Haketilo

/**

 * Myext main content script run in all frames

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT handle_page_actions

 * IMPORT url_item

 * IMPORT gen_unique

 * IMPORT sanitize_attributes

 * IMPORT script_suppressor

 * IMPORT is_chrome

 * IMPORT is_mozilla

 * IMPORTS_END

 */

/*

 * Due to some technical limitations the chosen method of whitelisting sites

 * is to smuggle whitelist indicator in page's url as a "magical" string

 * after '#'. Right now this is not needed in HTTP(s) pages where native

 * script blocking happens through CSP header injection but is needed for

 * protocols like ftp:// and file://.

 *

 * The code that actually injects the magical string into ftp:// and file://

 * urls has not yet been added to the extension.

 */

let url = url_item(document.URL);

let unique = gen_unique(url);

let nonce = unique.substring(1);

const suppressor = script_suppressor(nonce);

function needs_blocking()

{

    if (url.startsWith("https://") || url.startsWith("http://"))

	return false;

    let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;

    let match = url_re.exec(document.URL);

    let base_url = match[1];

    let first_target = match[3];

    let second_target = match[4];

    if (first_target !== undefined &&

	first_target === unique) {

	if (second_target !== undefined)

	    window.location.href = base_url + second_target;

	else

	    history.replaceState(null, "", base_url);

	console.log(["allowing whitelisted", document.URL]);

	return false;

    }

    console.log(["disallowing", document.URL]);

    return true;

}

function handle_mutation(mutations, observer)

{

    if (document.readyState === 'complete') {

	console.log("mutation handling complete");

	observer.disconnect();

	return;

    }

    for (const mutation of mutations) {

	for (const node of mutation.addedNodes)

	    block_node(node);

    }

}

function block_nodes_recursively(node)

{

    block_node(node);

    for (const child of node.children)

	block_nodes_recursively(child);

}

function block_node(node)

{

    /*

     * Modifying <script> element doesn't always prevent its

     * execution in some Mozilla browsers. Additional blocking

     * through CSP meta tag injection is required.

     */

    if (node.tagName === "SCRIPT") {

	block_script(node);

	return;

    }

    sanitize_attributes(node);

    if (node.tagName === "HEAD")

	inject_csp(node);

}

function block_script(node)

{

    /*

     * Disabling scripts this way allows them to still be relatively

     * easily accessed in case they contain some useful data.

     */

    if (node.hasAttribute("type"))

	node.setAttribute("blocked-type", node.getAttribute("type"));

    node.setAttribute("type", "application/json");

}

function inject_csp(head)

{

    console.log('injecting CSP');

    let meta = document.createElement("meta");

    meta.setAttribute("http-equiv", "Content-Security-Policy");

    let rule = `script-src 'nonce-${nonce}'; `;

    if (is_chrome)

	rule += `script-src-elem 'nonce-${nonce}';`;

    meta.setAttribute("content", rule);

    if (head.firstElementChild === null)

	head.appendChild(meta);

    else

	head.insertBefore(meta, head.firstElementChild);

}

if (needs_blocking()) {

    block_nodes_recursively(document.documentElement);

    if (is_chrome) {

	var observer = new MutationObserver(handle_mutation);

	observer.observe(document.documentElement, {

	    attributes: true,

	    childList: true,

	    subtree: true

	});

    }

    if (is_mozilla)

	addEventListener('beforescriptexecute', suppressor, true);

}

handle_page_actions(nonce);