Revision 261548ff
Added by koszko about 2 years ago
content/freezer.js | ||
---|---|---|
6 | 6 |
* Redistribution terms are gathered in the `copyright' file. |
7 | 7 |
*/ |
8 | 8 |
|
9 |
"use strict"; |
|
9 |
const loaderAttributes = ["href", "src", "data"]; |
|
10 |
const jsOrDataUrlRx = /^(?:data:(?:[^,;]*ml|unknown-content-type)|javascript:)/i; |
|
10 | 11 |
|
11 |
(() => { |
|
12 |
const loaderAttributes = ["href", "src", "data"]; |
|
13 |
const jsOrDataUrlRx = /^(?:data:(?:[^,;]*ml|unknown-content-type)|javascript:)/i; |
|
12 |
function sanitize_attributes(element) { |
|
13 |
if (element._frozen) |
|
14 |
return; |
|
15 |
let fa = []; |
|
16 |
let loaders = []; |
|
17 |
let attributes = element.attributes || []; |
|
14 | 18 |
|
15 |
function sanitizeAttributes(element) { |
|
16 |
if (element._frozen) |
|
17 |
return; |
|
18 |
let fa = []; |
|
19 |
let loaders = []; |
|
20 |
for (let a of element.attributes) { |
|
21 |
let name = a.localName.toLowerCase(); |
|
22 |
if (loaderAttributes.includes(name)) |
|
23 |
if (jsOrDataUrlRx.test(a.value)) |
|
24 |
loaders.push(a); |
|
19 |
for (let a of attributes) { |
|
20 |
let name = a.localName.toLowerCase(); |
|
21 |
if (loaderAttributes.includes(name)) |
|
22 |
if (jsOrDataUrlRx.test(a.value)) |
|
23 |
loaders.push(a); |
|
25 | 24 |
|
26 |
else if (name.startsWith("on")) { |
|
27 |
console.debug("Removing", a, element.outerHTML); |
|
28 |
fa.push(a.cloneNode()); |
|
29 |
a.value = ""; |
|
30 |
element[name] = null; |
|
31 |
} |
|
25 |
else if (name.startsWith("on")) { |
|
26 |
console.debug("Removing", a, element.outerHTML); |
|
27 |
fa.push(a.cloneNode()); |
|
28 |
a.value = ""; |
|
29 |
element[name] = null; |
|
32 | 30 |
} |
33 |
if (loaders.length) { |
|
34 |
for (let a of loaders) { |
|
35 |
fa.push(a.cloneNode()); |
|
36 |
a.value = "javascript://frozen"; |
|
37 |
} |
|
38 |
if ("contentWindow" in element) |
|
39 |
element.replaceWith(element = element.cloneNode(true)); |
|
40 |
|
|
31 |
} |
|
32 |
if (loaders.length) { |
|
33 |
for (let a of loaders) { |
|
34 |
fa.push(a.cloneNode()); |
|
35 |
a.value = "javascript://frozen"; |
|
41 | 36 |
} |
42 |
if (fa.length)
|
|
43 |
element._frozenAttributes = fa;
|
|
44 |
element._frozen = true; |
|
37 |
if ("contentWindow" in element)
|
|
38 |
element.replaceWith(element = element.cloneNode(true));
|
|
39 |
|
|
45 | 40 |
} |
46 |
|
|
47 |
function scriptSuppressor(nonce) { |
|
48 |
const blockExecute = e => { |
|
49 |
if (document.readyState === 'complete') { |
|
50 |
removeEventListener('beforescriptexecute', blockExecute, true); |
|
51 |
return; |
|
52 |
} |
|
53 |
else if (e.isTrusted && e.target.getAttribute('nonce') !== nonce) { // Prevent blocking of injected scripts |
|
54 |
e.preventDefault(); |
|
55 |
console.log('Suppressed script', e.target); |
|
56 |
} |
|
57 |
}; |
|
58 |
return blockExecute; |
|
41 |
if (fa.length) |
|
42 |
element._frozenAttributes = fa; |
|
43 |
element._frozen = true; |
|
44 |
} |
|
45 |
|
|
46 |
function script_suppressor(nonce) { |
|
47 |
const blockExecute = e => { |
|
48 |
if (document.readyState === 'complete') { |
|
49 |
removeEventListener('beforescriptexecute', blockExecute, true); |
|
50 |
return; |
|
51 |
} |
|
52 |
else if (e.isTrusted && e.target.getAttribute('nonce') !== nonce) { // Prevent blocking of injected scripts |
|
53 |
e.preventDefault(); |
|
54 |
console.log('Suppressed script', e.target); |
|
55 |
} |
|
59 | 56 |
}; |
60 |
|
|
61 |
window.scriptSuppressor = scriptSuppressor; |
|
62 |
window.sanitize_attributes = sanitizeAttributes; |
|
63 |
})(); |
|
57 |
return blockExecute; |
|
58 |
}; |
|
59 |
|
|
60 |
/* |
|
61 |
* EXPORTS_START |
|
62 |
* EXPORT script_suppressor |
|
63 |
* EXPORT sanitize_attributes |
|
64 |
* EXPORTS_END |
|
65 |
*/ |
Also available in: Unified diff
emply an sh-based build system; make some changes to blocking