}
// No point in attempting to focus disabled inputs
return !target.disabled && !target.readOnly;
default:
return (/\bneedsfocus\b/).test(target.className);
}
};
/**
* Send a click event to the specified element.
*
* @param {EventTarget|Element} targetElement
* @param {Event} event
*/
FastClick.prototype.sendClick = function(targetElement, event) {
var clickEvent, touch;
// On some Android devices activeElement needs to be blurred otherwise the synthetic click will have no effect (#24)
if (document.activeElement && document.activeElement !== targetElement) {
document.activeElement.blur();
}
touch = event.changedTouches[0];
// Synthesise a click event, with an extra attribute so it can be tracked
clickEvent = document.createEvent('MouseEvents');
clickEvent.initMouseEvent(this.determineEventType(targetElement), true, true, window, 1, touch.screenX, touch.screenY, touch.clientX, touch.clientY, false, false, false, false, 0, null);
clickEvent.forwardedTouchEvent = true;
targetElement.dispatchEvent(clickEvent);
};
FastClick.prototype.determineEventType = function(targetElement) {
//Issue #159: Android Chrome Select Box does not open with a synthetic click event
if (deviceIsAndroid && targetElement.tagName.toLowerCase() === 'select') {
return 'mousedown';
}
return 'click';
};
/**
* @param {EventTarget|Element} targetElement
*/
FastClick.prototype.focus = function(targetElement) {
var length;
// Issue #160: on iOS 7, some input elements (e.g. date datetime month) throw a vague TypeError on setSelectionRange. These elements don't have an integer value for the selectionStart and selectionEnd properties, but unfortunately that can't be used for detection because accessing the properties also throws a TypeError. Just check the type instead. Filed as Apple bug #15122724.
if (deviceIsIOS && targetElement.setSelectionRange && targetElement.type.indexOf('date') !== 0 && targetElement.type !== 'time' && targetElement.type !== 'month' && targetElement.type !== 'email') {
length = targetElement.value.length;
targetElement.setSelectionRange(length, length);
} else {
targetElement.focus();
}
};
/**
* Check whether the given target element is a child of a scrollable layer and if so, set a flag on it.
*
* @param {EventTarget|Element} targetElement
*/
FastClick.prototype.updateScrollParent = function(targetElement) {
var scrollParent, parentElement;
scrollParent = targetElement.fastClickScrollParent;
// Attempt to discover whether the target element is contained within a scrollable layer. Re-check if the
// target element was moved to another parent.
if (!scrollParent || !scrollParent.contains(targetElement)) {
parentElement = targetElement;
do {
if (parentElement.scrollHeight > parentElement.offsetHeight) {
scrollParent = parentElement;
targetElement.fastClickScrollParent = parentElement;
break;
}
parentElement = parentElement.parentElement;
} while (parentElement);
}
// Always update the scroll top tracker if possible.
if (scrollParent) {
scrollParent.fastClickLastScrollTop = scrollParent.scrollTop;
}
};
/**
* @param {EventTarget} targetElement
* @returns {Element|EventTarget}
*/
FastClick.prototype.getTargetElementFromEventTarget = function(eventTarget) {
// On some older browsers (notably Safari on iOS 4.1 - see issue #56) the event target may be a text node.
if (eventTarget.nodeType === Node.TEXT_NODE) {
return eventTarget.parentNode;
}
return eventTarget;
};
/**
* On touch start, record the position and scroll offset.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.onTouchStart = function(event) {
var targetElement, touch, selection;
// Ignore multiple touches, otherwise pinch-to-zoom is prevented if both fingers are on the FastClick element (issue #111).
if (event.targetTouches.length > 1) {
return true;
}
targetElement = this.getTargetElementFromEventTarget(event.target);
touch = event.targetTouches[0];
if (deviceIsIOS) {
// Only trusted events will deselect text on iOS (issue #49)
selection = window.getSelection();
if (selection.rangeCount && !selection.isCollapsed) {
return true;
}
if (!deviceIsIOS4) {
// Weird things happen on iOS when an alert or confirm dialog is opened from a click event callback (issue #23):
// when the user next taps anywhere else on the page, new touchstart and touchend events are dispatched
// with the same identifier as the touch event that previously triggered the click that triggered the alert.
// Sadly, there is an issue on iOS 4 that causes some normal touch events to have the same identifier as an
// immediately preceeding touch event (issue #52), so this fix is unavailable on that platform.
// Issue 120: touch.identifier is 0 when Chrome dev tools 'Emulate touch events' is set with an iOS device UA string,
// which causes all touch events to be ignored. As this block only applies to iOS, and iOS identifiers are always long,
// random integers, it's safe to to continue if the identifier is 0 here.
if (touch.identifier && touch.identifier === this.lastTouchIdentifier) {
event.preventDefault();
return false;
}
this.lastTouchIdentifier = touch.identifier;
// If the target element is a child of a scrollable layer (using -webkit-overflow-scrolling: touch) and:
// 1) the user does a fling scroll on the scrollable layer
// 2) the user stops the fling scroll with another tap
// then the event.target of the last 'touchend' event will be the element that was under the user's finger
// when the fling scroll was started, causing FastClick to send a click event to that layer - unless a check
// is made to ensure that a parent layer was not scrolled before sending a synthetic click (issue #42).
this.updateScrollParent(targetElement);
}
}
this.trackingClick = true;
this.trackingClickStart = event.timeStamp;
this.targetElement = targetElement;
this.touchStartX = touch.pageX;
this.touchStartY = touch.pageY;
// Prevent phantom clicks on fast double-tap (issue #36)
if ((event.timeStamp - this.lastClickTime) < this.tapDelay) {
event.preventDefault();
}
return true;
};
/**
* Based on a touchmove event object, check whether the touch has moved past a boundary since it started.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.touchHasMoved = function(event) {
var touch = event.changedTouches[0], boundary = this.touchBoundary;
if (Math.abs(touch.pageX - this.touchStartX) > boundary || Math.abs(touch.pageY - this.touchStartY) > boundary) {
return true;
}
return false;
};
/**
* Update the last position.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.onTouchMove = function(event) {
if (!this.trackingClick) {
return true;
}
// If the touch has moved, cancel the click tracking
if (this.targetElement !== this.getTargetElementFromEventTarget(event.target) || this.touchHasMoved(event)) {
this.trackingClick = false;
this.targetElement = null;
}
return true;
};
/**
* Attempt to find the labelled control for the given label element.
*
* @param {EventTarget|HTMLLabelElement} labelElement
* @returns {Element|null}
*/
FastClick.prototype.findControl = function(labelElement) {
// Fast path for newer browsers supporting the HTML5 control attribute
if (labelElement.control !== undefined) {
return labelElement.control;
}
// All browsers under test that support touch events also support the HTML5 htmlFor attribute
if (labelElement.htmlFor) {
return document.getElementById(labelElement.htmlFor);
}
// If no for attribute exists, attempt to retrieve the first labellable descendant element
// the list of which is defined here: http://www.w3.org/TR/html5/forms.html#category-label
return labelElement.querySelector('button, input:not([type=hidden]), keygen, meter, output, progress, select, textarea');
};
/**
* On touch end, determine whether to send a click event at once.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.onTouchEnd = function(event) {
var forElement, trackingClickStart, targetTagName, scrollParent, touch, targetElement = this.targetElement;
if (!this.trackingClick) {
return true;
}
// Prevent phantom clicks on fast double-tap (issue #36)
if ((event.timeStamp - this.lastClickTime) < this.tapDelay) {
this.cancelNextClick = true;
return true;
}
if ((event.timeStamp - this.trackingClickStart) > this.tapTimeout) {
return true;
}
// Reset to prevent wrong click cancel on input (issue #156).
this.cancelNextClick = false;
this.lastClickTime = event.timeStamp;
trackingClickStart = this.trackingClickStart;
this.trackingClick = false;
this.trackingClickStart = 0;
// On some iOS devices, the targetElement supplied with the event is invalid if the layer
// is performing a transition or scroll, and has to be re-detected manually. Note that
// for this to function correctly, it must be called *after* the event target is checked!
// See issue #57; also filed as rdar://13048589 .
if (deviceIsIOSWithBadTarget) {
touch = event.changedTouches[0];
// In certain cases arguments of elementFromPoint can be negative, so prevent setting targetElement to null
targetElement = document.elementFromPoint(touch.pageX - window.pageXOffset, touch.pageY - window.pageYOffset) || targetElement;
targetElement.fastClickScrollParent = this.targetElement.fastClickScrollParent;
}
targetTagName = targetElement.tagName.toLowerCase();
if (targetTagName === 'label') {
forElement = this.findControl(targetElement);
if (forElement) {
this.focus(targetElement);
if (deviceIsAndroid) {
return false;
}
targetElement = forElement;
}
} else if (this.needsFocus(targetElement)) {
// Case 1: If the touch started a while ago (best guess is 100ms based on tests for issue #36) then focus will be triggered anyway. Return early and unset the target element reference so that the subsequent click will be allowed through.
// Case 2: Without this exception for input elements tapped when the document is contained in an iframe, then any inputted text won't be visible even though the value attribute is updated as the user types (issue #37).
if ((event.timeStamp - trackingClickStart) > 100 || (deviceIsIOS && window.top !== window && targetTagName === 'input')) {
this.targetElement = null;
return false;
}
this.focus(targetElement);
this.sendClick(targetElement, event);
// Select elements need the event to go through on iOS 4, otherwise the selector menu won't open.
// Also this breaks opening selects when VoiceOver is active on iOS6, iOS7 (and possibly others)
if (!deviceIsIOS || targetTagName !== 'select') {
this.targetElement = null;
event.preventDefault();
}
return false;
}
if (deviceIsIOS && !deviceIsIOS4) {
// Don't send a synthetic click event if the target element is contained within a parent layer that was scrolled
// and this tap is being used to stop the scrolling (usually initiated by a fling - issue #42).
scrollParent = targetElement.fastClickScrollParent;
if (scrollParent && scrollParent.fastClickLastScrollTop !== scrollParent.scrollTop) {
return true;
}
}
// Prevent the actual click from going though - unless the target node is marked as requiring
// real clicks or if it is in the whitelist in which case only non-programmatic clicks are permitted.
if (!this.needsClick(targetElement)) {
event.preventDefault();
this.sendClick(targetElement, event);
}
return false;
};
/**
* On touch cancel, stop tracking the click.
*
* @returns {void}
*/
FastClick.prototype.onTouchCancel = function() {
this.trackingClick = false;
this.targetElement = null;
};
/**
* Determine mouse events which should be permitted.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.onMouse = function(event) {
// If a target element was never set (because a touch event was never fired) allow the event
if (!this.targetElement) {
return true;
}
if (event.forwardedTouchEvent) {
return true;
}
// Programmatically generated events targeting a specific element should be permitted
if (!event.cancelable) {
return true;
}
// Derive and check the target element to see whether the mouse event needs to be permitted;
// unless explicitly enabled, prevent non-touch click events from triggering actions,
// to prevent ghost/doubleclicks.
if (!this.needsClick(this.targetElement) || this.cancelNextClick) {
// Prevent any user-added listeners declared on FastClick element from being fired.
if (event.stopImmediatePropagation) {
event.stopImmediatePropagation();
} else {
// Part of the hack for browsers that don't support Event#stopImmediatePropagation (e.g. Android 2)
event.propagationStopped = true;
}
// Cancel the event
event.stopPropagation();
event.preventDefault();
return false;
}
// If the mouse event is permitted, return true for the action to go through.
return true;
};
/**
* On actual clicks, determine whether this is a touch-generated click, a click action occurring
* naturally after a delay after a touch (which needs to be cancelled to avoid duplication), or
* an actual click which should be permitted.
*
* @param {Event} event
* @returns {boolean}
*/
FastClick.prototype.onClick = function(event) {
var permitted;
// It's possible for another FastClick-like library delivered with third-party code to fire a click event before FastClick does (issue #44). In that case, set the click-tracking flag back to false and return early. This will cause onTouchEnd to return early.
if (this.trackingClick) {
this.targetElement = null;
this.trackingClick = false;
return true;
}
// Very odd behaviour on iOS (issue #18): if a submit element is present inside a form and the user hits enter in the iOS simulator or clicks the Go button on the pop-up OS keyboard the a kind of 'fake' click event will be triggered with the submit-type input element as the target.
if (event.target.type === 'submit' && event.detail === 0) {
return true;
}
permitted = this.onMouse(event);
// Only unset targetElement if the click is not permitted. This will ensure that the check for !targetElement in onMouse fails and the browser's click doesn't go through.
if (!permitted) {
this.targetElement = null;
}
// If clicks are permitted, return true for the action to go through.
return permitted;
};
/**
* Remove all FastClick's event listeners.
*
* @returns {void}
*/
FastClick.prototype.destroy = function() {
var layer = this.layer;
if (deviceIsAndroid) {
layer.removeEventListener('mouseover', this.onMouse, true);
layer.removeEventListener('mousedown', this.onMouse, true);
layer.removeEventListener('mouseup', this.onMouse, true);
}
layer.removeEventListener('click', this.onClick, true);
layer.removeEventListener('touchstart', this.onTouchStart, false);
layer.removeEventListener('touchmove', this.onTouchMove, false);
layer.removeEventListener('touchend', this.onTouchEnd, false);
layer.removeEventListener('touchcancel', this.onTouchCancel, false);
};
/**
* Check whether FastClick is needed.
*
* @param {Element} layer The layer to listen on
*/
FastClick.notNeeded = function(layer) {
var metaViewport;
var chromeVersion;
var blackberryVersion;
var firefoxVersion;
// Devices that don't support touch don't need FastClick
if (typeof window.ontouchstart === 'undefined') {
return true;
}
// Chrome version - zero for other browsers
chromeVersion = +(/Chrome\/([0-9]+)/.exec(navigator.userAgent) || [,0])[1];
if (chromeVersion) {
if (deviceIsAndroid) {
metaViewport = document.querySelector('meta[name=viewport]');
if (metaViewport) {
// Chrome on Android with user-scalable="no" doesn't need FastClick (issue #89)
if (metaViewport.content.indexOf('user-scalable=no') !== -1) {
return true;
}
// Chrome 32 and above with width=device-width or less don't need FastClick
if (chromeVersion > 31 && document.documentElement.scrollWidth <= window.outerWidth) {
return true;
}
}
// Chrome desktop doesn't need FastClick (issue #15)
} else {
return true;
}
}
if (deviceIsBlackBerry10) {
blackberryVersion = navigator.userAgent.match(/Version\/([0-9]*)\.([0-9]*)/);
// BlackBerry 10.3+ does not require Fastclick library.
// https://github.com/ftlabs/fastclick/issues/251
if (blackberryVersion[1] >= 10 && blackberryVersion[2] >= 3) {
metaViewport = document.querySelector('meta[name=viewport]');
if (metaViewport) {
// user-scalable=no eliminates click delay.
if (metaViewport.content.indexOf('user-scalable=no') !== -1) {
return true;
}
// width=device-width (or less than device-width) eliminates click delay.
if (document.documentElement.scrollWidth <= window.outerWidth) {
return true;
}
}
}
}
// IE10 with -ms-touch-action: none or manipulation, which disables double-tap-to-zoom (issue #97)
if (layer.style.msTouchAction === 'none' || layer.style.touchAction === 'manipulation') {
return true;
}
// Firefox version - zero for other browsers
firefoxVersion = +(/Firefox\/([0-9]+)/.exec(navigator.userAgent) || [,0])[1];
if (firefoxVersion >= 27) {
// Firefox 27+ does not have tap delay if the content is not zoomable - https://bugzilla.mozilla.org/show_bug.cgi?id=922896
metaViewport = document.querySelector('meta[name=viewport]');
if (metaViewport && (metaViewport.content.indexOf('user-scalable=no') !== -1 || document.documentElement.scrollWidth <= window.outerWidth)) {
return true;
}
}
// IE11: prefixed -ms-touch-action is no longer supported and it's recomended to use non-prefixed version
// http://msdn.microsoft.com/en-us/library/windows/apps/Hh767313.aspx
if (layer.style.touchAction === 'none' || layer.style.touchAction === 'manipulation') {
return true;
}
return false;
};
/**
* Factory method for creating a FastClick object
*
* @param {Element} layer The layer to listen on
* @param {Object} [options={}] The options to override the defaults
*/
FastClick.attach = function(layer, options) {
return new FastClick(layer, options);
};
if (typeof define === 'function' && typeof define.amd === 'object' && define.amd) {
// AMD. Register as an anonymous module.
define(function() {
return FastClick;
});
} else if (typeof module !== 'undefined' && module.exports) {
module.exports = FastClick.attach;
module.exports.FastClick = FastClick;
} else {
window.FastClick = FastClick;
}
}());
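Review bot: In `FastClick.notNeeded`, the BlackBerry branch reads `blackberryVersion[1]` without checking that `navigator.userAgent.match(...)` found anything, so a user agent that contains `BB10` but no `Version/x.y` token throws a TypeError instead of falling through to the later checks. Guard it with `if (blackberryVersion && ...)`. The same condition, `blackberryVersion[1] >= 10 && blackberryVersion[2] >= 3`, compares major and minor independently, so a version such as 11.0 is treated as older than 10.3; compare the major first and look at the minor only when the major equals 10. Separately, the CommonJS branch exports `FastClick.attach` while the AMD and global branches export the constructor, which deserves a comment for anyone consuming this vendored copy through different loaders.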

View File

@ -0,0 +1,22 @@
Copyright (c) 2014 The Financial Times Ltd.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

View File

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2016 mdmoreau
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

17
src/lib/flextabs.css Normal file
View File

@ -0,0 +1,17 @@
.flextabs {
display: flex;
flex-wrap: wrap;
}
.flextabs__tab {
width: 100%;
}
.flextabs__content {
display: none;
width: 100%;
}
.flextabs__content--active {
display: block;
}

68
src/lib/flextabs.js Normal file
View File

@ -0,0 +1,68 @@
(function(root, factory) {
if (typeof define === 'function' && define.amd) {
define([], factory);
} else if (typeof module === 'object' && module.exports) {
module.exports = factory();
} else {
root.flextabs = factory();
}
}(this, function() {
var flextabs = function(target) {
var _ = {};
_.flextabs = target;
_.toggle = _.flextabs.querySelectorAll('.flextabs__toggle');
_.content = _.flextabs.querySelectorAll('.flextabs__content');
_.reset = function() {
for (var i = 0; i < _.toggle.length; i += 1) {
_.toggle[i].classList.remove('flextabs__toggle--active--last');
_.content[i].classList.remove('flextabs__content--active--last');
}
};
_.activate = function() {
var i = Array.prototype.indexOf.call(_.toggle, this);
_.toggle[i].classList.toggle('flextabs__toggle--active');
_.toggle[i].classList.add('flextabs__toggle--active--last');
_.content[i].classList.toggle('flextabs__content--active');
_.content[i].classList.add('flextabs__content--active--last');
};
_.aria = function() {
for (var i = 0; i < _.toggle.length; i += 1) {
var style = getComputedStyle(_.content[i]);
if (style.getPropertyValue('display') !== 'none') {
_.toggle[i].setAttribute('aria-expanded', true);
} else {
_.toggle[i].setAttribute('aria-expanded', false);
}
}
};
_.click = function(e) {
e.preventDefault();
_.reset();
_.activate.call(this);
_.aria();
};
_.init = function() {
for (var i = 0; i < _.toggle.length; i += 1) {
window.addEventListener('load', _.aria);
window.addEventListener('resize', _.aria);
_.toggle[i].addEventListener('click', _.click);
}
};
return _;
};
return flextabs;
}));
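Review bot: `_.reset`, `_.activate` and `_.aria` index `_.content[i]` with the toggle's index, which assumes exactly one `.flextabs__content` per `.flextabs__toggle`, in the same order; with fewer content panels than toggles, `_.content[i]` is undefined and the `classList` or `getComputedStyle` call throws. Check in `_.init` that the two NodeLists have the same length, or skip missing entries. Also in `_.init`, the `window.addEventListener('load', _.aria)` and `'resize'` registrations sit inside the per-toggle loop: repeated registration of the same function is deduplicated, but with zero toggles they are never registered at all, so they belong outside the loop.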

35
src/lib/include.js Normal file
View File

@ -0,0 +1,35 @@
var include = (() =>
{
let _inclusions = new Map();
function scriptLoader(src) {
let script = document.createElement("script");
script.src = src;
return script;
}
function styleLoader(src) {
let style = document.createElement("link");
style.rel = "stylesheet";
style.type = "text/css";
style.href = src;
return style;
}
return async function include(src) {
if (_inclusions.has(src)) return await _inclusions.get(src);
if (Array.isArray(src)) {
return await Promise.all(src.map(s => include(s)));
}
debug("Including", src);
let loading = new Promise((resolve, reject) => {
let inc = src.endsWith(".css") ? styleLoader(src) : scriptLoader(src);
inc.onload = () => resolve(inc);
inc.onerror = () => reject(new Error(`Failed to load ${src}`));
document.head.appendChild(inc);
});
_inclusions.set(src, loading);
return await (loading);
}
})();
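Review bot: In `include`, the promise is stored in `_inclusions` before it settles and is never removed when `inc.onerror` fires, so one failed load makes every later `include(src)` for that path reject from the cache with no retry, and the failed element stays in `document.head`. Delete the map entry and remove the element in the error path. `src.endsWith(".css")` throws for a non-string `src` and misclassifies a stylesheet URL that carries a query string or fragment. Because `src` is assigned to `script.src` unchecked, the function should either document that callers pass only extension-packaged paths or enforce that here. It also calls `debug`, which this file does not define, so the dependency on log.js being loaded first should be stated.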

14
src/lib/log.js Normal file
View File

@ -0,0 +1,14 @@
{
let PREFIX = `[${browser.runtime.getManifest().name}]`;
function log(msg, ...rest) {
console.log(`${PREFIX} ${msg}`, ...rest);
}
function debug(msg, ...rest) {
console.debug(`${PREFIX} ${msg}`, ...rest);
}
function error(e, msg, ...rest) {
console.error(`${PREFIX} ${msg}`, e, e.message, e.stack);
}
}
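Review bot: `error(e, msg, ...rest)` collects `rest` but never passes it to `console.error`, so extra arguments are silently dropped, unlike in `log` and `debug`; it also reads `e.message` and `e.stack` unconditionally, which throws when a caller passes `null` or `undefined` as `e`. Forward `...rest` and guard the property reads. The three functions are declared inside a bare block next to `let PREFIX`, so their visibility to other scripts (include.js calls `debug`) depends on sloppy-mode hoisting of block-level function declarations; under `"use strict"` they would be block-scoped and unreachable. A comment stating that intent, or explicit assignment to a shared object, would make this robust.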

View File

@ -0,0 +1,21 @@
if (typeof flextabs === "function") {
for (let tabs of document.querySelectorAll(".flextabs")) {
flextabs(tabs).init();
let {id} = tabs;
if (!id) continue;
let rx = new RegExp(`(?:^|[#;])tab-${id}=(\\d+)(?:;|$)`);
let current = location.hash.match(rx);
console.log(`persisted %o`, current);
let toggles = tabs.querySelectorAll(".flextabs__toggle");
let currentToggle = toggles[current && parseInt(current[1]) || 0];
if (currentToggle) currentToggle.click();
for (let toggle of toggles) {
toggle.addEventListener("click", e => {
let currentIdx = Array.indexOf(toggles, toggle);
location.hash = location.hash.split(";").filter(p => !rx.test(p))
.concat(`tab-${id}=${currentIdx}`).join(";");
});
}
}
}
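Review bot: In the toggle click listener, `Array.indexOf(toggles, toggle)` relies on the non-standard Firefox array generics, which are deprecated; use `Array.prototype.indexOf.call(toggles, toggle)`, as flextabs.js already does. The element `id` is interpolated into `new RegExp(...)` unescaped, so an id containing regex metacharacters changes what the pattern matches; escape it before building `rx`. `parseInt(current[1])` should pass a radix of 10, and `console.log(`persisted %o`, current)` looks like leftover debugging that bypasses the `debug` helper from log.js.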

533
src/lib/punycode.js Normal file
View File

@ -0,0 +1,533 @@
/*! https://mths.be/punycode v1.4.1 by @mathias */
;(function(root) {
/** Detect free variables */
var freeExports = typeof exports == 'object' && exports &&
!exports.nodeType && exports;
var freeModule = typeof module == 'object' && module &&
!module.nodeType && module;
var freeGlobal = typeof global == 'object' && global;
if (
freeGlobal.global === freeGlobal ||
freeGlobal.window === freeGlobal ||
freeGlobal.self === freeGlobal
) {
root = freeGlobal;
}
/**
* The `punycode` object.
* @name punycode
* @type Object
*/
var punycode,
/** Highest positive signed 32-bit float value */
maxInt = 2147483647, // aka. 0x7FFFFFFF or 2^31-1
/** Bootstring parameters */
base = 36,
tMin = 1,
tMax = 26,
skew = 38,
damp = 700,
initialBias = 72,
initialN = 128, // 0x80
delimiter = '-', // '\x2D'
/** Regular expressions */
regexPunycode = /^xn--/,
regexNonASCII = /[^\x20-\x7E]/, // unprintable ASCII chars + non-ASCII chars
regexSeparators = /[\x2E\u3002\uFF0E\uFF61]/g, // RFC 3490 separators
/** Error messages */
errors = {
'overflow': 'Overflow: input needs wider integers to process',
'not-basic': 'Illegal input >= 0x80 (not a basic code point)',
'invalid-input': 'Invalid input'
},
/** Convenience shortcuts */
baseMinusTMin = base - tMin,
floor = Math.floor,
stringFromCharCode = String.fromCharCode,
/** Temporary variable */
key;
/*--------------------------------------------------------------------------*/
/**
* A generic error utility function.
* @private
* @param {String} type The error type.
* @returns {Error} Throws a `RangeError` with the applicable error message.
*/
function error(type) {
throw new RangeError(errors[type]);
}
/**
* A generic `Array#map` utility function.
* @private
* @param {Array} array The array to iterate over.
* @param {Function} callback The function that gets called for every array
* item.
* @returns {Array} A new array of values returned by the callback function.
*/
function map(array, fn) {
var length = array.length;
var result = [];
while (length--) {
result[length] = fn(array[length]);
}
return result;
}
/**
* A simple `Array#map`-like wrapper to work with domain name strings or email
* addresses.
* @private
* @param {String} domain The domain name or email address.
* @param {Function} callback The function that gets called for every
* character.
* @returns {Array} A new string of characters returned by the callback
* function.
*/
function mapDomain(string, fn) {
var parts = string.split('@');
var result = '';
if (parts.length > 1) {
// In email addresses, only the domain name should be punycoded. Leave
// the local part (i.e. everything up to `@`) intact.
result = parts[0] + '@';
string = parts[1];
}
// Avoid `split(regex)` for IE8 compatibility. See #17.
string = string.replace(regexSeparators, '\x2E');
var labels = string.split('.');
var encoded = map(labels, fn).join('.');
return result + encoded;
}
/**
* Creates an array containing the numeric code points of each Unicode
* character in the string. While JavaScript uses UCS-2 internally,
* this function will convert a pair of surrogate halves (each of which
* UCS-2 exposes as separate characters) into a single code point,
* matching UTF-16.
* @see `punycode.ucs2.encode`
* @see <https://mathiasbynens.be/notes/javascript-encoding>
* @memberOf punycode.ucs2
* @name decode
* @param {String} string The Unicode input string (UCS-2).
* @returns {Array} The new array of code points.
*/
function ucs2decode(string) {
var output = [],
counter = 0,
length = string.length,
value,
extra;
while (counter < length) {
value = string.charCodeAt(counter++);
if (value >= 0xD800 && value <= 0xDBFF && counter < length) {
// high surrogate, and there is a next character
extra = string.charCodeAt(counter++);
if ((extra & 0xFC00) == 0xDC00) { // low surrogate
output.push(((value & 0x3FF) << 10) + (extra & 0x3FF) + 0x10000);
} else {
// unmatched surrogate; only append this code unit, in case the next
// code unit is the high surrogate of a surrogate pair
output.push(value);
counter--;
}
} else {
output.push(value);
}
}
return output;
}
/**
* Creates a string based on an array of numeric code points.
* @see `punycode.ucs2.decode`
* @memberOf punycode.ucs2
* @name encode
* @param {Array} codePoints The array of numeric code points.
* @returns {String} The new Unicode string (UCS-2).
*/
function ucs2encode(array) {
return map(array, function(value) {
var output = '';
if (value > 0xFFFF) {
value -= 0x10000;
output += stringFromCharCode(value >>> 10 & 0x3FF | 0xD800);
value = 0xDC00 | value & 0x3FF;
}
output += stringFromCharCode(value);
return output;
}).join('');
}
/**
* Converts a basic code point into a digit/integer.
* @see `digitToBasic()`
* @private
* @param {Number} codePoint The basic numeric code point value.
* @returns {Number} The numeric value of a basic code point (for use in
* representing integers) in the range `0` to `base - 1`, or `base` if
* the code point does not represent a value.
*/
function basicToDigit(codePoint) {
if (codePoint - 48 < 10) {
return codePoint - 22;
}
if (codePoint - 65 < 26) {
return codePoint - 65;
}
if (codePoint - 97 < 26) {
return codePoint - 97;
}
return base;
}
/**
* Converts a digit/integer into a basic code point.
* @see `basicToDigit()`
* @private
* @param {Number} digit The numeric value of a basic code point.
* @returns {Number} The basic code point whose value (when used for
* representing integers) is `digit`, which needs to be in the range
* `0` to `base - 1`. If `flag` is non-zero, the uppercase form is
* used; else, the lowercase form is used. The behavior is undefined
* if `flag` is non-zero and `digit` has no uppercase form.
*/
function digitToBasic(digit, flag) {
// 0..25 map to ASCII a..z or A..Z
// 26..35 map to ASCII 0..9
return digit + 22 + 75 * (digit < 26) - ((flag != 0) << 5);
}
/**
* Bias adaptation function as per section 3.4 of RFC 3492.
* https://tools.ietf.org/html/rfc3492#section-3.4
* @private
*/
function adapt(delta, numPoints, firstTime) {
var k = 0;
delta = firstTime ? floor(delta / damp) : delta >> 1;
delta += floor(delta / numPoints);
for (/* no initialization */; delta > baseMinusTMin * tMax >> 1; k += base) {
delta = floor(delta / baseMinusTMin);
}
return floor(k + (baseMinusTMin + 1) * delta / (delta + skew));
}
/**
* Converts a Punycode string of ASCII-only symbols to a string of Unicode
* symbols.
* @memberOf punycode
* @param {String} input The Punycode string of ASCII-only symbols.
* @returns {String} The resulting string of Unicode symbols.
*/
function decode(input) {
// Don't use UCS-2
var output = [],
inputLength = input.length,
out,
i = 0,
n = initialN,
bias = initialBias,
basic,
j,
index,
oldi,
w,
k,
digit,
t,
/** Cached calculation results */
baseMinusT;
// Handle the basic code points: let `basic` be the number of input code
// points before the last delimiter, or `0` if there is none, then copy
// the first basic code points to the output.
basic = input.lastIndexOf(delimiter);
if (basic < 0) {
basic = 0;
}
for (j = 0; j < basic; ++j) {
// if it's not a basic code point
if (input.charCodeAt(j) >= 0x80) {
error('not-basic');
}
output.push(input.charCodeAt(j));
}
// Main decoding loop: start just after the last delimiter if any basic code
// points were copied; start at the beginning otherwise.
for (index = basic > 0 ? basic + 1 : 0; index < inputLength; /* no final expression */) {
// `index` is the index of the next character to be consumed.
// Decode a generalized variable-length integer into `delta`,
// which gets added to `i`. The overflow checking is easier
// if we increase `i` as we go, then subtract off its starting
// value at the end to obtain `delta`.
for (oldi = i, w = 1, k = base; /* no condition */; k += base) {
if (index >= inputLength) {
error('invalid-input');
}
digit = basicToDigit(input.charCodeAt(index++));
if (digit >= base || digit > floor((maxInt - i) / w)) {
error('overflow');
}
i += digit * w;
t = k <= bias ? tMin : (k >= bias + tMax ? tMax : k - bias);
if (digit < t) {
break;
}
baseMinusT = base - t;
if (w > floor(maxInt / baseMinusT)) {
error('overflow');
}
w *= baseMinusT;
}
out = output.length + 1;
bias = adapt(i - oldi, out, oldi == 0);
// `i` was supposed to wrap around from `out` to `0`,
// incrementing `n` each time, so we'll fix that now:
if (floor(i / out) > maxInt - n) {
error('overflow');
}
n += floor(i / out);
i %= out;
// Insert `n` at position `i` of the output
output.splice(i++, 0, n);
}
return ucs2encode(output);
}
/**
* Converts a string of Unicode symbols (e.g. a domain name label) to a
* Punycode string of ASCII-only symbols.
* @memberOf punycode
* @param {String} input The string of Unicode symbols.
* @returns {String} The resulting Punycode string of ASCII-only symbols.
*/
function encode(input) {
var n,
delta,
handledCPCount,
basicLength,
bias,
j,
m,
q,
k,
t,
currentValue,
output = [],
/** `inputLength` will hold the number of code points in `input`. */
inputLength,
/** Cached calculation results */
handledCPCountPlusOne,
baseMinusT,
qMinusT;
// Convert the input in UCS-2 to Unicode
input = ucs2decode(input);
// Cache the length
inputLength = input.length;
// Initialize the state
n = initialN;
delta = 0;
bias = initialBias;
// Handle the basic code points
for (j = 0; j < inputLength; ++j) {
currentValue = input[j];
if (currentValue < 0x80) {
output.push(stringFromCharCode(currentValue));
}
}
handledCPCount = basicLength = output.length;
// `handledCPCount` is the number of code points that have been handled;
// `basicLength` is the number of basic code points.
// Finish the basic string - if it is not empty - with a delimiter
if (basicLength) {
output.push(delimiter);
}
// Main encoding loop:
while (handledCPCount < inputLength) {
// All non-basic code points < n have been handled already. Find the next
// larger one:
for (m = maxInt, j = 0; j < inputLength; ++j) {
currentValue = input[j];
if (currentValue >= n && currentValue < m) {
m = currentValue;
}
}
// Increase `delta` enough to advance the decoder's <n,i> state to <m,0>,
// but guard against overflow
handledCPCountPlusOne = handledCPCount + 1;
if (m - n > floor((maxInt - delta) / handledCPCountPlusOne)) {
error('overflow');
}
delta += (m - n) * handledCPCountPlusOne;
n = m;
for (j = 0; j < inputLength; ++j) {
currentValue = input[j];
if (currentValue < n && ++delta > maxInt) {
error('overflow');
}
if (currentValue == n) {
// Represent delta as a generalized variable-length integer
for (q = delta, k = base; /* no condition */; k += base) {
t = k <= bias ? tMin : (k >= bias + tMax ? tMax : k - bias);
if (q < t) {
break;
}
qMinusT = q - t;
baseMinusT = base - t;
output.push(
stringFromCharCode(digitToBasic(t + qMinusT % baseMinusT, 0))
);
q = floor(qMinusT / baseMinusT);
}
output.push(stringFromCharCode(digitToBasic(q, 0)));
bias = adapt(delta, handledCPCountPlusOne, handledCPCount == basicLength);
delta = 0;
++handledCPCount;
}
}
++delta;
++n;
}
return output.join('');
}
/**
* Converts a Punycode string representing a domain name or an email address
* to Unicode. Only the Punycoded parts of the input will be converted, i.e.
* it doesn't matter if you call it on a string that has already been
* converted to Unicode.
* @memberOf punycode
* @param {String} input The Punycoded domain name or email address to
* convert to Unicode.
* @returns {String} The Unicode representation of the given Punycode
* string.
*/
function toUnicode(input) {
return mapDomain(input, function(string) {
return regexPunycode.test(string)
? decode(string.slice(4).toLowerCase())
: string;
});
}
/**
* Converts a Unicode string representing a domain name or an email address to
* Punycode. Only the non-ASCII parts of the domain name will be converted,
* i.e. it doesn't matter if you call it with a domain that's already in
* ASCII.
* @memberOf punycode
* @param {String} input The domain name or email address to convert, as a
* Unicode string.
* @returns {String} The Punycode representation of the given domain name or
* email address.
*/
function toASCII(input) {
return mapDomain(input, function(string) {
return regexNonASCII.test(string)
? 'xn--' + encode(string)
: string;
});
}
/*--------------------------------------------------------------------------*/
/** Define the public API */
punycode = {
/**
* A string representing the current Punycode.js version number.
* @memberOf punycode
* @type String
*/
'version': '1.4.1',
/**
* An object of methods to convert from JavaScript's internal character
* representation (UCS-2) to Unicode code points, and back.
* @see <https://mathiasbynens.be/notes/javascript-encoding>
* @memberOf punycode
* @type Object
*/
'ucs2': {
'decode': ucs2decode,
'encode': ucs2encode
},
'decode': decode,
'encode': encode,
'toASCII': toASCII,
'toUnicode': toUnicode
};
/** Expose `punycode` */
// Some AMD build optimizers, like r.js, check for specific condition patterns
// like the following:
if (
typeof define == 'function' &&
typeof define.amd == 'object' &&
define.amd
) {
define('punycode', function() {
return punycode;
});
} else if (freeExports && freeModule) {
if (module.exports == freeExports) {
// in Node.js, io.js, or RingoJS v0.8.0+
freeModule.exports = punycode;
} else {
// in Narwhal or RingoJS v0.7.0-
for (key in punycode) {
punycode.hasOwnProperty(key) && (freeExports[key] = punycode[key]);
}
}
} else {
// in Rhino or a web browser
root.punycode = punycode;
}
}(this));
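Review bot: decode() reports malformed input only through error('not-basic'), error('invalid-input') and error('overflow'), and toUnicode()/toASCII() pass the label straight to decode()/encode() with no guard. If error() throws, as these call sites imply, every caller in this commit that feeds a hostname from a page-supplied URL into toUnicode() needs its own try/catch, or a malformed xn-- label will abort whatever handler was running. The 'version': '1.4.1' line also identifies this as a vendored third-party file, so the commit message or a header comment should record where the copy was taken from, to let later updates be diffed against upstream.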


@ -0,0 +1,20 @@
Copyright Mathias Bynens <https://mathiasbynens.be/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

46
src/lib/tld.js Normal file

File diff suppressed because one or more lines are too long

6
src/lib/uuid.js Normal file

@ -0,0 +1,6 @@
'use strict';
function uuid() {
return ([1e7]+-1e3+-4e3+-8e3+-1e11).replace(/[018]/g,
c => (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4)
.toString(16));
}
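Review bot: Missing documentation on the uuid() one-liner, whose result depends on two things a reader cannot see at a glance. First, `[1e7]+-1e3+-4e3+-8e3+-1e11` coerces to the template string "10000000-1000-4000-8000-100000000000". Second, operator precedence in `c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4` (shift, then AND, then XOR) is what keeps the version digit 4 fixed and restricts the variant digit to 8..b. A short comment stating that this yields a version 4 UUID from crypto.getRandomValues(), plus parentheses around `15 >> c / 4`, would make the function safe to touch later. Drawing one Uint8Array per replaced digit works, but a single 16-byte draw would be clearer.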

101
src/manifest.json Normal file

@ -0,0 +1,101 @@
{
"manifest_version": 2,
"default_locale": "en",
"name": "NoScript",
"applications": {
"gecko": {
"id": "{73a6fe31-595d-460b-a920-fcc0f8843232}",
"strict_min_version": "59.0"
}
},
"version": "10.1.8.3rc4",
"description": "__MSG_Description__",
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'none'",
"icons": {
"48": "img/icon48.png",
"96": "img/icon96.png",
"256": "img/icon256.png"
},
"permissions": [
"contextMenus",
"privacy",
"storage",
"tabs",
"unlimitedStorage",
"webNavigation",
"webRequest",
"webRequestBlocking",
"<all_urls>"
],
"background": {
"persistent": true,
"scripts": [
"lib/uuid.js",
"lib/log.js",
"lib/include.js",
"lib/punycode.js",
"lib/tld.js",
"common/Policy.js",
"common/locale.js",
"common/Entities.js",
"common/SyntaxChecker.js",
"common/Storage.js",
"ui/Prompts.js",
"xss/XSS.js",
"bg/main.js"
]
},
"content_scripts": [
{
"run_at": "document_start",
"matches": ["<all_urls>"],
"match_about_blank": true,
"all_frames": true,
"js": [
"lib/log.js",
"content/onScriptDisabled.js",
"content/content.js",
"content/PlaceHolder.js"
]
},
{
"matches": ["<all_urls>"],
"match_about_blank": true,
"all_frames": true,
"css": [
"/content/content.css"
]
}
],
"options_ui": {
"page": "ui/options.html",
"open_in_tab": true
},
"browser_action": {
"default_area": "navbar",
"default_title": "NoScript",
"default_icon": {
"64": "img/ui-maybe64.png"
}
},
"commands": {
"_execute_browser_action": {
"suggested_key": {
"default": "Alt+Shift+N"
}
},
"togglePermissions": {
"suggested_key": {
"default": "Ctrl+Shift+T"
}
}
}
}
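Review bot: The content_security_policy line allows 'unsafe-eval' in script-src for the extension's own pages, in an add-on that also requests "<all_urls>", "webRequest" and "webRequestBlocking". Nothing in the manifest says which script needs eval. Please either name the consumer in the commit message or drop the keyword and keep "script-src 'self'; object-src 'none'", because any string that reaches eval() or new Function() in a background or UI page would run with these permissions.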

29
src/test/Policy_test.js Normal file

@ -0,0 +1,29 @@
{
let p1 = new Policy();
p1.set("noscript.net", new Permissions(["script"], true));
p1.set("https://noscript.net", new Permissions(["script", "object"]));
p1.set("maone.net", p1.TRUSTED.tempTwin);
p1.set(Sites.secureDomainKey("secure.informaction.com"), p1.TRUSTED);
p1.set("https://flashgot.net", p1.TRUSTED);
p1.set("http://flashgot.net", p1.UNTRUSTED);
p1.set("perchè.com", p1.TRUSTED);
let p2 = new Policy(p1.dry());
debug("p1", JSON.stringify(p1.dry()));
debug("p2", JSON.stringify(p2.dry()));
for(let t of [
() => p2.can("https://noscript.net"),
() => !p2.can("http://noscript.net"),
() => p2.can("https://noscript.net", "object"),
() => p1.snapshot !== p2.snapshot,
() => JSON.stringify(p1.dry()) === JSON.stringify(p2.dry()),
() => p1.can("http://perchè.com/test") /* IDN encoding */,
() => Sites.toExternal(new URL("https://perché.com/test")) ===
"https://perché.com/test" /* IDN decoding */,
() => !p1.can("http://secure.informaction.com"),
() => p1.can("https://secure.informaction.com"),
() => p1.can("https://www.secure.informaction.com"),
]) Test.run(t);
Test.report();
}
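Review bot: Test.report() is called synchronously right after the `for(let t of [...]) Test.run(t);` loop, but Test.run() is async and only increments passed/failed after `await test()`, so the report is logged before any counter has changed. Collect the promises and report afterwards, as XSS_test.js does with Promise.all(...).then(() => Test.report()). Separately, the policy entry and the "IDN encoding" check use "perchè.com" (grave accent) while the "IDN decoding" check uses "perché.com" (acute accent). If that difference is not intentional, use one spelling so both checks exercise the same label.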

43
src/test/Test.js Normal file

@ -0,0 +1,43 @@
var Test = (() => {
'use strict';
return {
passed: 0,
failed: 0,
async include(tests) {
for(let test of tests) {
let src = `/test/${test}_test.js`;
log(`Testing ${test}`);
this.passed = this.failed = 0;
try {
await include(src);
} catch (e) {
// we might omit some tests in publicly available code for Security
// reasons, e.g. XSS_test.js
log("Missing test ", test);
continue;
}
}
},
async run(test, msg = "", callback = null) {
let r = false;
try {
r = await test();
} catch(e) {
error(e);
}
this[r ? "passed" : "failed"]++;
log(`${r ? "PASSED" : "FAILED"} ${msg || uneval(test)}`);
if (typeof callback === "function") try {
callback(r, test, msg);
} catch(e) {
error(e);
}
},
report() {
let {passed, failed} = this;
log(`FAILED: ${failed}, PASSED: ${passed}, TOTAL ${passed + failed}.`);
}
};
})();
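Review bot: The catch block in include() treats every exception from `await include(src)` as "Missing test", so a test file that exists but fails to parse or throws while loading is logged the same way as an intentionally omitted one. Log the exception (or distinguish a load failure from a runtime error) so a broken XSS_test.js cannot pass unnoticed as "missing". Also note that `this.passed = this.failed = 0` resets the counters for each file while report() is left to the test files themselves, which only works if every test file calls it after its runs have settled.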

16
src/test/XSS_test.js Normal file

@ -0,0 +1,16 @@
{
let y = async (url, originUrl = '') => await XSS.maybe({originUrl, url, method: "GET"});
let n = async (...args) => !await y(...args);
Promise.all([
() => y("https://noscript.net/<script"),
() => n("https://noscript.net/<script", "https://noscript.net/"),
() => y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"),
() => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3Ejavascrip%3Cx%3Et:alert(%3Cx%3E1)%3C/p%3E%3Cmath%3E%3Ca%20href=%22%23*/=x.innerText,a%22%20xml:base=javascript:location/*%3EClick%20HERE"),
() => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23%250ax.innerText%20xml:base=javascript:%3C!--%3EClick%20HERE"),
() => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23*/x.innerText%20xml:base=%01javascript:/*%3EClick%20HERE"),
() => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
() => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
() => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
].map(t => Test.run(t))
).then(() => Test.report());
}
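Review bot: Only one of the nine cases asserts a negative result, the same-origin `n("https://noscript.net/<script", "https://noscript.net/")` call, so a filter that flagged every cross-origin request would still pass this file. Add `n(...)` cases for ordinary cross-origin URLs with benign query strings, so that false positives are caught as well as misses. Passing a short `msg` to Test.run() would also keep the log readable, since the default label is uneval(test) and these URLs are long.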

8
src/test/run.js Normal file

@ -0,0 +1,8 @@
(async () => {
await include("/test/Test.js");
Test.include([
"Policy",
"XSS",
"embargoed/XSS",
]);
})();
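Review bot: `Test.include([...])` is not awaited inside the async wrapper, so a rejection from it becomes an unhandled promise rejection and the wrapper resolves before any test file has loaded. Use `await Test.include([...])` and add a catch that logs the failure. A one-line comment that "embargoed/XSS" is expected to be absent from public builds would explain the "Missing test" log entry it produces.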

101
src/ui/Prompts.js Normal file

@ -0,0 +1,101 @@
var Prompts = (() => {
var promptData;
var backlog = [];
class WindowManager {
async open(data) {
promptData = data;
this.close();
this.currentWindow = await browser.windows.create({
url: browser.extension.getURL("ui/prompt.html"),
type: "panel",
allowScriptsToClose: true,
// titlePreface: "NoScript ",
width: data.features.width,
height: data.features.height,
});
}
async close() {
if (this.currentWindow) {
try {
await browser.windows.remove(this.currentWindow.id);
} catch (e) {
debug(e);
}
this.currentWindow = null;
}
}
async focus() {
if (this.currentWindow) {
try {
await browser.windows.update(this.currentWindow.id,
{
focused: true,
}
);
} catch (e) {
error(e, "Focusing popup window");
}
}
}
}
var winMan = new WindowManager();
var Prompts = {
DEFAULTS: {
title: "",
message: "Proceed?",
options: [],
checks: [],
buttons: [_("Ok"), _("Cancel")],
multiple: "close", // or "queue", or "focus"
width: 400,
height: 300,
},
async prompt(features) {
features = Object.assign({}, this.DEFAULTS, features || {});
return new Promise((resolve, reject) => {
let data = {
features,
result: {
button: -1,
checks: [],
option: null,
},
done() {
this.done = () => {};
winMan.close();
resolve(this.result);
if (backlog.length) {
winMan.open(backlog.shift());
} else {
promptData = null;
}
}
};
if (promptData) {
backlog.push(data);
switch(promptData.features.multiple) {
case "focus":
winMan.focus();
case "queue":
break;
default:
promptData.done();
}
} else {
winMan.open(data);
}
});
},
get promptData() {
return promptData;
}
}
return Prompts;
})();
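Review bot: WindowManager.open() calls `this.close();` without awaiting it, and close() sets `this.currentWindow = null` only after `await browser.windows.remove(...)`. If windows.create() resolves first, the handle to the newly opened prompt is overwritten with null, and later close() and focus() calls silently do nothing while the prompt stays open. Use `await this.close();` before creating the new window. In prompt(), the "focus" case falls through into "queue" with no comment, so mark that as intentional. The `reject` parameter is never used, which means a failure in winMan.open() leaves the returned promise pending forever.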

187
src/ui/options.css Normal file
View File

@ -0,0 +1,187 @@
/* @import url("chrome://browser/content/extension.css"); */
body {
background: #eee url("/img/noscript-options.png") no-repeat fixed top right;
background-size: 8em;
padding: 0 2em 0 0;
margin: 0.5em 0.5em 0.5em 0.5em;
}
.mobile body {
background-size: 4em;
padding-right: 0;
}
#header {
display: flex;
flex-flow: column;
padding: 0;
margin: 0 6em 0 0;
text-align: right;
}
#header h1 {
color: #048;
text-shadow: 0.06em 0.06em 0.06em rgba(0,0,0,.5);
font-size: 2em;
padding: 0;
margin: 0;
text-align: right;
}
#version {
color: #048;
font-size: 0.75em;
padding: 0;
margin: 0 0 0.5em;
display: block;
text-align: right;
}
.buttons {
display: flex;
flex-flow: row wrap;
justify-content: flex-end;
width: 100%;
text-align: right;
}
#sect-general {
display: flex;
flex-direction: column;
justify-content: space-around;
font-size: 1em;
}
#sect-general label, #sect-general button, #sect-general span {
white-space: nowrap;
}
.opt-group {
display: flex;
flex-flow: row wrap;
justify-content: flex-start;
border-bottom: 1px solid rgba(255, 255, 255, .5);
padding: .5em 0;
}
.opt-group:last-child {
border-bottom: none;
margin-bottom: .5em;
}
section form, section fieldset {
margin: .5em 0;
}
fieldset:disabled {
opacity: .5;
}
.opt-group > span {
margin: 0 .5em;
}
.sect-sites form {
display: flex;
align-items: baseline;
flex-wrap: wrap;
justify-content: space-between;
}
.sect-sites form > label {
white-space: nowrap;
}
#newsite {
flex: 2 2;
}
#policy {
display: block;
margin-top: .5em;
min-height: 20em;
width: 90%;
}
.hide, div.debug {
display: none;
}
body.debug div.debug {
display: initial;
}
.error {
background: #ff8;
color: red;
}
#policy-error {
background: red;
color: #ff8;
padding: 0;
margin: 0;
font-weight: bold;
}
input, button {
font-size: 1em;
}
button.add {
font-weight: bold;
}
input[type="file"] {
display: none;
}
.opt-group {
padding: 0.5em 0;
}
#xssFaq {
padding: 0.5em 1em;
}
#clearclick-options {
display: none;
}
.flextabs__tab {
/* shift all tabs to appear before content */
order: -1;
/* let tabs scale to fit multiple on each row */
width: auto;
margin: 0;
}
.flextabs__content--active {
/* ignore states activated for multi (accordion) toggle view */
display: none;
}
.flextabs__content--active--last {
/* show the last activated item */
display: block;
}
.flextabs__content, .flextabs__toggle[aria-expanded="true"] {
background-color: rgba(200, 200, 200, .5) !important;
border: 0 solid #888;
}
.flextabs__toggle {
-moz-appearance: none;
border-width: 0 1px 0 0 !important;
margin: 0 4px 0 0;
background: #ccc;
outline-width: 1px 0 0 0 !important;
}
.flextabs__content {
border-width: 0 1px 1px 0;
border-radius: 0 .5em 0 0;
padding: .5em;
}
.flextabs__toggle {
border-radius: .2em .2em 0 0;
padding: .2em .4em;
}
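Review bot: `outline-width: 1px 0 0 0 !important;` in the first .flextabs__toggle rule is not valid, because outline-width takes a single value, so the declaration is dropped by the parser. Use one value or switch to a border if a top-only line is wanted. The sheet also declares .opt-group twice with the same padding (".5em 0" and "0.5em 0") and splits .flextabs__toggle and .flextabs__content across two rules each. Merging them would make later overrides easier to follow.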

125
src/ui/options.html Normal file

@ -0,0 +1,125 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>NoScript Settings</title>
<meta charset="utf-8">
<link rel="icon" href="/img/noscript-options.png">
<link rel="stylesheet" href="/lib/flextabs.css" />
<link rel="stylesheet" href="options.css" />
<link rel="stylesheet" href="whirlpool.css" />
<script src="/lib/include.js"></script>
<script src="/lib/log.js"></script>
<script src="/lib/flextabs.js"></script>
<script src="/common/locale.js"></script>
<script src="/ui/ui.js"></script>
</head>
<body>
<div id="header">
<h1 >
NoScript Options
</h1>
<div>
<span id="version"></span>
</div>
<div class="buttons">
<span><input id="file-import" type="file"/></span>
<button id="btn-import" accesskey="__MSG_Import_accesskey__">__MSG_Import__</button>
<button id="btn-export" accesskey="__MSG_Export_accesskey__">__MSG_Export__</button>
<button id="btn-reset" accesskey="__MSG_Reset_accesskey__">__MSG_Reset__</button>
</div>
</div>
<section id="sect-io">
</section>
<div id="main-tabs" class="flextabs">
<h3 class="flextabs__tab"><button class="flextabs__toggle">__MSG_SectionGeneral__</button></h3>
<div class="flextabs__content flextabs__content--active--last">
<section id="sect-general">
<div class="opt-group">
<span id="global-opt">
<input type="checkbox" id="opt-global"><label for="opt-global" id="lbl-global">__MSG_NoEnforcement__</label>
</span>
<span id="auto-opt">
<input type="checkbox" class="enforcement_required" id="opt-auto"><label for="opt-auto" id="lbl-auto">__MSG_AutoAllowTopLevel__</label>
</span>
</div>
<fieldset class="enforcement_required">
<legend accesskey="__MSG_CustomizePresets_accesskey__">__MSG_CustomizePresets__</legend>
<div id="presets"></div>
</fieldset>
</section>
</div>
<h3 class="flextabs__tab"><button class="flextabs__toggle enforcement_required">__MSG_SectionSitePermissions__</button></h3>
<div class="flextabs__content">
<section class="sect-sites">
<form id="form-newsite" class="browser-style" >
<label id="newsite-label" for="newsite" accesskey="__MSG_WebAddress_accesskey__">__MSG_WebAddress__</label><input name="newsite" id="newsite" type="text" placeholder="[https://]noscript.net"
><button class="add">+</button>
</form>
<div id="sites">
<div class="cssload-container">
<div class="cssload-whirlpool"></div>
</div>
</div>
</section>
</div>
<h3 class="flextabs__tab appearance_tab"><button class="flextabs__toggle">__MSG_SectionAppearance__</button></h3>
<div class="flextabs__content appearance_tab">
<div class="opt-group desktop">
<span id="showCtxMenuItem-opt">
<input type="checkbox" id="opt-showCtxMenuItem">
<label for="opt-showCtxMenuItem" id="lbl-showCtxMenuItem">__MSG_ShowCtxMenuItem__</label>
</span>
</div>
<div class="opt-group desktop">
<span id="showCountBadge-opt">
<input type="checkbox" id="opt-showCountBadge">
<label for="opt-showCountBadge" id="lbl-showCountBadge">__MSG_ShowCountBadge__</label>
</span>
</div>
<div class="opt-group">
<span id="showFullAddresses-opt">
<input type="checkbox" id="opt-showFullAddresses">
<label for="opt-showFullAddresses" id="lbl-showFullAddresses">__MSG_ShowFullAddresses__</label>
</span>
</div>
</div>
<h3 class="flextabs__tab"><button class="flextabs__toggle">__MSG_SectionAdvanced__</button></h3>
<div class="flextabs__content">
<div class="opt-group">
<span id="xss-opts">
<input type="checkbox" id="opt-xss"><label for="opt-xss" id="lbl-xss">__MSG_OptFilterXGet__</label>
<span id="xssFaq">(<a href="https://noscript.net/faq#xss" title="https://noscript.net/faq#xss">__MSG_XssFaq__</a>)</span>
</span>
<button id="btn-delete-xss-choices" disabled>__MSG_XSS_clearUserChoices__</button>
</div>
<div id="clearclick-options" class="opt-group">
<input type="checkbox" id="opt-clearclick"><label for="opt-clearclick" id="lbl-clearclick">ClearClick</label>
</div>
<section id="debug" class="browser-style">
<div class="opt-group">
<span><input type="checkbox" id="opt-debug"><label id="label-debug" for="opt-debug">Debug</label></span>
</div>
<div id="debug-tools" class="debug browser-style">
<label for="policy">Policy:</label>
<div id="policy-error"></div>
<textarea id="policy" class="browser-style">
</textarea>
</div>
</section>
</div>
</div>
<script src="/lib/persistent-tabs.js"></script>
<script src="options.js"></script>
</body>
</html>
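Review bot: `<meta charset="utf-8">` comes after `<title>` in the head. Move it to be the first child of `<head>` so the encoding is declared before any text content is parsed. The file input `<input id="file-import" type="file"/>` has no accept attribute. Since the export in options.js writes "noscript_data.txt" as text/plain, adding a matching accept hint would steer the picker towards the right kind of file.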

220
src/ui/options.js Normal file

@ -0,0 +1,220 @@
'use strict';
(async () => {
await UI.init();
let policy = UI.policy;
let version = browser.runtime.getManifest().version;
document.querySelector("#version").textContent = _("Version", version);
// simple general options
opt("global", o => {
if (o) {
policy.enforced = !o.checked;
UI.updateSettings({policy});
}
let {enforced} = policy;
let disabled = !enforced;
for (let e of document.querySelectorAll(".enforcement_required")) {
e.disabled = disabled;
}
return disabled;
});
opt("auto", o => {
if (o) {
policy.autoAllowTop = o.checked;
UI.updateSettings({policy});
}
return policy.autoAllowTop;
});
opt("xss");
{
let button = document.querySelector("#btn-reset");
button.onclick = async () => {
if (confirm(_("reset_warning"))) {
policy = new Policy();
await UI.updateSettings({policy, local: null, sync: null, xssUserChoices: {}});
window.location.reload();
}
}
let fileInput = document.querySelector("#file-import");
fileInput.onchange = () => {
let fr = new FileReader();
fr.onload = async () => {
try {
await UI.importSettings(fr.result);
} catch (e) {
error(e, "Importing settings %s", fr.result);
}
location.reload();
}
fr.readAsText(fileInput.files[0]);
}
button = document.querySelector("#btn-import");
button.onclick = () => fileInput.click();
document.querySelector("#btn-export").addEventListener("click", async e => {
let button = e.target;
button.disabled = true;
let settings = await UI.exportSettings();
let f = document.createElement("iframe");
f.srcdoc = `<a download="noscript_data.txt" target="_blank">NoScript Export</a>`;
f.style.position = "fixed";
f.style.top = "-999px";
f.style.height = "1px";
f.onload = () => {
let w = f.contentWindow;
let a = w.document.querySelector("a");
a.href = w.URL.createObjectURL(new w.Blob([settings], {
type: "text/plain"
}));
a.click();
setTimeout(() => {
f.remove();
button.disabled = false;
}, 1000);
};
document.body.appendChild(f);
});
}
{
let a = document.querySelector("#xssFaq a");
a.onclick = e => {
e.preventDefault();
browser.tabs.create({
url: a.href
});
}
let button = document.querySelector("#btn-delete-xss-choices");
let choices = UI.xssUserChoices;
button.disabled = Object.keys(choices).length === 0;
button.onclick = () => {
UI.updateSettings({
xssUserChoices: {}
});
button.disabled = true
};
}
opt("clearclick");
opt("debug", "local", b => {
document.body.classList.toggle("debug", b);
if (b) updateRawPolicyEditor();
});
// Appearance
opt("showCountBadge", "local");
opt("showCtxMenuItem", "local");
opt("showFullAddresses", "local");
// PRESET CUSTOMIZER
{
let parent = document.getElementById("presets");
let presetsUI = new UI.Sites(parent,
{"DEFAULT": true, "TRUSTED": true, "UNTRUSTED": true});
presetsUI.render([""]);
window.setTimeout(() => {
let def = parent.querySelector('input.preset[value="DEFAULT"]');
def.checked = true;
def.click();
}, 10);
}
// SITES UI
let sitesUI = new UI.Sites(document.getElementById("sites"));
{
sitesUI.onChange = () => {
if (UI.local.debug) {
updateRawPolicyEditor();
}
};
let sites = policy.sites;
sitesUI.render(sites);
let newSiteForm = document.querySelector("#form-newsite");
let newSiteInput = newSiteForm.newsite;
let button = newSiteForm.querySelector("button");
let canAdd = s => policy.get(s).siteMatch === null;
let validate = () => {
let site = newSiteInput.value.trim();
button.disabled = !(Sites.isValid(site) && canAdd(site));
sitesUI.filterSites(site);
}
validate();
newSiteInput.addEventListener("input", validate);
newSiteForm.addEventListener("submit", e => {
e.preventDefault();
e.stopPropagation();
let site = newSiteInput.value.trim();
let valid = Sites.isValid(site);
if (valid && canAdd(site)) {
policy.set(site, policy.TRUSTED);
UI.updateSettings({policy});
newSiteInput.value = "";
sitesUI.render(policy.sites);
sitesUI.highlight(site);
sitesUI.onChange();
}
}, true);
}
// UTILITY FUNCTIONS
async function opt(name, storage = "sync", onchange) {
let input = document.querySelector(`#opt-${name}`);
if (!input) {
debug("Checkbox not found %s", name);
return;
}
if (typeof storage === "function") {
input.onchange = e => storage(input);
input.checked = storage(null);
} else {
let obj = UI[storage];
if (!obj) log(storage);
input.checked = obj[name];
if (onchange) onchange(input.checked);
input.onchange = async () => {
obj[name] = input.checked;
await UI.updateSettings({[storage]: obj});
if (onchange) onchange(obj[name]);
}
}
}
function updateRawPolicyEditor() {
if (!UI.local.debug) return;
// RAW POLICY EDITING (debug only)
let policyEditor = document.getElementById("policy");
policyEditor.value = JSON.stringify(policy.dry(true), null, 2);
if (!policyEditor.onchange) policyEditor.onchange = (e) => {
let ed = e.currentTarget
try {
policy = new Policy(JSON.parse(ed.value));
UI.updateSettings({policy});
sitesUI.render(policy.sites);
ed.className = "";
document.getElementById("policy-error").textContent = "";
} catch (e) {
error(e);
ed.className = "error";
document.getElementById("policy-error").textContent = e.message;
}
}
}
})();
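Review bot: In the fileInput.onchange handler a failed import is invisible to the user. The catch only calls `error(e, "Importing settings %s", fr.result)` and then `location.reload()` runs unconditionally, so a rejected file looks the same as a successful import. That log call also writes the entire settings file to the console. Show the failure in the page (the #policy-error pattern used by the raw policy editor would do) and log only the exception. Unlike the reset button, import has no confirm() step before it replaces the current policy, which seems worth matching. In updateRawPolicyEditor(), `let ed = e.currentTarget` is missing its semicolon, as is `button.disabled = true` in the XSS choices handler.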

235
src/ui/popup.css Normal file
View File

@ -0,0 +1,235 @@
body {
background: white;
}
#top {
font-size: 1em;
position: relative;
margin: 0;
height: 2.4em;
min-width: 18.75em;
border-bottom: 0.06em solid #eee;
display: flex;
-moz-user-select: none;
}
#top a {
appearance: none !important;
-moz-appearance: none !important;
width: 2em;
height: 2em;
margin: 0.25em;
cursor: pointer;
font-size: 1em;
font-family: sans-serif;
font-weight: bold;
color: black;
background: transparent no-repeat center;
background-size: 100%;
transform: unset;
transition: all 0.3s;
border: none;
display: block;
top: 0;
padding: 0;
text-align: left;
vertical-align: middle;
line-height: 1em;
}
#top > .spacer {
flex-grow: 1;
display: block;
cursor: pointer;
}
#top > .hider.open ~ .spacer {
display: none;
}
.hider {
background: #ccc;
box-shadow: inset 0 1px 3px #444;
border-radius: 1em 1em 0 0;
display: none;
position: relative;
margin: .25em 1.5em;
padding: 0;
height: 2em;
overflow: hidden;
opacity: .5;
}
.hider.open {
display: flex;
flex-grow: 1;
opacity: 1;
padding-left: 2em;
}
.hider:hover {
opacity: 1;
}
.hider:not(.open):not(.empty) {
display: block;
text-align: right;
line-height: 1em;
overflow: hidden;
width: 2em;
}
.reveal {
display: block;
padding: .3em;
margin: 0;
}
.hider.open > .reveal {
display: none !important;
}
.hider:not(.open) > :not(.reveal) {
display: none !important;
}
.hider-label {
position: absolute;
z-index: 100;
top: .5em;
right: .5em;
color: #222;
text-align: right;
vertical-align: middle;
line-height: 100%;
font-size: 1em;
font-weight: bold;
pointer-events: none;
text-shadow: -2px 0 2px white, 2px 0 2px white;
}
.hider-close {
-moz-appearance: none;
appearance: none;
color: black;
background: transparent;
padding: 0;
border-radius: .2em;
border: none;
position: absolute;
left: .2em;
top: 0;
font-size: 1em;
z-index: 100;
vertical-align: middle;
padding: .2em;
}
.hider-close:hover, .reveal:hover {
color: white !important;
text-shadow: -2px 0 2px red, 2px 0 2px red;
}
.hider > .icon {
opacity: .7;
margin: 0 .25em;
padding: 0;
}
#top > a:hover {
transform: scale(1.2);
}
#top a.icon {
text-indent: -500em;
color: transparent;
}
#top #revoke-temp {
background-image: url(/img/ui-revoke-temp64.png);
}
#top #temp-trust-page {
background-image: url(/img/ui-temp-all64.png);
}
#top #enforce-tab {
background-image: url(/img/ui-tab-no64.png);
}
#top #enforce-tab[aria-pressed="true"] {
background-image: url(/img/ui-tab64.png);
}
#top #enforce {
background-image: url(/img/ui-global-no64.png);
}
#top #enforce[aria-pressed="true"] {
background-image: url(/img/ui-global64.png);
}
#top #options {
background-image: url(/img/noscript-options.png);
}
#top #close {
background-image: url(/img/ui-close64.png);
}
#top #reload {
background-image: url(/img/ui-reload64.png);
}
#sites {
margin: 0.5em 0.25em;
}
#content {
text-align: center;
}
#buttons {
text-align: center;
margin: 0.5em;
display: flex;
justify-content: space-around;
}
#buttons button {
flex-grow: 1;
margin: .5em 2em;
}
.disabled .toggle.icon, .toggle.icon:disabled {
opacity: .2;
pointer-events: none;
}
#message {
height: auto;
margin: .5em;
padding: .8em 0 0 2.5em;
background-size: 2em;
background-position: left top;
background-repeat: no-repeat;
min-height: 3em;
transition: height .5s;
font-size: 1.2em;
vertical-align: middle;
}
#message.hidden {
display: none;
height: 0;
min-height: 0;
overflow: hidden;
}
.warning {
background-image: url("/img/warning64.png");
}
.error {
background-image: url("/img/error64.png");
}
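Review bot: .hider-close sets padding twice ("padding: 0;" and later "padding: .2em;"), so the first declaration is dead and should be removed. The prefixed and unprefixed appearance properties are also ordered inconsistently: `appearance` comes before `-moz-appearance` in "#top a" but after it in ".hider-close". Put the prefixed form first in both places so the standard property wins where it is supported.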

41
src/ui/popup.html Normal file
View File

@ -0,0 +1,41 @@
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta charset="utf-8">
<title>NoScript Settings</title>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="popup.css" />
<script src="/lib/include.js"></script>
<script src="/lib/log.js"></script>
<script src="/common/locale.js"></script>
<script src="/ui/ui.js"></script>
</head>
<body>
<div id="main">
<div id="top">
<a aria-role="button" id="close" class="close icon">__MSG_Close__</a>
<a aria-role="button" id="reload" class="reload icon">__MSG_Reload__</a>
<a aria-role="button" id="options" class="options icon">__MSG_Options__</a>
<div class="hider">
<a aria-role="button" class="reveal" title="__MSG_Reveal__">🡆</a>
<div class="hider-label">__MSG_Hider__</div>
<button class="hider-close">🗙</button>
</div>
<div class="spacer"></div>
<a aria-role="button" id="enforce" class="toggle icon"></a>
<a aria-role="button" id="enforce-tab" class="toggle icon"></a>
<a aria-role="button" id="temp-trust-page" class="toggle icon">__MSG_TempTrustPage__</a>
<a aria-role="button" id="revoke-temp" class="toggle icon">__MSG_RevokeTemp__</a>
</div>
<div id="message" class="hidden"></div>
<div id="content"></div>
<div id="sites"></div>
<div id="buttons">
</div>
</div>
<script src="popup.js"></script>
</body>
</html>
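Review bot: The toolbar links use `aria-role="button"`, which is not a recognised attribute. The attribute is `role="button"`, so as written assistive technology sees plain anchors. These `<a>` elements also have no href or tabindex, which leaves them out of the keyboard tab order. Either switch them to `<button>` (as .hider-close already is) or add role="button" and tabindex="0". `<meta charset="utf-8">` appears twice in the head, so drop the second one.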

249
src/ui/popup.js Normal file
View File

@ -0,0 +1,249 @@
'use strict';
var sitesUI;
addEventListener("unload", e => {
if (!UI.initialized) {
browser.runtime.sendMessage({
type: "openStandalonePopup"
});
}
});
(async () => {
function showMessage(className, message) {
let el = document.getElementById("message");
el.textContent = message;
el.className = className;
}
try {
let tabId;
let pendingReload = false;
let isBrowserAction = true;
let optionsClosed = false;
let tab = (await browser.tabs.query({
windowId: browser.windows ?
(await browser.windows.getLastFocused({windowTypes: ["normal"]})).id
: null,
active: true
}))[0];
if (!tab || tab.id === -1) {
log("No tab found to open the UI for");
close();
}
if (tab.url === document.URL) {
isBrowserAction = false;
try {
tabId = parseInt(document.URL.match(/#.*\btab(\d+)/)[1]);
} catch (e) {
close();
}
addEventListener("blur", close);
} else {
tabId = tab.id;
}
await UI.init(tabId);
if (isBrowserAction) {
browser.tabs.onActivated.addListener(e => {
if (e.tabId !== tabId) close();
});
}
await include("/ui/toolbar.js");
{
let clickHandlers = {
"options": e => {
browser.runtime.openOptionsPage();
close();
},
"close": close,
"reload": reload,
"temp-trust-page": e => sitesUI.tempTrustAll(),
"revoke-temp": e => {
UI.revokeTemp();
close();
}
};
for (let [id, handler] of Object.entries(clickHandlers)) {
document.getElementById(id).onclick = handler;
}
}
{
let policy = UI.policy;
let pressed = policy.enforced;
let button = document.getElementById("enforce");
button.setAttribute("aria-pressed", pressed);
button.textContent = button.title = _(pressed ? "NoEnforcement" : "Enforce");
button.onclick = () => {
policy.enforced = !pressed;
UI.updateSettings({policy, reloadAffected: true});
close();
}
}
{
let pressed = !UI.unrestrictedTab;
let button = document.getElementById("enforce-tab");
button.setAttribute("aria-pressed", pressed);
button.textContent = button.title = _(pressed ? "NoEnforcementForTab" : "EnforceForTab");
if (UI.policy.enforced) {
button.onclick = () => {
UI.updateSettings({
unrestrictedTab: pressed,
reloadAffected: true,
});
close();
}
} else {
button.disabled = true;
}
}
let mainFrame = UI.seen && UI.seen.find(thing => thing.request.type === "main_frame");
debug("Seen: %o", UI.seen);
if (!mainFrame) {
if (/^https?:/.test(tab.url) && !tab.url.startsWith("https://addons.mozilla.org/")) {
document.body.classList.add("disabled");
showMessage("warning", _("freshInstallReload"));
let buttons = document.querySelector("#buttons");
let b = document.createElement("button");
b.textContent = _("OK");
b.onclick = document.getElementById("reload").onclick = () => {
reload();
close();
}
buttons.appendChild(b);
b = document.createElement("button");
b.textContent = _("Cancel");
b.onclick = () => close();
buttons.appendChild(b);
return;
}
showMessage("warning", _("privilegedPage"));
document.getElementById("temp-trust-page").disabled = true;
if (!UI.seen) return;
}
let justDomains = !UI.local.showFullAddresses;
sitesUI = new UI.Sites(document.getElementById("sites"));
sitesUI.onChange = (row) => {
pendingReload = !row.temp2perm;
if (optionsClosed) return;
browser.tabs.query({url: browser.runtime.getManifest().options_ui.page })
.then(tabs => {
browser.tabs.remove(tabs.map(t => t.id));
});
optionsClosed = true;
};
initSitesUI();
UI.onSettings = initSitesUI;
function initSitesUI() {
pendingReload = false;
let {
typesMap
} = sitesUI;
typesMap.clear();
let policySites = UI.policy.sites;
let domains = new Map();
function urlToLabel(url) {
let {
origin
} = url;
let match = policySites.match(url);
if (match) return match;
if (domains.has(origin)) {
if (justDomains) return domains.get(origin);
} else {
let domain = tld.getDomain(url.hostname);
domain = url.protocol === "https:" ? Sites.secureDomainKey(domain) : domain;
domains.set(origin, domain);
if (justDomains) return domain;
}
return origin;
}
let seen = UI.seen;
let parsedSeen = seen.map(thing => Object.assign({
type: thing.policyType
}, Sites.parse(thing.request.url)))
.filter(parsed => parsed.url && parsed.url.origin !== "null");
let sitesSet = new Set(
parsedSeen.map(parsed => parsed.label = urlToLabel(parsed.url))
);
if (!justDomains) {
for (let domain of domains.values()) sitesSet.add(domain);
}
let sites = [...sitesSet];
for (let parsed of parsedSeen) {
sites.filter(s => parsed.label === s || domains.get(parsed.url.origin) === s).forEach(m => {
let siteTypes = typesMap.get(m);
if (!siteTypes) typesMap.set(m, siteTypes = new Set());
siteTypes.add(parsed.type);
});
}
sitesUI.mainUrl = new URL(mainFrame.request.url)
sitesUI.mainSite = urlToLabel(sitesUI.mainUrl);
sitesUI.mainDomain = tld.getDomain(sitesUI.mainUrl.hostname);
sitesUI.render(sites);
}
function reload() {
if (sitesUI) sitesUI.clear();
browser.tabs.reload(tabId);
pendingReload = false;
}
function close() {
if (isBrowserAction) {
window.close();
} else {
//browser.windows.remove(tab.windowId);
browser.tabs.remove(tab.id);
}
}
let {
onCompleted
} = browser.webNavigation;
let loadSnapshot = sitesUI.snapshot;
let onCompletedListener = navigated => {
if (navigated.tabId === tabId) {
UI.pullSettings();
}
};
onCompleted.addListener(onCompletedListener, {
url: [{
hostContains: sitesUI.mainDomain
}]
});
addEventListener("unload", e => {
onCompleted.removeListener(onCompletedListener);
debug("pendingReload", pendingReload);
if (pendingReload) {
UI.updateSettings({
policy: UI.policy,
reloadAffected: true,
});
}
}, true);
} catch (e) {
error(e, "Can't open popup");
close();
}
})();
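Review bot: `initSitesUI()` dereferences `mainFrame.request.url` unconditionally, but the privileged-page branch above only returns when `UI.seen` is missing, so a tab with recorded requests and no `main_frame` entry reaches `new URL(mainFrame.request.url)` with `mainFrame` undefined and throws; because `initSitesUI` is also installed as `UI.onSettings`, later calls run outside this `try`. Guard the three `sitesUI.main*` assignments on `mainFrame`. Separately, the `close()` after "No tab found to open the UI for" and the one in the `catch` around the `#...tab(\d+)` parse are not followed by `return`, so execution continues to `tab.url` with `tab` possibly undefined, or to `UI.init(undefined)`. `loadSnapshot` is assigned but never used, and `parseInt` should be given radix 10.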

91
src/ui/prompt.css Normal file

@ -0,0 +1,91 @@
body {
bottom: 8px;
font-family: sans-serif;
font-size: 12px;
color: #222;
}
#header {
text-align: left;
margin: 0;
line-height: 24px;
color: #048;
position: relative;
font-size: 24px;
z-index: 500;
padding: 8px;
display: block;
background: url(/img/icon96.png) no-repeat top right;
height: 96px;
}
#title {
margin-right: 96px;
font-size: 24px;
position: absolute;
bottom: 0;
top: 0;
}
#main {
background: linear-gradient(to bottom, #e4f5fc 0%,#bfe8f9 41%,#9fd8ef 90%,#2ab0ed 100%) no-repeat;
display: flex;
flex-direction: column;
align-items: center;
padding: 120px 16px 16px 16px;
top: 0;
left: 0;
right:0;
bottom: 0;
position: fixed;
justify-content: center;
}
#message {
flex-grow: 1;
width: 100%;
max-height: 300px;
padding: 8px;
text-align: center;
word-break: break-all;
}
#message.multiline {
overflow: auto;
font-size: 12px;
text-align: justify;
margin-bottom: 16px;
background: rgba(255,255,255,.5);
}
#message.multiline p {
margin: 1px;
padding: 0;
}
#options {
display: flex;
flex-grow: 2;
flex-direction: column;
text-align: left;
align-items:baseline;
justify-content: center;
}
#checks {
display: flex;
flex-direction: column;
flex-grow: 1;
text-align: left;
}
#buttons {
width: 100%;
display: flex;
flex-grow: 0;
flex-direction: row;
align-items: center;
margin: 8px;
justify-content: space-around;
}
#buttons button {
min-width: 100px;
}
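Review bot: `bottom: 8px` in the `body` rule has no effect, because this sheet gives `body` no `position` and offsets are ignored on static elements; drop it or express the intended spacing as padding on `#main`. `word-break: break-all` on `#message` also splits ordinary words mid-word; `overflow-wrap: break-word` would break only strings that do not fit, such as long URLs.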

32
src/ui/prompt.html Normal file

@ -0,0 +1,32 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="prompt.css" />
<script src="/lib/include.js"></script>
<script src="/lib/log.js"></script>
<script src="/common/locale.js"></script>
<script src="/ui/resize_hack.js"></script>
</head>
<body>
<div id="header">
<h1 id="title"></h1>
</div>
<div id="main">
<div id="message">
</div>
<div id="options">
<input type="radio">
</div>
<div id="checks">
<input type="checkbox">
</div>
<div id="buttons">
<button id="button0" type="submit">OK</button><button id="button1">Cancel</button>
</div>
</div>
<script src="prompt.js"></script>
</body>
</html>
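Review bot: the placeholder `<input type="radio">`, `<input type="checkbox">` and the `button0`/`button1` pair are never used as shipped, since `renderInputs` in prompt.js overwrites `innerHTML` of `#options`, `#checks` and `#buttons` on load; leave the three containers empty so that a failure in prompt.js does not leave an unlabeled radio and inert OK/Cancel buttons on screen. `<meta charset="utf-8">` is declared twice in the head here as well.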

91
src/ui/prompt.js Normal file

@ -0,0 +1,91 @@
(async () => {
window.bg = await browser.runtime.getBackgroundPage();
["Prompts"]
.forEach(p => window[p] = bg[p]);
let data = Prompts.promptData;
debug(data);
let {title, message, options, checks, buttons} = data.features;
function labelFor(el, text) {
let label = document.createElement("label");
label.setAttribute("for", el.id);
label.textContent = text;
return label;
}
function createInput(container, {label, type, name, checked}, count) {
let input = document.createElement("input");
input.type = type;
input.value = count;
input.name = name;
input.checked = checked;
input.id = `${name}-${count}`;
let sub = document.createElement("div");
sub.appendChild(input);
sub.appendChild(labelFor(input, label));
container.appendChild(sub);
}
function createButton(container, label, count) {
let button = document.createElement("button");
if (count === 0) button.type = "submit";
button.id = `${button}-${count}`;
button.value = count;
button.textContent = label;
container.appendChild(button);
}
function renderInputs(container, dataset, type, name) {
if (typeof container === "string") {
container = document.querySelector(container);
}
if (typeof dataset === "string") {
container.innerHTML = dataset;
return;
}
container.innerHTML = "";
let count = 0;
if (dataset && dataset[Symbol.iterator]) {
let create = type === "button" ? createButton : createInput;
for (let data of dataset) {
data.type = type;
data.name = name;
create(container, data, count++);
}
}
}
if (title) {
document.title = title;
document.querySelector("#title").textContent = title;
}
if (message) {
let lines = message.split(/\n/);
let container = document.querySelector("#message");
container.classList.toggle("multiline", lines.length > 1);
message.innerHTML = "";
for (let l of lines) {
let p = document.createElement("p");
p.textContent = l;
container.appendChild(p);
}
}
renderInputs("#options", options, "radio", "opt");
renderInputs("#checks", checks, "checkbox", "flag");
renderInputs("#buttons", buttons, "button", "button");
addEventListener("unload", e => {
data.done();
});
let buttonClicked = e => {
let {result} = data;
result.button = parseInt(e.currentTarget.value);
let option = document.querySelector('#options [type="radio"]:checked');
result.option = option && parseInt(option.value);
result.checks = [...document.querySelectorAll('#checks [type="checkbox"]:checked')]
.map(c => parseInt(c.value));
data.done();
};
for (let b of document.querySelectorAll("#buttons button")) {
b.addEventListener("click", buttonClicked);
}
})();
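Review bot: in `renderInputs`, `container.innerHTML = dataset` parses any string passed as `options`, `checks` or `buttons` as markup inside an extension page, while every other value in this file goes through `textContent`; if prompt features can ever carry page-derived text (a URL, a site name) this is an injection sink, so build the nodes explicitly or document that only static strings are accepted. Two defects nearby: `message.innerHTML = ""` targets the `message` string rather than `container`, so `#message` is never cleared, and `createButton` builds the id from `${button}`, the element itself, which yields ids like `[object HTMLButtonElement]-0` instead of `button-0`. `data.done()` is called from both the click handler and the `unload` listener, so it should tolerate a second call, and the `parseInt` calls need radix 10.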

15
src/ui/resize_hack.js Normal file

@ -0,0 +1,15 @@
document.addEventListener("DOMContentLoaded", async e => {
// Fix for Fx57 bug where bundled page loaded using
// browser.windows.create won't show contents unless resized.
// See https://bugzilla.mozilla.org/show_bug.cgi?id=1402110
let win = await browser.windows.getCurrent({populate: true});
if (win.tabs[0].url === document.URL) {
debug("Resize hack");
await browser.windows.update(win.id, {
width: win.width + 1
});
await browser.windows.update(win.id, {
width: win.width
});
}
});
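Review bot: the two `browser.windows.update` calls run on every load with no version or feature check and no error handling inside the async `DOMContentLoaded` listener, so a rejected `getCurrent` or `update` becomes an unhandled rejection and the workaround outlives the bug it cites; wrap the body in `try`/`catch` and state in the comment when the hack can be removed (once bug 1402110 is fixed in all supported versions).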

5
src/ui/siteInfo.html Normal file

@ -0,0 +1,5 @@
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/lib/log.js"></script>
<script src="/lib/include.js"></script>
<script src="siteInfo.js"></script>

20
src/ui/siteInfo.js Normal file

@ -0,0 +1,20 @@
(async () => {
let [domain, tabId] = decodeURIComponent(location.hash.replace("#", "")).split(";");
const BASE = "https://noscript.net";
await include(['/lib/punycode.js', '/common/Storage.js']);
let {siteInfoConsent} = await Storage.get("sync", "siteInfoConsent");
if (!siteInfoConsent) {
await include('/common/locale.js');
siteInfoConsent = confirm(_("siteInfo_confirm", [domain, BASE]));
if (siteInfoConsent) {
await Storage.set("sync", {siteInfoConsent});
} else {
let current = await browser.tabs.getCurrent();
await browser.tabs.update(parseInt(tabId), {active: true});
await browser.tabs.remove(current.id);
return;
}
}
let ace = punycode.toASCII(domain);
location.href = `${BASE}/about/${domain};${ace}`;
})();
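Review bot: `domain` comes straight from `location.hash` and is interpolated unencoded into `${BASE}/about/${domain};${ace}`, so a value containing `/`, `?`, `#` or `..` changes the path or query of the request sent to noscript.net; validate it as a hostname before use and apply `encodeURIComponent` to both parts. A hash without `;` leaves `tabId` undefined, so `parseInt(tabId)` needs radix 10 and a `NaN` check before it is handed to `browser.tabs.update`.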

117
src/ui/toolbar.js Normal file

@ -0,0 +1,117 @@
{
let toolbar = document.getElementById("top");
let spacer = toolbar.querySelector(".spacer");
let hider = toolbar.querySelector(".hider");
if (UI.local.toolbarLayout) {
debug(uneval(UI.local.toolbarLayout));
let {left, right, hidden} = UI.local.toolbarLayout;
for (let id of left) {
toolbar.insertBefore(document.getElementById(id), hider);
}
for (let id of right) {
toolbar.appendChild(document.getElementById(id));
}
for (let id of hidden) {
hider.appendChild(document.getElementById(id));
}
}
for (let i of toolbar.querySelectorAll(".icon")) {
if (!i.title) i.title = i.textContent;
}
function toggleHider(b) {
let cl = hider.classList;
cl.toggle("open", b);
cl.toggle("empty", !hider.querySelector(".icon"));
}
hider.querySelector(".hider-close").onclick = e => {
toggleHider(false);
};
toggleHider(false);
let dnd = {
dragstart(ev) {
let d = ev.target;
if (hider.querySelectorAll(".icon").length) {
toggleHider(true);
}
if (!d.classList.contains("icon")) {
ev.preventDefault();
return;
}
d.style.opacity = ".5";
let dt = ev.dataTransfer;
dt.setData("text/plain", d.id);
dt.dropEffect = "move";
dt.setDragImage(d, 0, 0);
toggleHider(true);
},
dragend(ev) {
ev.target.style.opacity = "";
},
dragover(ev) {
ev.preventDefault();
},
dragenter(ev) {
let t = ev.target;
},
dragleave(ev) {
let t = ev.target;
},
drop(ev) {
let t = ev.target;
let d = document.getElementById(ev.dataTransfer.getData("text/plain"));
switch(t) {
case hider:
t.appendChild(d);
break;
case toolbar:
t.insertBefore(d, ev.clientX < hider.offsetLeft ? hider : spacer.nextElementSibling);
break;
default:
t.parentNode.insertBefore(d, ev.clientX < (t.offsetLeft + t.offsetWidth) ? t : t.nextElementSibling);
}
let left = [], right = [];
let side = left;
for (let el of document.querySelectorAll("#top > .icon, #top > .spacer")) {
if (el === spacer) {
side = right;
} else {
side.push(el.id);
}
}
UI.local.toolbarLayout = {
left, right,
hidden: Array.map(document.querySelectorAll("#top > .hider > .icon"), el => el.id),
};
debug("%o", UI.local);
UI.updateSettings({local: UI.local});
},
click(ev) {
let el = ev.target;
if (el.parentNode === hider && el.classList.contains("icon")) {
ev.preventDefault();
ev.stopPropagation();
} else if (el === spacer || el.classList.contains("reveal")) {
toggleHider(true);
}
}
};
for (let [action, handler] of Object.entries(dnd)) {
toolbar.addEventListener(action, handler, true);
}
for (let draggable of document.querySelectorAll("#top .icon")) {
draggable.setAttribute("draggable", "true");
}
}
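Review bot: `drop` trusts `ev.dataTransfer.getData("text/plain")` as an element id, so dropping arbitrary text gives `d === null` (and `appendChild(null)` throws), and any id in the document, not only a toolbar icon, can be moved into the toolbar and persisted in `toolbarLayout`; check `d && d.classList.contains("icon")` before inserting. The same holds when restoring `UI.local.toolbarLayout` at the top: an id that no longer exists makes `document.getElementById(id)` return null and `insertBefore`/`appendChild` throw. `uneval` and the `Array.map` static generic are non-standard Firefox-only functions; `JSON.stringify` and `Array.from(nodes, el => el.id)` are the portable forms, and the empty `dragenter`/`dragleave` handlers can be removed.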

63
src/ui/ui-hc.css Normal file

@ -0,0 +1,63 @@
input {
transform: none !important;
width: auto !important;
position: static !important;
}
input[type="radio"] {
-moz-appearance: radio !important;
padding-right: .2em !important;
}
input[type="checkbox"] {
-moz-appearance: checkbox !important;
}
button {
text-indent: 0 !important;
}
label {
display: initial !important;
position: static !important;
transform: none !important;
opacity: 1 !important;
text-indent: 0 !Important;
position: static;
width: auto !important;
padding: 4px !important;
}
span.preset {
display: block;
width: auto !important;
white-space: nowrap !important;
}
input.temp {
position: static !important;
opacity: 1 !important;
}
.full-address {
font-size: 130%;
}
tr.site {
border-top: 1px solid #888;
}
#top {
display:flex;
flex-flow: row;
justify-content: space-around;
}
#top button {
position: static;
width: auto;
}
#top button.icon {
font-size: 12px !important;
font-family: arial sans-serif !important;
}
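Review bot: `font-family: arial sans-serif !important` in `#top button.icon` is missing the comma, so it names a single family called "arial sans-serif" rather than Arial with a generic fallback; write `arial, sans-serif`. In the `label` rule `position: static` is declared twice (once with `!important`, once without), and `!Important` should be lower-cased to match the rest of the sheet.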

391
src/ui/ui.css Normal file

@ -0,0 +1,391 @@
body {
font-family: sans-serif;
font: -moz-use-system-font;
font-size: 12px;
}
.mobile > body {
font-size: 4mm;
min-width: auto;
}
.mobile .desktop {
display: none !important;
}
@media (max-width: 100mm) {
body {
background-size: 4em !important;
padding-right: 0 !important;
}
.presets {
width: 0;
}
.presets input.preset {
min-width: 0 !important;
background-color: none !important;
margin-bottom: 0;
margin-top: 1mm;
font-weight: bold;
}
.presets input.temp {
position: static;
}
.presets label.preset {
font-size: 50%;
top: -1mm;
left: 0;
margin: 0;
padding: 0;
text-align: center;
text-shadow: 0 0 4px #ff8;
position: absolute;
overflow: visible;
}
td.presets {
white-space: nowrap !important;
vertical-align: bottom;
}
.url {
white-space: wrap;
word-break: break-all;
font-size: 75%;
letter-spacing: -0.2mm;
}
}
input[type="text"] {
border: 1px solid;
}
input[type="checkbox"] {
width: 1em;
height: 1em;
}
.presets {
-moz-user-select: none;
}
.sites {
border: 0;
background: white;
border-collapse: collapse;
border-spacing: 0;
width: 100%;
overflow-y: auto;
}
.sites tr, .sites td {
margin: 0;
padding: 0;
border: none;
font-size: 1em;
}
.sites > tr.site:hover, .sites > tr.sites:active {
background: #abf;
}
.sites > tr:nth-child(even) {background: #fff}
.sites > tr:nth-child(odd) {background: #eee}
.site .url {
padding: 0 0 0 0.5em;
color: #ccc;
vertical-align: middle;
}
.site .url .protocol { display: none }
.site .url .domain { cursor: help }
[data-key="domain"] .full-address .host,
[data-key="domain"] .full-address .sub,
[data-key="domain"] .full-address .protocol,
[data-key="host"] .full-address span .protocol,
[data-key="host"] .full-address span .protocol, {
background-color: #afe;
}
[data-key="host"] .full-address span .protocol,
[data-key="domain"] .full-address span .host,
[data-key="domain"] .full-address span .protocol {
border: none;
}
.site .url[data-key="domain"] .domain,
.site .url[data-key="host"] .domain,
.site .url[data-key="host"] .sub,
.site .url[data-key="unsafe"] span {
color: #a00;
}
.site .url[data-key="secure"] .domain,
.site .url[data-key="secure"] .sub,
.site .url[data-key="full"] span {
color: black;
}
.site .url[data-key="full"] span,
.site .url[data-key="unsafe"] span {
display: initial;
}
.site .url .domain {
font-weight: bold;
}
input.https-only {
font-size: 1em;
-moz-appearance: none;
background: url(/img/ui-http64.png) no-repeat center;
background-size: 1.5em;
width: 1.5em;
height: 1.5em;
margin: 0 0 -0.13em 0.13em;
padding:0;
cursor: pointer;
}
input.https-only:checked {
background-image: url(/img/ui-https64.png);
}
label.https-only {
display: none;
}
[data-preset="UNTRUSTED"] .https-only, [data-preset="DEFAULT"] .https-only {
visibility: hidden;
}
td.presets {
font-size: 1em;
white-space: nowrap;
}
.mobile td.presets {
white-space: normal;
}
span.preset {
position: relative;
display: inline-block;
top: 0.13em;
font-size: 1em;
}
.preset label, .preset input, .preset button {
cursor: pointer;
}
.presets input.preset {
font-size: 1em;
-moz-appearance: none;
background: url(/img/ui-no64.png) no-repeat center left;
background-size: 1.5em;
width: 1.5em;
height: 1.5em;
outline: 0;
opacity: .5;
margin: 0 .5em 0.13em .5em;
}
input.preset:active, input.preset:focus, input.preset:hover {
background-color: #ff8;
border-radius: .5em;
}
.presets input.preset:checked, #presets input.preset {
opacity: 1;
transform: none;
min-width: 9.38em;
background-color: #ddd;
border-radius: 0.5em;
}
.presets input.preset:focus {
transform: none;
}
.sites input + label {
font-size: 1em;
line-height: 1.5em;
vertical-align: top;
}
.presets label.preset {
padding: 0;
letter-spacing: -0.06em;
width: 0em;
overflow: hidden;
display: none;
text-transform: uppercase;
color: #000;
opacity: .6;
position: absolute;
left: 0em;
padding-left: 2.5em;
transition: 0.2s all;
}
.presets input.preset[value^="T"] + label {
text-transform: none;
}
.presets input.preset:checked + label, #presets .presets label {
opacity: 1;
width: 100%;
display: inline-block;
}
button.options {
-moz-appearance: none;
border: none;
background: none transparent;
font-family: sans-serif;
font-weight: bold;
color: #048;
text-shadow: -0.06em -0.06em 0.06em #fff, 0.13em 0.13em 0.13em #000;
padding: 0;
margin: 0;
}
.preset .options {
-moz-appearance: none;
border: 0;
background: none;
font-size: 1em;
width: 1em;
height: 1em;
opacity: 0;
position: absolute;
bottom: 0.88em;
left: 1.13em;
pointer-events: none;
}
.preset:hover input.preset:checked ~ .options {
display: block;
opacity: 1;
bottom: 0.38em;
}
input.preset[value="T_TRUSTED"] {
background-image: url(/img/ui-temp64.png);
}
input.preset[value="TRUSTED"] {
background-image: url(/img/ui-yes64.png)
}
input.preset[value="UNTRUSTED"] {
background-image: url(/img/ui-black64.png)
}
input.preset[value="CUSTOM"] {
background-image: url(/img/ui-custom64.png)
}
input.temp {
font-size: 1em;
-moz-appearance: none;
margin: 0;
padding: 0;
border: 0;
opacity: 0;
background: url(/img/ui-clock64.png) no-repeat center;
background-size: 60%;
width: 1.5em;
height: 1.5em;
transition: 0.2s all;
right: 0;
top: 0;
pointer-events: none;
position: absolute;
}
input.temp + label {
display: none;
}
input.preset:checked ~ input.temp {
opacity: .5;
right: .5em;
pointer-events: all;
}
.presets input.preset:checked ~ input.temp:checked {
opacity: 1 !important;
background-size: 100%;
}
.customizing input.preset:checked, #presets input.preset:checked, .customizer fieldset {
background-color: #ffb !important;
border-radius: 0.5em 0.5em 0 0;
margin: 0 0.06em 0.06em 0.06em;
}
.customizing input.preset:checked, #presets input.preset, #presets input.preset:checked {
margin: 0 1em -0.2em 1em;
border-radius: 0.5em 0.5em 0 0;
}
.customizing input.preset:checked + label.preset {
padding-left: 3em;
}
.customizing, .customizer {
background-color: #cca !important;
}
.customizer div {
transition: 0.2s height;
padding: 0;
margin: 0;
}
span.cap {
white-space: nowrap;
display: inline-block;
}
.customizer.closed .customizer-controls {
height: 0;
overflow: hidden;
}
span.cap {
padding: 0.5em;
font-weight: normal;
}
span.cap.needed {
font-weight: bold;
background-color: #c88;
}
fieldset {
border: 0;
padding: 1.5em 0.5em 0.5em 0.5em;
margin: 0;
position: relative;
}
legend {
font-weight: bold;
display: inline;
position: absolute;
top: 0.25em;
left: 1em;
white-space: nowrap;
}
.customizer legend {
font-weight: bold;
font-size: 0.75em;
}
#presets .https-only {
display: none;
}
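Review bot: the selector list that ends in `[data-key="host"] .full-address span .protocol, {` has a trailing comma (and repeats that selector on the line above), which makes the whole list invalid, so the `background-color: #afe` highlight is dropped for every selector in the rule; remove the duplicate line and the comma. `background-color: none` under `.presets input.preset` in the media query is not a valid color (use `transparent`), and `.sites > tr.sites:active` looks like a typo for `tr.site:active`.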

661
src/ui/ui.js Normal file

@ -0,0 +1,661 @@
'use strict';
var UI = (() => {
var UI = {
initialized: false,
presets: {
"DEFAULT": "Default",
"T_TRUSTED": "Trusted_temporary",
"TRUSTED": "Trusted_permanent",
"UNTRUSTED": "Untrusted",
"CUSTOM": "Custom",
},
async init(tabId = -1) {
UI.tabId = tabId;
let scripts = [
"/ui/ui.css",
"/lib/punycode.js",
"/lib/tld.js",
"/common/Policy.js",
];
this.mobile = !("windows" in browser);
if (this.mobile) {
document.documentElement.classList.toggle("mobile", true);
scripts.push("/lib/fastclick.js");
}
await include(scripts);
detectHighContrast();
let inited = new Promise(resolve => {
let listener = m => {
if (m.type === "settings") {
UI.policy = new Policy(m.policy);
UI.snapshot = UI.policy.snapshot;
UI.seen = m.seen;
UI.unrestrictedTab = m.unrestrictedTab;
UI.xssUserChoices = m.xssUserChoices;
UI.local = m.local;
UI.sync = m.sync;
if (UI.local && !UI.local.debug) {
debug = () => {}; // be quiet!
}
resolve();
if (UI.onSettings) UI.onSettings();
}
};
browser.runtime.onMessage.addListener(listener);
if (this.mobile) FastClick.attach(document.body);
UI.pullSettings();
});
await inited;
this.initialized = true;
debug("Imported", Policy);
},
async pullSettings() {
browser.runtime.sendMessage({type: "NoScript.broadcastSettings", tabId: UI.tabId});
},
async updateSettings({policy, xssUserChoices, unrestrictedTab, local, sync, reloadAffected}) {
if (policy) policy = policy.dry(true);
return await browser.runtime.sendMessage({type: "NoScript.updateSettings",
policy,
xssUserChoices,
unrestrictedTab,
local,
sync,
reloadAffected,
tabId: UI.tabId,
});
},
async exportSettings() {
return await browser.runtime.sendMessage({type: "NoScript.exportSettings"});
},
async importSettings(data) {
return await browser.runtime.sendMessage({type: "NoScript.importSettings", data});
},
async revokeTemp() {
let policy = this.policy;
Policy.hydrate(policy.dry(), policy);
if (this.isDirty(true)) {
await this.updateSettings({policy, reloadAffected: true});
}
},
isDirty(reset = false) {
let currentSnapshot = this.policy.snapshot;
let dirty = currentSnapshot != this.snapshot;
if (reset) this.snapshot = currentSnapshot;
return dirty;
},
async openSiteInfo(domain) {
let url = `/ui/siteInfo.html#${encodeURIComponent(domain)};${UI.tabId}`;
browser.tabs.create({url});
}
};
function detectHighContrast() {
// detect high contrast
let canary = document.createElement("input");
canary.className="https-only";
canary.style.display = "none";
document.body.appendChild(canary);
if (UI.highContrast = window.getComputedStyle(canary).backgroundImage === "none") {
include("/ui/ui-hc.css");
document.documentElement.classList.toggle("hc");
}
canary.parentNode.removeChild(canary);
}
function fireOnChange(sitesUI, data) {
if (UI.isDirty(true)) {
UI.updateSettings({policy: UI.policy});
if (sitesUI.onChange) sitesUI.onChange(data, this);
}
}
function compareBy(prop, a, b) {
let x = a[prop], y = b[prop];
return x > y ? 1 : x < y ? -1 : 0;
}
const TEMPLATE = `
<table class="sites">
<tr class="site">
<td class="presets">
<span class="preset">
<input id="preset" class="preset" type="radio" name="preset"><label for="preset" class="preset">PRESET</label>
<button class="options tiny"></button>
<input id="temp" class="temp" type="checkbox"><label for="temp">Temporary</input>
</span>
</td>
<td class="url" data-key="secure">
<input class="https-only" id="https-only" type="checkbox"><label for="https-only" class="https-only"></label>
<span class="full-address">
<span class="protocol">https://</span><span class="sub">www.</span><span class="domain">noscript.net</span><span class="path"></span>
</span>
</td>
</tr>
<tr class="customizer">
<td colspan="2">
<div class="customizer-controls">
<fieldset><legend></legend>
<span class="cap">
<input class="cap" type="checkbox" value="script" />
<label class="cap">script</label>
</span>
</fieldset>
</div>
</td>
</tr>
</table>
`;
const TEMP_PRESETS = ["CUSTOM"];
const DEF_PRESETS = {
// name: customizable,
"DEFAULT": false,
"T_TRUSTED": false,
"TRUSTED": false,
"UNTRUSTED": false,
"CUSTOM": true,
};
UI.Sites = class {
constructor(parentNode, presets = DEF_PRESETS) {
this.parentNode = parentNode;
let policy = UI.policy;
this.uiCount = UI.Sites.count = (UI.Sites.count || 0) + 1;
this.sites = policy.sites;
this.presets = presets;
this.customizing = null;
this.typesMap = new Map();
this.clear();
}
initRow(table = this.table) {
let row = table.querySelector("tr.site");
// PRESETS
{
let presets = row.querySelector(".presets");
let [span, input, label, options] = presets.querySelectorAll("span.preset, input.preset, label.preset, .options");
span.remove();
options.title = _("Options");
for (let [preset, customizable] of Object.entries(this.presets)) {
let messageKey = UI.presets[preset];
input.value = preset;
label.textContent = label.title = input.title = _(messageKey);
let clone = span.cloneNode(true);
clone.classList.add(preset);
let temp = clone.querySelector(".temp");
if (TEMP_PRESETS.includes(preset)) {
temp.title = _("allowTemp", `(${label.title.toUpperCase()})`);
temp.nextElementSibling.textContent = _("allowTemp", ""); // label;
} else {
temp.nextElementSibling.remove();
temp.remove();
}
if (customizable) {
clone.querySelector(".options").remove();
}
presets.appendChild(clone);
}
}
// URL
{
let [input, label] = row.querySelectorAll("input.https-only, label.https-only");
input.title = label.title = label.textContent = _("httpsOnly");
}
// CUSTOMIZER ROW
{
let [customizer, legend, cap, capInput, capLabel] = table.querySelectorAll(".customizer, legend, span.cap, input.cap, label.cap");
row._customizer = customizer;
customizer.remove();
let capParent = cap.parentNode;
capParent.removeChild(cap);
legend.textContent = _("allow");
let idSuffix = UI.Sites.count;
for (let capability of Permissions.ALL) {
capInput.id = `capability-${capability}-${idSuffix}`
capLabel.setAttribute("for", capInput.id);
capInput.value = capability;
capInput.title = capLabel.textContent = _(`cap_${capability}`);
let clone = capParent.appendChild(cap.cloneNode(true));
clone.classList.add(capability);
}
}
// debug(table.outerHTML);
return row;
}
allSiteRows() {
return this.table.querySelectorAll("tr.site");
}
clear() {
debug("Clearing list", this.table);
this.template = document.createElement("template");
this.template.innerHTML = TEMPLATE;
this.fragment = this.template.content;
this.table = this.fragment.querySelector("table.sites");
this.rowTemplate = this.initRow();
for (let r of this.allSiteRows()) {
r.parentNode.removeChild(r);
}
this.customize(null);
this.sitesCount = 0;
}
siteNeeds(site, type) {
let siteTypes = this.typesMap && this.typesMap.get(site);
return !!siteTypes && siteTypes.has(type);
}
handleEvent(ev) {
let target = ev.target;
let customizer = target.closest(".customizer");
let row = customizer ? customizer.parentNode.querySelector("tr.customizing") : target.closest("tr.site");
if (!row) return;
row.temp2perm = false;
let isTemp = target.matches("input.temp");
let preset = target.matches("input.preset") ? target
: customizer || isTemp ? row.querySelector("input.preset:checked")
: target.closest("input.preset");
debug("%s target %o\n\trow %s, perms %o\npreset %s %s",
ev.type,
target, row && row.siteMatch, row && row.perms,
preset && preset.value, preset && preset.checked);
if (!preset) {
if (target.matches("input.https-only") && ev.type === "change") {
this.toggleSecure(row, target.checked);
fireOnChange(this, row);
} else if (target.matches(".domain")) {
UI.openSiteInfo(row.domain);
}
return;
}
let policy = UI.policy;
let {siteMatch, contextMatch, perms} = row;
let presetValue = preset.value;
let policyPreset = presetValue.startsWith("T_") ? policy[presetValue.substring(2)].tempTwin : policy[presetValue];
if (policyPreset) {
if (row.perms !== policyPreset) {
row.temp2perm = row.perms && policyPreset.tempTwin === row.perms;
row.perms = policyPreset;
}
}
let isCap = customizer && target.matches(".cap");
let tempToggle = preset.parentNode.querySelector("input.temp");
if (ev.type === "change") {
if (preset.checked) {
row.dataset.preset = preset.value;
}
if (isCap) {
perms.set(target.value, target.checked);
} else if (policyPreset) {
if (tempToggle && tempToggle.checked) {
policyPreset = policyPreset.tempTwin;
}
row.contextMatch = null;
row.perms = policyPreset;
delete row._customPerms;
debug("Site match", siteMatch);
if (siteMatch) {
policy.set(siteMatch, policyPreset);
} else {
this.customize(policyPreset, preset, row);
}
} else if (preset.value === "CUSTOM") {
if (isTemp) {
row.perms.temp = target.checked;
} else {
let temp = preset.parentNode.querySelector("input.temp").checked;
let perms = row._customPerms ||
(row._customPerms = new Permissions(new Set(row.perms.capabilities), temp));
row.perms = perms;
policy.set(siteMatch, perms);
this.customize(perms, preset, row);
}
}
fireOnChange(this, row);
} else if (!(isCap || isTemp) && ev.type === "click") {
this.customize(row.perms, preset, row);
}
}
customize(perms, preset, row) {
debug("Customize preset %s (%o) - Dirty: %s", preset && preset.value, perms, this.dirty);
for(let r of this.table.querySelectorAll("tr.customizing")) {
r.classList.toggle("customizing", false);
}
let customizer = this.rowTemplate._customizer;
customizer.classList.toggle("closed", true);
if (!(perms && row && preset &&
row.dataset.preset === preset.value &&
this.presets[preset.value] &&
preset !== customizer._preset)) {
delete customizer._preset;
return;
}
customizer._preset = preset;
row.classList.toggle("customizing", true);
let immutable = Permissions.IMMUTABLE[preset.value] || {};
for (let input of customizer.querySelectorAll("input")) {
let type = input.value;
if (type in immutable) {
input.disabled = true;
input.checked = immutable[type];
} else {
input.checked = perms.allowing(type);
input.disabled = false;
}
input.parentNode.classList.toggle("needed", this.siteNeeds(row._site, type));
row.parentNode.insertBefore(customizer, row.nextElementSibling);
customizer.classList.toggle("closed", false);
customizer.onkeydown = e => {
switch(e.keyCode) {
case 38:
case 8:
e.preventDefault();
this.onkeydown = null;
this.customize(null);
preset.focus();
return false;
}
}
window.setTimeout(() => customizer.querySelector("input").focus(), 50);
}
}
render(sites = this.sites, sorter = this.sorter) {
let parentNode = this.parentNode;
debug("Rendering %o inside %o", sites, parentNode);
if (sites) this._populate(sites, sorter);
parentNode.innerHTML = "";
parentNode.appendChild(this.fragment);
let root = parentNode.querySelector("table.sites");
debug("Wiring", root);
if (!root.wiredBy) {
root.addEventListener("click", this, true);
root.addEventListener("change", this, true);
root.wiredBy = this;
}
return root;
}
_populate(sites, sorter) {
this.clear();
if (sites instanceof Sites) {
for (let [site, perms] of sites) {
this.append(site, site, perms);
}
} else {
for (let site of sites) {
let context = null;
if (site.site) {
site = site.site;
context = site.context;
}
let {siteMatch, perms, contextMatch} = UI.policy.get(site, context);
this.append(site, siteMatch, perms, contextMatch);
}
this.sites = sites;
}
this.sort(sorter);
window.setTimeout(() => this.focus(), 50);
}
focus() {
let firstPreset = this.table.querySelector("input.preset:checked");
if (firstPreset) firstPreset.focus();
}
sort(sorter = this.sorter) {
if (this.mainDomain) {
let md = this.mainDomain;
let wrappedCompare = sorter;
sorter = (a, b) => {
let x = a.domain, y = b.domain;
if (x === md) {
if (y !== md) {
return -1;
}
} else if (y === md) {
return 1;
}
return wrappedCompare(a, b);
}
}
let rows = [...this.allSiteRows()].sort(sorter);
if (this.mainSite) {
let mainLabel = "." + this.mainDomain;
let topIdx = rows.findIndex(r => r._label === mainLabel);
if (topIdx === -1) rows.findIndex(r => r._site === this.mainSite);
if (topIdx !== -1) {
// move the row to the top
let topRow = rows.splice(topIdx, 1)[0];
rows.unshift(topRow);
topRow.classList.toggle("main", true);
}
}
this.clear();
for (let row of rows) this.table.appendChild(row);
this.table.appendChild(this.rowTemplate._customizer);
}
sorter(a, b) {
return compareBy("domain", a, b) || compareBy("_label", a, b);
}
async tempTrustAll() {
let {policy} = UI;
let changed = 0;
for (let row of this.allSiteRows()) {
if (row._preset === "DEFAULT") {
policy.set(row._site, policy.TRUSTED.tempTwin);
changed++;
}
}
if (changed && UI.isDirty(true)) {
await UI.updateSettings({policy, reloadAffected: true});
}
return changed;
}
createSiteRow(site, siteMatch, perms, contextMatch = null, sitesCount = this.sitesCount++) {
debug("Creating row for site: %s, matching %s / %s, %o", site, siteMatch, contextMatch, perms);
let row = this.rowTemplate.cloneNode(true);
row.sitesCount = sitesCount;
let url;
try {
url = new URL(site);
} catch (e) {
let protocol = Sites.isSecureDomainKey(site) ? "https:" : "http:";
let hostname = Sites.toggleSecureDomainKey(site, false);
url = {protocol, hostname, origin: `${protocol}://${site}`, pathname: "/"};
}
let hostname = Sites.toExternal(url.hostname);
let domain = tld.getDomain(hostname);
if (!siteMatch) {
// siteMatch = url.protocol === "https:" ? Sites.secureDomainKey(domain) : site;
siteMatch = site;
}
let secure = Sites.isSecureDomainKey(siteMatch);
let keyStyle = secure ? "secure"
: !domain || /^\w+:/.test(siteMatch) ?
(url.protocol === "https:" ? "full" : "unsafe")
: domain === hostname ? "domain" : "host";
let urlContainer = row.querySelector(".url");
urlContainer.dataset.key = keyStyle;
row._site = site;
row.siteMatch = siteMatch;
row.contextMatch = contextMatch;
row.perms = perms;
row.domain = domain || siteMatch;
if (domain) { // "normal" URL
let justDomain = hostname === domain;
let domainEntry = secure || domain === site;
row._label = domainEntry ? "." + domain : site;
row.querySelector(".protocol").textContent = `${url.protocol}//`;
row.querySelector(".sub").textContent = justDomain ?
(keyStyle === "full" || keyStyle == "unsafe"
? "" : "…")
: hostname.substring(0, hostname.length - domain.length);
row.querySelector(".domain").textContent = domain;
row.querySelector(".path").textContent = siteMatch.length > url.origin.length ? url.pathname : "";
let httpsOnly = row.querySelector("input.https-only");
httpsOnly.checked = keyStyle === "full" || keyStyle === "secure";
} else {
row._label = siteMatch;
urlContainer.querySelector(".full-address").textContent = siteMatch;
}
let presets = row.querySelectorAll("input.preset");
let idSuffix = `-${this.uiCount}-${sitesCount}`;
for (let p of presets) {
p.id = `${p.value}${idSuffix}`;
p.name = `preset${idSuffix}`;
let label = p.nextElementSibling;
label.setAttribute("for", p.id);
let temp = p.parentNode.querySelector("input.temp");
if (temp) {
temp.id = `temp-${p.id}`;
label = temp.nextElementSibling;
label.setAttribute("for", temp.id);
}
}
let policy = UI.policy;
let presetName = "CUSTOM";
for (let p of ["TRUSTED", "UNTRUSTED", "DEFAULT"]) {
let preset = policy[p];
switch (perms) {
case preset:
presetName = p;
break;
case preset.tempTwin:
presetName = `T_${p}`;
if (!presetName in UI.presets) {
presetName = p;
}
break;
}
}
let tempFirst = true; // TODO: make it a preference
let unsafeMatch = keyStyle !== "secure" && keyStyle !== "full";
if (presetName === "DEFAULT" && (tempFirst || unsafeMatch)) {
// prioritize temporary privileges over permanent
for (let p of TEMP_PRESETS) {
if (p in this.presets && (unsafeMatch || tempFirst && p === "TRUSTED")) {
row.querySelector(`.presets input[value="${p}"]`).parentNode.querySelector("input.temp").checked = true;
perms = policy.TRUSTED.tempTwin;
}
}
}
let preset = row.querySelector(`.presets input[value="${presetName}"]`);
if (!preset) {
debug(`Preset %s not found in %s!`, presetName, row.innerHTML);
} else {
preset.checked = true;
row.dataset.preset = row._preset = presetName;
if (TEMP_PRESETS.includes(presetName)) {
let temp = preset.parentNode.querySelector("input.temp");
if (temp) {
temp.checked = perms.temp;
}
}
}
return row;
}
append(site, siteMatch, perms, contextMatch) {
this.table.appendChild(this.createSiteRow(...arguments));
}
toggleSecure(row, secure = !!row.querySelector("https-only:checked")) {
this.customize(null);
let site = row.siteMatch;
site = site.replace(/^https?:/, secure ? "https:" : "http:");
if (site === row.siteMatch) {
site = Sites.toggleSecureDomainKey(site, secure);
}
if (site !== row.siteMatch) {
let {policy} = UI;
policy.set(row.siteMatch, policy.DEFAULT);
policy.set(site, row.perms);
for(let r of this.allSiteRows()) {
if (r !== row && r.siteMatch === site && r.contextMatch === row.contextMatch) {
r.parentNode.removeChild(r);
}
}
let newRow = this.createSiteRow(site, site, row.perms, row.contextMatch, row.sitesCount);
row.parentNode.replaceChild(newRow, row);
}
}
highlight(key) {
key = Sites.toExternal(key);
for (let r of this.allSiteRows()) {
if (r.querySelector(".full-address").textContent.trim().includes(key)) {
let url = r.lastElementChild;
url.style.transition = r.style.transition = "none";
r.style.backgroundColor = "#850";
url.style.transform = "scale(2)";
r.querySelector("input.preset:checked").focus();
window.setTimeout(() => {
r.style.transition = "1s background-color";
url.style.transition = "1s transform";
r.style.backgroundColor = "";
url.style.transform = "none";
r.scrollIntoView();
}, 50);
}
}
}
filterSites(key) {
key = Sites.toExternal(key);
for (let r of this.allSiteRows()) {
if (r.querySelector(".full-address").textContent.trim().includes(key)) {
r.style.display = "";
} else {
r.style.display = "none";
}
}
}
}
return UI;
})();
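
Review bot: in `toggleSecure`, the default `secure = !!row.querySelector("https-only:checked")` uses a type selector for an element named `https-only`, while `createSiteRow` finds the same checkbox with `input.https-only`; the default therefore always evaluates to false, and a call without an explicit second argument rewrites the match to its `http:` form. Use `input.https-only:checked`. Three more spots in this file look unintended: in `createSiteRow`, `if (!presetName in UI.presets)` parses as `(!presetName) in UI.presets` and should be `!(presetName in UI.presets)`; in `sort`, the fallback `rows.findIndex(r => r._site === this.mainSite)` discards its result and needs `topIdx = ...`; in `_populate`, `site = site.site` runs before `context = site.context`, so `context` is read from the reassigned value rather than from the original entry.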

45
src/ui/whirlpool.css Normal file

@ -0,0 +1,45 @@
.cssload-container{
position:relative;
}
.cssload-whirlpool,
.cssload-whirlpool::before,
.cssload-whirlpool::after {
position: absolute;
top: 50%;
left: 50%;
border: 1px solid rgb(204,204,204);
border-left-color: rgb(0,0,0);
border-radius: 974px;
}
.cssload-whirlpool {
margin: -24px 0 0 -24px;
height: 49px;
width: 49px;
animation: cssload-rotate 1150ms linear infinite;
}
.cssload-whirlpool::before {
content: "";
margin: -22px 0 0 -22px;
height: 43px;
width: 43px;
animation: cssload-rotate 1150ms linear infinite;
}
.cssload-whirlpool::after {
content: "";
margin: -28px 0 0 -28px;
height: 55px;
width: 55px;
animation: cssload-rotate 2300ms linear infinite;
}
@keyframes cssload-rotate {
100% {
transform: rotate(360deg);
}
}

638
src/xss/ASPIdiocy.js Normal file

@ -0,0 +1,638 @@
'use strict';
var ASPIdiocy = XSS.ASPIdiocy = {
_replaceRx: /%u([0-9a-fA-F]{4})/g,
_affectsRx: /%u[0-9a-fA-F]{4}/,
_badPercentRx: /%(?!u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})|%(?:00|u0000)[^&=]*/g,
hasBadPercents(s) {
return this._badPercentRx.test(s)
},
removeBadPercents(s) {
return s.replace(this._badPercentRx, '');
},
affects(s) {
return this._affectsRx.test(s);
},
process(s) {
s = this.filter(s);
return /[\uff5f-\uffff]/.test(s) ? s + '&' + s.replace(/[\uff5f-\uffff]/g, '?') : s;
},
filter(s) {
return this.removeBadPercents(s).replace(this._replaceRx, this._replace)
},
coalesceQuery(s) { // HPP protection, see https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
let qm = s.indexOf("?");
if (qm < 0) return s;
let p = s.substring(0, qm);
let q = s.substring(qm + 1);
if (!q) return s;
let unchanged = true;
let emptyParams = false;
let pairs = (function rearrange(joinNames) {
let pairs = q.split("&");
let accumulator = {
__proto__: null
};
for (let j = 0, len = pairs.length; j < len; j++) {
let nv = pairs[j];
let eq = nv.indexOf("=");
if (eq === -1) {
emptyParams = true;
if (joinNames && j < len - 1) {
pairs[j + 1] = nv + "&" + pairs[j + 1];
delete pairs[j];
}
continue;
}
let key = "#" + unescape(nv.substring(0, eq)).toLowerCase();
if (key in accumulator) {
delete pairs[j];
pairs[accumulator[key]] += ", " + nv.substring(eq + 1);
unchanged = false;
} else {
accumulator[key] = j;
}
}
return (emptyParams && !(unchanged || joinNames)) ?
pairs.concat(rearrange(true).filter(p => pairs.indexOf(p) === -1)) :
pairs;
})();
if (unchanged) return s;
for (let j = pairs.length; j-- > 0;)
if (!pairs[j]) pairs.splice(j, 1);
return p + pairs.join("&");
},
_replace(match, hex) {
const k = parseInt(hex, 16);
const map = ASPIdiocy.map;
if (k in map) return map[k];
const range = ASPIdiocy._findRange(k);
return range && range.data || String.fromCharCode(k);
},
_findRange(k) {
const ranges = this.ranges;
for (let low = 0, high = ranges.length - 1; low <= high;) {
let i = parseInt((low + high) / 2);
let r = ranges[i];
let comparison = k < r.start ? 1 : k > r.end ? -1 : 0;
if (comparison < 0) low = i + 1;
else if (comparison > 0) high = i - 1;
else return r;
}
return null;
}
}
XSS.ASPIdiocy.map = {
0x100: "\x41",
0x101: "\x61",
0x102: "\x41",
0x103: "\x61",
0x104: "\x41",
0x105: "\x61",
0x106: "\x43",
0x107: "\x63",
0x108: "\x43",
0x109: "\x63",
0x10a: "\x43",
0x10b: "\x63",
0x10c: "\x43",
0x10d: "\x63",
0x10e: "\x44",
0x10f: "\x64",
0x110: "\ufffd",
0x111: "\x64",
0x112: "\x45",
0x113: "\x65",
0x114: "\x45",
0x115: "\x65",
0x116: "\x45",
0x117: "\x65",
0x118: "\x45",
0x119: "\x65",
0x11a: "\x45",
0x11b: "\x65",
0x11c: "\x47",
0x11d: "\x67",
0x11e: "\x47",
0x11f: "\x67",
0x120: "\x47",
0x121: "\x67",
0x122: "\x47",
0x123: "\x67",
0x124: "\x48",
0x125: "\x68",
0x126: "\x48",
0x127: "\x68",
0x128: "\x49",
0x129: "\x69",
0x12a: "\x49",
0x12b: "\x69",
0x12c: "\x49",
0x12d: "\x69",
0x12e: "\x49",
0x12f: "\x69",
0x130: "\x49",
0x131: "\x69",
0x134: "\x4a",
0x135: "\x6a",
0x136: "\x4b",
0x137: "\x6b",
0x138: "\x3f",
0x139: "\x4c",
0x13a: "\x6c",
0x13b: "\x4c",
0x13c: "\x6c",
0x13d: "\x4c",
0x13e: "\x6c",
0x141: "\x4c",
0x142: "\x6c",
0x143: "\x4e",
0x144: "\x6e",
0x145: "\x4e",
0x146: "\x6e",
0x147: "\x4e",
0x148: "\x6e",
0x14c: "\x4f",
0x14d: "\x6f",
0x14e: "\x4f",
0x14f: "\x6f",
0x150: "\x4f",
0x151: "\x6f",
0x154: "\x52",
0x155: "\x72",
0x156: "\x52",
0x157: "\x72",
0x158: "\x52",
0x159: "\x72",
0x15a: "\x53",
0x15b: "\x73",
0x15c: "\x53",
0x15d: "\x73",
0x15e: "\x53",
0x15f: "\x73",
0x162: "\x54",
0x163: "\x74",
0x164: "\x54",
0x165: "\x74",
0x166: "\x54",
0x167: "\x74",
0x168: "\x55",
0x169: "\x75",
0x16a: "\x55",
0x16b: "\x75",
0x16c: "\x55",
0x16d: "\x75",
0x16e: "\x55",
0x16f: "\x75",
0x170: "\x55",
0x171: "\x75",
0x172: "\x55",
0x173: "\x75",
0x174: "\x57",
0x175: "\x77",
0x176: "\x59",
0x177: "\x79",
0x178: "\ufffd",
0x179: "\x5a",
0x17a: "\x7a",
0x17b: "\x5a",
0x17c: "\x7a",
0x17f: "\x3f",
0x180: "\x62",
0x189: "\ufffd",
0x197: "\x49",
0x19a: "\x6c",
0x1a1: "\x6f",
0x1ab: "\x74",
0x1ae: "\x54",
0x1af: "\x55",
0x1b0: "\x75",
0x1b6: "\x7a",
0x1c0: "\x7c",
0x1c3: "\x21",
0x1cd: "\x41",
0x1ce: "\x61",
0x1cf: "\x49",
0x1d0: "\x69",
0x1d1: "\x4f",
0x1d2: "\x6f",
0x1d3: "\x55",
0x1d4: "\x75",
0x1d5: "\x55",
0x1d6: "\x75",
0x1d7: "\x55",
0x1d8: "\x75",
0x1d9: "\x55",
0x1da: "\x75",
0x1db: "\x55",
0x1dc: "\x75",
0x1dd: "\x3f",
0x1de: "\x41",
0x1df: "\x61",
0x1e4: "\x47",
0x1e5: "\x67",
0x1e6: "\x47",
0x1e7: "\x67",
0x1e8: "\x4b",
0x1e9: "\x6b",
0x1ea: "\x4f",
0x1eb: "\x6f",
0x1ec: "\x4f",
0x1ed: "\x6f",
0x1f0: "\x6a",
0x261: "\x67",
0x2b9: "\x27",
0x2ba: "\x22",
0x2bb: "\x3f",
0x2bc: "\x27",
0x2c4: "\x5e",
0x2c5: "\x3f",
0x2c6: "\ufffd",
0x2c7: "\x3f",
0x2c8: "\x27",
0x2cb: "\x60",
0x2cc: "\x3f",
0x2cd: "\x5f",
0x2da: "\ufffd",
0x2db: "\x3f",
0x2dc: "\ufffd",
0x300: "\x60",
0x301: "\ufffd",
0x302: "\x5e",
0x303: "\x7e",
0x308: "\ufffd",
0x309: "\x3f",
0x30a: "\ufffd",
0x30e: "\x22",
0x327: "\ufffd",
0x37e: "\x3b",
0x393: "\x47",
0x398: "\x54",
0x3a3: "\x53",
0x3a6: "\x46",
0x3a9: "\x4f",
0x3b1: "\x61",
0x3b2: "\ufffd",
0x3b3: "\x3f",
0x3b4: "\x64",
0x3b5: "\x65",
0x3bc: "\ufffd",
0x3c0: "\x70",
0x3c3: "\x73",
0x3c4: "\x74",
0x3c5: "\x3f",
0x3c6: "\x66",
0x4bb: "\x68",
0x589: "\x3a",
0x66a: "\x25",
0x2012: "\x3f",
0x2017: "\x3d",
0x201b: "\x3f",
0x201f: "\x3f",
0x2023: "\x3f",
0x2024: "\ufffd",
0x2025: "\x3f",
0x2026: "\ufffd",
0x2030: "\ufffd",
0x2031: "\x3f",
0x2032: "\x27",
0x2035: "\x60",
0x2044: "\x2f",
0x2070: "\ufffd",
0x2074: "\x34",
0x2075: "\x35",
0x2076: "\x36",
0x2077: "\x37",
0x2078: "\x38",
0x207f: "\x6e",
0x2080: "\x30",
0x2081: "\x31",
0x2082: "\x32",
0x2083: "\x33",
0x2084: "\x34",
0x2085: "\x35",
0x2086: "\x36",
0x2087: "\x37",
0x2088: "\x38",
0x2089: "\x39",
0x20a1: "\ufffd",
0x20a4: "\ufffd",
0x20a7: "\x50",
0x20ac: "\ufffd",
0x2102: "\x43",
0x2107: "\x45",
0x210a: "\x67",
0x210e: "\x68",
0x210f: "\x3f",
0x2112: "\x4c",
0x2113: "\x6c",
0x2114: "\x3f",
0x2115: "\x4e",
0x211a: "\x51",
0x2122: "\ufffd",
0x2123: "\x3f",
0x2124: "\x5a",
0x2128: "\x5a",
0x2129: "\x3f",
0x212a: "\x4b",
0x212b: "\ufffd",
0x212c: "\x42",
0x212d: "\x43",
0x2130: "\x45",
0x2131: "\x46",
0x2132: "\x3f",
0x2133: "\x4d",
0x2134: "\x6f",
0x2205: "\ufffd",
0x2212: "\x2d",
0x2213: "\ufffd",
0x2214: "\x3f",
0x2215: "\x2f",
0x2216: "\x5c",
0x2217: "\x2a",
0x221a: "\x76",
0x221e: "\x38",
0x2223: "\x7c",
0x2229: "\x6e",
0x2236: "\x3a",
0x223c: "\x7e",
0x2248: "\ufffd",
0x2261: "\x3d",
0x22c5: "\ufffd",
0x2302: "\ufffd",
0x2303: "\x5e",
0x2310: "\ufffd",
0x2320: "\x28",
0x2321: "\x29",
0x2329: "\x3c",
0x232a: "\x3e",
0x2500: "\x2d",
0x2501: "\x3f",
0x2502: "\ufffd",
0x250c: "\x2b",
0x2510: "\x2b",
0x2514: "\x2b",
0x2518: "\x2b",
0x251c: "\x2b",
0x2524: "\ufffd",
0x252c: "\x2d",
0x2534: "\x2d",
0x253c: "\x2b",
0x2550: "\x2d",
0x2551: "\ufffd",
0x2580: "\ufffd",
0x2584: "\x5f",
0x2588: "\ufffd",
0x258c: "\ufffd",
0x25a0: "\ufffd",
0x263c: "\ufffd",
0x2758: "\x7c",
0x3000: "\x20",
0x3008: "\x3c",
0x3009: "\x3e",
0x301a: "\x5b",
0x301b: "\x5d",
0x30fb: "\ufffd",
0xff01: "\x21",
0xff02: "\x22",
0xff03: "\x23",
0xff04: "\x24",
0xff05: "\x25",
0xff06: "\x26",
0xff07: "\x27",
0xff08: "\x28",
0xff09: "\x29",
0xff0a: "\x2a",
0xff0b: "\x2b",
0xff0c: "\x2c",
0xff0d: "\x2d",
0xff0e: "\x2e",
0xff0f: "\x2f",
0xff10: "\x30",
0xff11: "\x31",
0xff12: "\x32",
0xff13: "\x33",
0xff14: "\x34",
0xff15: "\x35",
0xff16: "\x36",
0xff17: "\x37",
0xff18: "\x38",
0xff19: "\x39",
0xff1a: "\x3a",
0xff1b: "\x3b",
0xff1c: "\x3c",
0xff1d: "\x3d",
0xff1e: "\x3e",
0xff1f: "\x3f",
0xff20: "\x40",
0xff21: "\x41",
0xff22: "\x42",
0xff23: "\x43",
0xff24: "\x44",
0xff25: "\x45",
0xff26: "\x46",
0xff27: "\x47",
0xff28: "\x48",
0xff29: "\x49",
0xff2a: "\x4a",
0xff2b: "\x4b",
0xff2c: "\x4c",
0xff2d: "\x4d",
0xff2e: "\x4e",
0xff2f: "\x4f",
0xff30: "\x50",
0xff31: "\x51",
0xff32: "\x52",
0xff33: "\x53",
0xff34: "\x54",
0xff35: "\x55",
0xff36: "\x56",
0xff37: "\x57",
0xff38: "\x58",
0xff39: "\x59",
0xff3a: "\x5a",
0xff3b: "\x5b",
0xff3c: "\x5c",
0xff3d: "\x5d",
0xff3e: "\x5e",
0xff3f: "\x5f",
0xff40: "\x60",
0xff41: "\x61",
0xff42: "\x62",
0xff43: "\x63",
0xff44: "\x64",
0xff45: "\x65",
0xff46: "\x66",
0xff47: "\x67",
0xff48: "\x68",
0xff49: "\x69",
0xff4a: "\x6a",
0xff4b: "\x6b",
0xff4c: "\x6c",
0xff4d: "\x6d",
0xff4e: "\x6e",
0xff4f: "\x6f",
0xff50: "\x70",
0xff51: "\x71",
0xff52: "\x72",
0xff53: "\x73",
0xff54: "\x74",
0xff55: "\x75",
0xff56: "\x76",
0xff57: "\x77",
0xff58: "\x78",
0xff59: "\x79",
0xff5a: "\x7a",
0xff5b: "\x7b",
0xff5c: "\x7c",
0xff5d: "\x7d",
0xff5e: "\x7e"
};
{
let Range = class {
constructor(start, end, data) {
this.start = start;
this.end = end;
this.data = data;
}
};
XSS.ASPIdiocy.ranges = [
new Range(0x80, 0xff, "\ufffd"),
new Range(0x132, 0x133, "\x3f"),
new Range(0x13f, 0x140, "\x3f"),
new Range(0x149, 0x14b, "\x3f"),
new Range(0x152, 0x153, "\ufffd"),
new Range(0x160, 0x161, "\ufffd"),
new Range(0x17d, 0x17e, "\ufffd"),
new Range(0x181, 0x188, "\x3f"),
new Range(0x18a, 0x190, "\x3f"),
new Range(0x191, 0x192, "\ufffd"),
new Range(0x193, 0x196, "\x3f"),
new Range(0x198, 0x199, "\x3f"),
new Range(0x19b, 0x19e, "\x3f"),
new Range(0x19f, 0x1a0, "\x4f"),
new Range(0x1a2, 0x1aa, "\x3f"),
new Range(0x1ac, 0x1ad, "\x3f"),
new Range(0x1b1, 0x1b5, "\x3f"),
new Range(0x1b7, 0x1bf, "\x3f"),
new Range(0x1c1, 0x1c2, "\x3f"),
new Range(0x1c4, 0x1cc, "\x3f"),
new Range(0x1e0, 0x1e3, "\x3f"),
new Range(0x1ee, 0x1ef, "\x3f"),
new Range(0x1f1, 0x260, "\x3f"),
new Range(0x262, 0x2b8, "\x3f"),
new Range(0x2bd, 0x2c3, "\x3f"),
new Range(0x2c9, 0x2ca, "\ufffd"),
new Range(0x2ce, 0x2d9, "\x3f"),
new Range(0x2dd, 0x2ff, "\x3f"),
new Range(0x304, 0x305, "\ufffd"),
new Range(0x306, 0x307, "\x3f"),
new Range(0x30b, 0x30d, "\x3f"),
new Range(0x30f, 0x326, "\x3f"),
new Range(0x328, 0x330, "\x3f"),
new Range(0x331, 0x332, "\x5f"),
new Range(0x333, 0x37d, "\x3f"),
new Range(0x37f, 0x392, "\x3f"),
new Range(0x394, 0x397, "\x3f"),
new Range(0x399, 0x3a2, "\x3f"),
new Range(0x3a4, 0x3a5, "\x3f"),
new Range(0x3a7, 0x3a8, "\x3f"),
new Range(0x3aa, 0x3b0, "\x3f"),
new Range(0x3b6, 0x3bb, "\x3f"),
new Range(0x3bd, 0x3bf, "\x3f"),
new Range(0x3c1, 0x3c2, "\x3f"),
new Range(0x3c7, 0x4ba, "\x3f"),
new Range(0x4bc, 0x588, "\x3f"),
new Range(0x58a, 0x669, "\x3f"),
new Range(0x66b, 0x1fff, "\x3f"),
new Range(0x2000, 0x2006, "\x20"),
new Range(0x2007, 0x200f, "\x3f"),
new Range(0x2010, 0x2011, "\x2d"),
new Range(0x2013, 0x2014, "\ufffd"),
new Range(0x2015, 0x2016, "\x3f"),
new Range(0x2018, 0x201a, "\ufffd"),
new Range(0x201c, 0x201e, "\ufffd"),
new Range(0x2020, 0x2022, "\ufffd"),
new Range(0x2027, 0x202f, "\x3f"),
new Range(0x2033, 0x2034, "\x3f"),
new Range(0x2036, 0x2038, "\x3f"),
new Range(0x2039, 0x203a, "\ufffd"),
new Range(0x203b, 0x2043, "\x3f"),
new Range(0x2045, 0x206f, "\x3f"),
new Range(0x2071, 0x2073, "\x3f"),
new Range(0x2079, 0x207e, "\x3f"),
new Range(0x208a, 0x20a0, "\x3f"),
new Range(0x20a2, 0x20a3, "\x3f"),
new Range(0x20a5, 0x20a6, "\x3f"),
new Range(0x20a8, 0x20ab, "\x3f"),
new Range(0x20ad, 0x2101, "\x3f"),
new Range(0x2103, 0x2106, "\x3f"),
new Range(0x2108, 0x2109, "\x3f"),
new Range(0x210b, 0x210d, "\x48"),
new Range(0x2110, 0x2111, "\x49"),
new Range(0x2116, 0x2117, "\x3f"),
new Range(0x2118, 0x2119, "\x50"),
new Range(0x211b, 0x211d, "\x52"),
new Range(0x211e, 0x2121, "\x3f"),
new Range(0x2125, 0x2127, "\x3f"),
new Range(0x212e, 0x212f, "\x65"),
new Range(0x2135, 0x2204, "\x3f"),
new Range(0x2206, 0x2211, "\x3f"),
new Range(0x2218, 0x2219, "\ufffd"),
new Range(0x221b, 0x221d, "\x3f"),
new Range(0x221f, 0x2222, "\x3f"),
new Range(0x2224, 0x2228, "\x3f"),
new Range(0x222a, 0x2235, "\x3f"),
new Range(0x2237, 0x223b, "\x3f"),
new Range(0x223d, 0x2247, "\x3f"),
new Range(0x2249, 0x2260, "\x3f"),
new Range(0x2262, 0x2263, "\x3f"),
new Range(0x2264, 0x2265, "\x3d"),
new Range(0x2266, 0x2269, "\x3f"),
new Range(0x226a, 0x226b, "\ufffd"),
new Range(0x226c, 0x22c4, "\x3f"),
new Range(0x22c6, 0x2301, "\x3f"),
new Range(0x2304, 0x230f, "\x3f"),
new Range(0x2311, 0x231f, "\x3f"),
new Range(0x2322, 0x2328, "\x3f"),
new Range(0x232b, 0x24ff, "\x3f"),
new Range(0x2503, 0x250b, "\x3f"),
new Range(0x250d, 0x250f, "\x3f"),
new Range(0x2511, 0x2513, "\x3f"),
new Range(0x2515, 0x2517, "\x3f"),
new Range(0x2519, 0x251b, "\x3f"),
new Range(0x251d, 0x2523, "\x3f"),
new Range(0x2525, 0x252b, "\x3f"),
new Range(0x252d, 0x2533, "\x3f"),
new Range(0x2535, 0x253b, "\x3f"),
new Range(0x253d, 0x254f, "\x3f"),
new Range(0x2552, 0x255d, "\x2b"),
new Range(0x255e, 0x2563, "\ufffd"),
new Range(0x2564, 0x2569, "\x2d"),
new Range(0x256a, 0x256c, "\x2b"),
new Range(0x256d, 0x257f, "\x3f"),
new Range(0x2581, 0x2583, "\x3f"),
new Range(0x2585, 0x2587, "\x3f"),
new Range(0x2589, 0x258b, "\x3f"),
new Range(0x258d, 0x258f, "\x3f"),
new Range(0x2590, 0x2593, "\ufffd"),
new Range(0x2594, 0x259f, "\x3f"),
new Range(0x25a1, 0x263b, "\x3f"),
new Range(0x263d, 0x2757, "\x3f"),
new Range(0x2759, 0x2fff, "\x3f"),
new Range(0x3001, 0x3007, "\x3f"),
new Range(0x300a, 0x300b, "\ufffd"),
new Range(0x300c, 0x3019, "\x3f"),
new Range(0x301c, 0x30fa, "\x3f"),
new Range(0x30fc, 0xff00, "\x3f")
];
}
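
Review bot: `hasBadPercents` calls `.test()` on `_badPercentRx`, which carries the `g` flag, so the regex keeps `lastIndex` between calls and a second call can start scanning past a bad percent sequence and return false for input that should be flagged. Keep a flag-free copy for the test (as `_affectsRx` sits next to `_replaceRx`) or reset `lastIndex` before testing. In `coalesceQuery`, `p` is taken as `s.substring(0, qm)` and the result is built as `p + pairs.join("&")`, which drops the `?` separator whenever parameters were merged. The file also gives no comment on where the `map` and `ranges` tables come from or which server behaviour they model, which a reader needs in order to audit or update them.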

238
src/xss/Exceptions.js Normal file

@ -0,0 +1,238 @@
'use strict';
XSS.Exceptions = (() => {
var Exceptions = {
get legacyExceptions() {
delete this.legacyExceptions;
this.legacyExceptions =
Legacy.getRxPref("filterXExceptions",
Legacy.RX.multi, "g", /^https?:[a-z:/@.?-]*$/i);
return this.legacyExceptions;
},
async getWhitelist() {
return (await Storage.get("sync", "xssWhitelist")).xssWhitelist;
},
async setWhitelist(xssWhitelist) {
await Storage.set("sync", {xssWhitelist});
},
async shouldIgnore(xssReq) {
function logEx(...args) {
debug("[XSS preprocessing] Ignoring %o", xssReq, ...args);
}
let {
srcObj,
destObj,
srcUrl,
destUrl,
srcOrigin,
destOrigin,
unescapedDest,
isGet,
isPost
} = xssReq;
// same srcUrl
if (srcOrigin === destOrigin) {
return true;
}
// same domain + https: source
if (/^https:/.test(srcOrigin) && xssReq.srcDomain === xssReq.destDomain) {
return true;
}
if (/^(?:chrome|resource|moz-extension|about):/.test(srcOrigin)) {
debug("Privileged origin", srcOrigin);
}
// destination or @source matching legacy regexp
if (this.legacyExceptions.test(unescapedDest) &&
!this.isBadException(destObj.hostname) ||
this.legacyExceptions.test("@" + unescape(srcUrl))) {
logEx("Legacy exception", this.legacyExceptions);
return true;
}
if (!srcObj && isGet) {
if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
return true; // MSDN from Microsoft VS
}
}
if (srcOrigin) { // srcUrl-specific exceptions
if (/^about:(?!blank)/.test(srcOrigin))
return true; // any about: URL except about:blank
if (srcOrigin === "https://www.youtube.com" &&
/^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl) &&
Legacy.getPref("filterXExceptions.yt_comments")
) {
logEx("YouTube comments exception");
return true;
}
if (isPost) {
if (srcOrigin === "https://sso.post.ch" && destOrigin === "https://app.swisspost.ch") {
return true;
}
if (srcOrigin === "https://twitter.com" && /^https:\/\/.*\.twitter\.com$/.test(destOrigin)) {
return true;
}
{
let rx = /^https:\/\/(?:[a-z]+\.)?unionbank\.com$/;
if (rx.test(srcOrigin) && rx.test(destOrigin)) {
return true;
}
}
if (/^https?:\/\/csr\.ebay\.(?:\w{2,3}|co\.uk)\/cse\/start\.jsf$/.test(srcUrl) &&
/^https?:\/\/msa-lfn\.ebay\.(?:\w{2,3}|co\.uk)\/ws\/eBayISAPI\.dll\?[^<'"%]*$/.test(unescapedDest) &&
destObj.protocol === srcObj.protocol &&
Legacy.getPref("filterXException.ebay")) {
logEx("Ebay exception");
return true;
}
if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.(?:l[tv]|com))$/.test(srcUrl) &&
Legacy.getPref("filterXException.visa")) {
logEx("Verified by Visa exception");
return true;
}
if (/\.verizon\.com$/.test(srcOrigin) &&
/^https:\/\/signin\.verizon\.com\/sso\/authsso\/forumLogin\.jsp$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.verizon")) {
logEx("Verizon login exception");
return true;
}
if (/^https?:\/\/mail\.lycos\.com\/lycos\/mail\/MailCompose\.lycos$/.test(srcUrl) &&
/\.lycosmail\.lycos\.com$/.test(destOrigin) &&
Legacy.getPref("filterXExceptions.lycosmail")) {
logEx("Lycos Mail exception");
return true;
}
if (/\.livejournal\.com$/.test(srcOrigin) &&
/^https?:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.livejournal")) {
logEx("Livejournal comments exception");
return true;
}
if (srcOrigin == "https://ssl.rapidshare.com" &&
xssReq.srcDomain == "rapidshare.com") {
logEx("Rapidshare upload exception");
return true;
}
if (srcOrigin == "http://wm.letitbit.net" &&
/^http:\/\/http\.letitbit\.net:81\/cgi-bin\/multi\/upload\.cgi\?/.test(destUrl) &&
Legacy.getPref("filterXExceptions.letitibit")
) {
logEx("letitbit.net upload exception");
return true;
}
if (/\.deviantart\.com$/.test(srcOrigin) &&
/^http:\/\/my\.deviantart\.com\/journal\/update\b/.test(destUrl) &&
Legacy.getPref("filterXExceptions.deviantart")
) {
logEx("deviantart.com journal post exception");
return true;
}
if (srcOrigin == "https://www.mymedicare.gov" &&
destOrigin == "https://myporal.medicare.gov" &&
Legacy.getPref("filterXExceptions.medicare")
) {
logEx("mymedicare.gov exception");
return true;
}
if (/^https?:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
/^https?:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl) &&
Legacy.getPref("filterXExceptions.blogspot")
) {
logEx("blogspot.com template preview exception");
return true;
}
if (/^https?:\/\/www\.readability\.com\/articles\/queue$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.readability")) {
logEx("Readability exception");
return true;
}
if (/^https?:\/\/pdf\.printfriendly\.com\/pdfs\/make$/.test(destUrl) &&
Legacy.getPref("filterXExceptions.printfriendly")) {
logEx("Printfriendly exception");
return true;
}
}
}
},
isBadException(host) {
// TLD check for Google search
let m = host.match(/\bgoogle\.((?:[a-z]{1,3}\.)?[a-z]+)$/i);
return m && tld.getPublicSuffix(host) != m[1];
},
partial(xssReq) {
let {
srcObj,
destObj,
srcUrl,
destUrl,
srcOrigin,
destOrigin,
} = xssReq;
let skipParams, skipRx;
if (/^https:\/\/www\.paypal\.com\/(?:[\w\-]+\/)?cgi-bin\/webscr\b/.test(destUrl)) {
// Paypal buttons encrypted parameter causes a DOS, strip it out
skipParams = ['encrypted'];
} else if (/\.adnxs\.com$/.test(srcOrigin) && /\.adnxs\.com$/.test(destOrigin)) {
skipParams = ['udj'];
} else if (/^https?:\/\/www\.mendeley\.com\/import\/bookmarklet\/$/.test(destUrl)) {
skipParams = ['html'];
} else if (destObj.hash && /^https:/.test(srcOrigin) &&
(/^https?:\/\/api\.facebook\.com\//.test(srcUrl) ||
/^https:\/\/tbpl\.mozilla\.org\//.test(srcUrl) || // work-around for hg reftest DOS
/^https:\/\/[^\/]+\.googleusercontent\.com\/gadgets\/ifr\?/.test(destUrl) // Google gadgets
)) {
skipRx = /#[^#]+$/; // remove receiver's hash
} else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl) && Legacy.getPref("filterXExceptions.fbconnect")) {
skipRx = /&invite_url=javascript[^&]+/; // Zynga stuff
} else if (/^https?:\/\/l\.yimg\.com\/j\/static\/frame\?e=/.test(destUrl) &&
/\.yahoo\.com$/.test(srcOrigin) &&
Legacy.getPref("filterXExceptions.yahoo")) {
skipParams = ['e'];
} else if (/^https?:\/\/wpcomwidgets\.com\/\?/.test(destUrl)) {
skipParams = ["_data"];
} else if (/^https:\/\/docs\.google\.com\/picker\?/.test(destUrl)) {
skipParams = ["nav", "pp"];
} else if (/^https:\/\/.*[\?&]scope=/.test(destUrl)) {
skipRx = /[\?&]scope=[+\w]+(?=&|$)/;
}
if (skipParams) {
skipRx = new RegExp("(?:^|[&?])(?:" + skipParams.join('|') + ")=[^&]+", "g");
}
return {
skipParams,
skipRx
};
}
};
return Exceptions;
})();
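
Review bot: the Rapidshare branch in `shouldIgnore` returns true on `srcOrigin == "https://ssl.rapidshare.com"` alone (the `srcDomain` test is implied by it), with no destination check and no `Legacy.getPref` gate, so every cross-site POST from that origin skips the filter; constrain `destOrigin` or `destUrl` and gate it like the neighbouring exceptions. The Verified by Visa regex ends in `$` right after the host but is tested against `srcUrl` rather than `srcOrigin`, so it can only match a URL that carries no path. The `chrome|resource|moz-extension|about` branch only logs and falls through, which deserves a comment if that is intended. Pref keys are spelled both `filterXException.` (ebay, visa) and `filterXExceptions.`, and `filterXExceptions.letitibit` and `https://myporal.medicare.gov` look misspelled; please confirm these against the stored prefs and the real hosts.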

147
src/xss/FlashIdiocy.js Normal file

@ -0,0 +1,147 @@
'use strict';
XSS.FlashIdiocy = {
_affectsRx: /%(?:[8-9a-f]|[0-7]?[^0-9a-f])/i, // high (non-ASCII) percent encoding or invalid second digit
affects(s) {
return this._affectsRx.test(s);
},
purgeBadEncodings(s) {
return s.replace(/%(?:[0-9a-f]?(?:[^0-9a-f]|$))/ig, "");
},
platformDecode(s) {
return s.replace(/%[8-9a-f][0-9a-f]/ig, s => this.map[s.substring(1).toLowerCase()]);
},
map: {
"80": "?",
"81": "",
"82": "?",
"83": "?",
"84": "?",
"85": "?",
"86": "?",
"87": "?",
"88": "?",
"89": "?",
"8a": "?",
"8b": "?",
"8c": "?",
"8d": "",
"8e": "?",
"8f": "",
"90": "",
"91": "?",
"92": "?",
"93": "?",
"94": "?",
"95": "?",
"96": "?",
"97": "?",
"98": "?",
"99": "?",
"9a": "?",
"9b": "?",
"9c": "?",
"9d": "",
"9e": "?",
"9f": "?",
"a0": " ",
"a1": "¡",
"a2": "¢",
"a3": "£",
"a4": "¤",
"a5": "¥",
"a6": "¦",
"a7": "§",
"a8": "¨",
"a9": "©",
"aa": "ª",
"ab": "«",
"ac": "¬",
"ad": "­",
"ae": "®",
"af": "¯",
"b0": "°",
"b1": "±",
"b2": "²",
"b3": "³",
"b4": "´",
"b5": "µ",
"b6": "¶",
"b7": "·",
"b8": "¸",
"b9": "¹",
"ba": "º",
"bb": "»",
"bc": "¼",
"bd": "½",
"be": "¾",
"bf": "¿",
"c0": "À",
"c1": "Á",
"c2": "Â",
"c3": "Ã",
"c4": "Ä",
"c5": "Å",
"c6": "Æ",
"c7": "Ç",
"c8": "È",
"c9": "É",
"ca": "Ê",
"cb": "Ë",
"cc": "Ì",
"cd": "Í",
"ce": "Î",
"cf": "Ï",
"d0": "Ð",
"d1": "Ñ",
"d2": "Ò",
"d3": "Ó",
"d4": "Ô",
"d5": "Õ",
"d6": "Ö",
"d7": "×",
"d8": "Ø",
"d9": "Ù",
"da": "Ú",
"db": "Û",
"dc": "Ü",
"dd": "Ý",
"de": "Þ",
"df": "ß",
"e0": "à",
"e1": "á",
"e2": "â",
"e3": "ã",
"e4": "ä",
"e5": "å",
"e6": "æ",
"e7": "ç",
"e8": "è",
"e9": "é",
"ea": "ê",
"eb": "ë",
"ec": "ì",
"ed": "í",
"ee": "î",
"ef": "ï",
"f0": "ð",
"f1": "ñ",
"f2": "ò",
"f3": "ó",
"f4": "ô",
"f5": "õ",
"f6": "ö",
"f7": "÷",
"f8": "ø",
"f9": "ù",
"fa": "ú",
"fb": "û",
"fc": "ü",
"fd": "ý",
"fe": "þ",
"ff": "ÿ",
}
};
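
Review bot: the `map` entries for `a0` and `ad` are written as literal whitespace or invisible characters, which cannot be verified by eye and are easily altered by editors or transcoding; write them (and ideally the whole table) with `\x` escapes as `ASPIdiocy.map` does. A short comment stating which platform decoding the table models, and why `81`, `8d`, `8f`, `90` and `9d` map to the empty string, would also help, since `platformDecode` silently depends on every key from `80` to `ff` being present.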

1199
src/xss/InjectionChecker.js Normal file

File diff suppressed because it is too large

246
src/xss/XSS.js Normal file

@ -0,0 +1,246 @@
'use strict';
var XSS = (() => {
const ABORT = {cancel: true}, ALLOW = {};
let promptsMap = new Map();
async function getUserResponse(xssReq) {
let {originKey} = xssReq;
await promptsMap.get(originKey);
// promptsMap.delete(originKey);
switch (await XSS.getUserChoice(originKey)) {
case "allow":
return ALLOW;
case "block":
log("Blocking request from %s to %s by previous XSS prompt user choice",
xssReq.srcUrl, xssReq.destUrl);
return ABORT;
}
return null;
}
async function requestListener(request) {
if (ns.isEnforced(request.tabId)) {
let {policy} = ns;
let {type} = request;
if (type !== "main_frame") {
if (type === "sub_frame") type = "frame";
if (!policy.can(request.url, type, request.originUrl)) {
return ALLOW; // it will be blocked by RequestGuard
}
}
}
let xssReq = XSS.parseRequest(request);
if (!xssReq) return null;
let userResponse = await getUserResponse(xssReq);
if (userResponse) return userResponse;
let data;
let reasons;
try {
reasons = await XSS.maybe(xssReq);
if (!reasons) return ALLOW;
data = [];
} catch (e) {
error(e, "XSS filter processing %o", xssReq);
reasons = { urlInjection: true };
data = [e.toString()];
}
let prompting = (async () => {
userResponse = await getUserResponse(xssReq);
if (userResponse) return userResponse;
let {srcOrigin, destOrigin, unescapedDest} = xssReq;
let block = !!(reasons.urlInjection || reasons.postInjection)
if (reasons.protectName) {
RequestUtil.executeOnStart(request, {
file: "/xss/sanitizeName.js",
});
if (!block) return ALLOW;
}
if (reasons.urlInjection) data.push(`(URL) ${unescapedDest}`);
if (reasons.postInjection) data.push(`(POST) ${reasons.postInjection}`);
let source = srcOrigin && srcOrigin !== "null" ? srcOrigin : "[...]";
let {button, option} = await Prompts.prompt({
title: _("XSS_promptTitle"),
message: _("XSS_promptMessage", [source, destOrigin, data.join(",")]),
options: [
{label: _(`XSS_opt${block ? 'Block' : 'Sanitize'}`), checked: true}, // 0
{label: _("XSS_optAlwaysBlock", [source, destOrigin])}, // 1
{label: _("XSS_optAllow")}, // 2
{label: _("XSS_optAlwaysAllow", [source, destOrigin])}, // 3
],
buttons: [_("Ok")],
multiple: "focus",
width: 600,
height: 480,
});
if (button === 0 && option >= 2) {
if (option === 3) { // always allow
await XSS.setUserChoice(xssReq.originKey, "allow");
await XSS.saveUserChoices();
}
return ALLOW;
}
if (option === 1) { // always block
block = true;
await XSS.setUserChoice(xssReq.originKey, "block");
await XSS.saveUserChoices();
}
return block ? ABORT : ALLOW;
})();
promptsMap.set(xssReq.originKey, prompting);
try {
return await prompting;
} catch (e) {
error(e);
return ABORT;
}
};
return {
async start() {
let {onBeforeRequest} = browser.webRequest;
if (onBeforeRequest.hasListener(requestListener)) return;
await include("/legacy/Legacy.js");
await include("/xss/Exceptions.js");
this._userChoices = (await Storage.get("sync", "xssUserChoices")).xssUserChoices || {};
// conver old style whitelist if stored
let oldWhitelist = await XSS.Exceptions.getWhitelist();
if (oldWhitelist) {
for (let [destOrigin, sources] of Object.entries(oldWhitelist)) {
for (let srcOrigin of sources) {
this._userChoices[`${srcOrigin}>${destOrigin}`] = "allow";
}
}
XSS.Exceptions.setWhitelist(null);
}
onBeforeRequest.addListener(requestListener, {
urls: ["*://*/*"],
types: ["main_frame", "sub_frame", "object"]
}, ["blocking", "requestBody"]);
},
stop() {
let {onBeforeRequest} = browser.webRequest;
if (onBeforeRequest.hasListener(requestListener)) {
onBeforeRequest.removeListener(requestListener);
}
},
parseRequest(request) {
let {
url: destUrl,
originUrl: srcUrl,
method
} = request;
let destObj;
try {
destObj = new URL(destUrl);
} catch (e) {
error(e, "Cannot create URL object for %s", destUrl);
return null;
}
let srcObj = null;
if (srcUrl) {
try {
srcObj = new URL(srcUrl);
} catch (e) {}
} else {
srcUrl = "";
}
let unescapedDest = unescape(destUrl);
let srcOrigin = srcObj ? srcObj.origin : "";
let destOrigin = destObj.origin;
let isGet = method === "GET";
return {
xssUnparsed: request,
srcUrl,
destUrl,
srcObj,
destObj,
srcOrigin,
destOrigin,
get srcDomain() {
delete this.srcDomain;
return this.srcDomain = srcObj && srcObj.hostname && tld.getDomain(srcObj.hostname) || "";
},
get destDomain() {
delete this.destDomain;
return this.destDomain = tld.getDomain(destObj.hostname);
},
get originKey() {
delete this.originKey;
return this.originKey = `${srcOrigin}>${destOrigin}`;
},
unescapedDest,
isGet,
isPost: !isGet && method === "POST",
}
},
async saveUserChoices(xssUserChoices = this._userChoices || {}) {
this._userChoices = xssUserChoices;
await Storage.set("sync", {xssUserChoices});
},
getUserChoices() {
return this._userChoices;
},
setUserChoice(originKey, choice) {
this._userChoices[originKey] = choice;
},
getUserChoice(originKey) {
return this._userChoices[originKey];
},
async maybe(request) { // return reason or null if everything seems fine
let xssReq = request.xssUnparsed ? request : this.parseRequest(request);
request = xssReq.xssUnparsed;
if (await this.Exceptions.shouldIgnore(xssReq)) {
return null;
}
let {
skipParams,
skipRx
} = this.Exceptions.partial(xssReq);
let {destUrl} = xssReq;
await include("/xss/InjectionChecker.js");
let ic = await this.InjectionChecker;
ic.reset();
let postInjection = xssReq.isPost &&
request.requestBody && request.requestBody.formData &&
ic.checkPost(request.requestBody.formData, skipParams);
let protectName = ic.nameAssignment;
let urlInjection = ic.checkUrl(destUrl, skipRx);
protectName = protectName || ic.nameAssignment;
ic.reset();
return !(protectName || postInjection || urlInjection) ? null
: { protectName, postInjection, urlInjection };
}
};
})();
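Review bot: In the prompt handler, options 1 and 3 persist the choice under xssReq.originKey even when the source origin is empty or "null" (the case the message displays as "[...]"), so a stored "allow" is keyed as ">" + destOrigin or "null>" + destOrigin and is not tied to any identifiable source. Consider offering only the one-time options when srcOrigin is empty or "null", or refusing to persist the choice in that case. Separately, start() copies the old whitelist into this._userChoices and then calls XSS.Exceptions.setWhitelist(null) without calling saveUserChoices(), so the converted entries exist only in memory until some later prompt happens to save them; persisting right after the conversion loop, before clearing the old whitelist, would avoid losing them.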

4
src/xss/sanitizeName.js Normal file

@ -0,0 +1,4 @@
if (/[<"'\`(=:]/.test(window.name)) {
console.log(`NoScript XSS filter sanitizing suspicious window.name "%s" on %s`, window.name, document.URL);
window.name = "";
}
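Review bot: The test on the first line has no comment saying what the character set is meant to catch, or that this script is only injected when the filter reports reasons.protectName (the RequestUtil.executeOnStart call in XSS.js); read in isolation it looks as if every window.name containing ":" or "=" gets cleared. A short header comment stating both would fix that. Two style points on the same lines: the backslash before the backtick inside the character class is not needed, and the console.log format string is a template literal with no interpolation, so a plain quoted string would do.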