Mirrors
/
uBlock
mirror of https://github.com/gorhill/uBlock.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use unspoofable Messenger.origin to determine privilege level of ports 

Related issue:
- https://github.com/uBlockOrigin/uBlock-issues/issues/1992
This commit is contained in:
Raymond Hill 2022-02-17 18:05:01 -05:00
parent 3154ed1bac
commit e1e2ba3d5d
No known key found for this signature in database
GPG Key ID: 25E1490B761470C2
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
platform/common/vapi-background.js
View File

@ -824,12 +824,18 @@ browser.browserAction.onClicked.addListener(function(tab) {
// content scripts. Whether a message can trigger a privileged operation is
// decided based on whether the port from which a message is received is
// privileged, which is a status evaluated once, at port connection time.
//
// https://github.com/uBlockOrigin/uBlock-issues/issues/1992
// If present, use MessageSender.origin to determine whether the port is
// from a privileged page, otherwise use MessageSender.url.
// MessageSender.origin is more reliable as it is not spoofable by a
// compromised renderer.
vAPI.messaging = {
ports: new Map(),
listeners: new Map(),
defaultHandler: null,
PRIVILEGED_URL: vAPI.getURL(''),
PRIVILEGED_ORIGIN: vAPI.getURL('').slice(0, -1),
NOOPFUNC: function(){},
UNHANDLED: 'vAPI.messaging.notHandled',
@ -855,10 +861,12 @@ vAPI.messaging = {
);
const portDetails = { port };
const sender = port.sender;
const { tab, url } = sender;
const { origin, tab, url } = sender;
portDetails.frameId = sender.frameId;
portDetails.frameURL = url;
portDetails.privileged = url.startsWith(this.PRIVILEGED_URL);
portDetails.privileged =
origin !== undefined && origin === this.PRIVILEGED_ORIGIN ||
origin === undefined && url.startsWith(this.PRIVILEGED_ORIGIN);
if ( tab ) {
portDetails.tabId = tab.id;
portDetails.tabURL = tab.url;