Revision 44958e6a
Added by koszko about 2 years ago
| content/main.js | ||
|---|---|---|
| 16 | 16 |
* IMPORT is_chrome |
| 17 | 17 |
* IMPORT is_mozilla |
| 18 | 18 |
* IMPORT start_activity_info_server |
| 19 |
* IMPORT modify_on_the_fly |
|
| 19 |
* IMPORT csp_rule |
|
| 20 |
* IMPORT is_csp_header_name |
|
| 21 |
* IMPORT sanitize_csp_header |
|
| 20 | 22 |
* IMPORTS_END |
| 21 | 23 |
*/ |
| 22 | 24 |
|
| ... | ... | |
| 31 | 33 |
parent.hachette_corresponding.appendChild(clone); |
| 32 | 34 |
} |
| 33 | 35 |
|
| 36 |
/* |
|
| 37 |
* 1. When injecting some payload we need to sanitize <meta> CSP tags before |
|
| 38 |
* they reach the document. |
|
| 39 |
* 2. Only <meta> tags inside <head> are considered valid by the browser and |
|
| 40 |
* need to be considered. |
|
| 41 |
* 3. We want to detach <html> from document, wait until its <head> completes |
|
| 42 |
* loading, sanitize it and re-attach <html>. |
|
| 43 |
* 4. Browsers are eager to add <meta>'s that appear after `</head>' but before |
|
| 44 |
* `<body>'. Due to this behavior the `DOMContentLoaded' event is considered |
|
| 45 |
* unreliable (although it could still work properly, it is just problematic |
|
| 46 |
* to verify). |
|
| 47 |
* 5. We shall wait for anything to appear in or after <body> and take that as |
|
| 48 |
* a sign <head> has _really_ finished loading. |
|
| 49 |
*/ |
|
| 50 |
|
|
| 51 |
function make_body_start_observer(DOM_element, waiting) |
|
| 52 |
{
|
|
| 53 |
const observer = new MutationObserver(() => try_body_started(waiting)); |
|
| 54 |
observer.observe(DOM_element, {childList: true});
|
|
| 55 |
return observer; |
|
| 56 |
} |
|
| 57 |
|
|
| 58 |
function try_body_started(waiting) |
|
| 59 |
{
|
|
| 60 |
const body = waiting.detached_html.querySelector("body");
|
|
| 61 |
|
|
| 62 |
if ((body && (body.firstChild || body.nextSibling)) || |
|
| 63 |
waiting.doc.documentElement.nextSibling) {
|
|
| 64 |
finish_waiting(waiting); |
|
| 65 |
return true; |
|
| 66 |
} |
|
| 67 |
|
|
| 68 |
if (body && waiting.observers.length < 2) |
|
| 69 |
waiting.observers.push(make_body_start_observer(body, waiting)); |
|
| 70 |
} |
|
| 71 |
|
|
| 72 |
function finish_waiting(waiting) |
|
| 73 |
{
|
|
| 74 |
waiting.observers.forEach(observer => observer.disconnect()); |
|
| 75 |
waiting.doc.removeEventListener("DOMContentLoaded", waiting.loaded_cb);
|
|
| 76 |
setTimeout(waiting.callback, 0); |
|
| 77 |
} |
|
| 78 |
|
|
| 79 |
function _wait_for_head(doc, detached_html, callback) |
|
| 80 |
{
|
|
| 81 |
const waiting = {doc, detached_html, callback, observers: []};
|
|
| 82 |
if (try_body_started(waiting)) |
|
| 83 |
return; |
|
| 84 |
|
|
| 85 |
waiting.observers = [make_body_start_observer(detached_html, waiting)]; |
|
| 86 |
waiting.loaded_cb = () => finish_waiting(waiting); |
|
| 87 |
doc.addEventListener("DOMContentLoaded", waiting.loaded_cb);
|
|
| 88 |
} |
|
| 89 |
|
|
| 90 |
function wait_for_head(doc, detached_html) |
|
| 91 |
{
|
|
| 92 |
return new Promise(cb => _wait_for_head(doc, detached_html, cb)); |
|
| 93 |
} |
|
| 94 |
|
|
| 95 |
const blocked_str = "blocked"; |
|
| 96 |
|
|
| 97 |
function block_attribute(node, attr) |
|
| 98 |
{
|
|
| 99 |
/* |
|
| 100 |
* Disabling attributes this way allows them to still be relatively |
|
| 101 |
* easily accessed in case they contain some useful data. |
|
| 102 |
*/ |
|
| 103 |
const construct_name = [attr]; |
|
| 104 |
while (node.hasAttribute(construct_name.join("")))
|
|
| 105 |
construct_name.unshift(blocked_str); |
|
| 106 |
|
|
| 107 |
while (construct_name.length > 1) {
|
|
| 108 |
construct_name.shift(); |
|
| 109 |
const name = construct_name.join("");
|
|
| 110 |
node.setAttribute(`${blocked_str}-${name}`, node.getAttribute(name));
|
|
| 111 |
} |
|
| 112 |
|
|
| 113 |
node.removeAttribute(attr); |
|
| 114 |
} |
|
| 115 |
|
|
| 116 |
function sanitize_meta(meta, policy) |
|
| 117 |
{
|
|
| 118 |
const http_equiv = meta.getAttribute("http-equiv");
|
|
| 119 |
const value = meta.content; |
|
| 120 |
|
|
| 121 |
if (!value || !is_csp_header_name(http_equiv, true)) |
|
| 122 |
return; |
|
| 123 |
|
|
| 124 |
block_attribute(meta, "content"); |
|
| 125 |
|
|
| 126 |
if (is_csp_header_name(http_equiv, false)) |
|
| 127 |
meta.content = sanitize_csp_header({value}, policy).value;
|
|
| 128 |
} |
|
| 129 |
|
|
| 130 |
function apply_hachette_csp_rules(doc, policy) |
|
| 131 |
{
|
|
| 132 |
const meta = doc.createElement("meta");
|
|
| 133 |
meta.setAttribute("http-equiv", "Content-Security-Policy");
|
|
| 134 |
meta.setAttribute("content", csp_rule(policy.nonce));
|
|
| 135 |
doc.head.append(meta); |
|
| 136 |
/* CSP is already in effect, we can remove the <meta> now. */ |
|
| 137 |
meta.remove(); |
|
| 138 |
} |
|
| 139 |
|
|
| 140 |
async function sanitize_document(doc, policy) |
|
| 141 |
{
|
|
| 142 |
/* |
|
| 143 |
* Ensure our CSP rules are employed from the beginning. This CSP injection |
|
| 144 |
* method is, when possible, going to be applied together with CSP rules |
|
| 145 |
* injected using webRequest. |
|
| 146 |
*/ |
|
| 147 |
const has_own_head = doc.head; |
|
| 148 |
if (!has_own_head) |
|
| 149 |
doc.documentElement.prepend(doc.createElement("head"));
|
|
| 150 |
|
|
| 151 |
apply_hachette_csp_rules(doc, policy); |
|
| 152 |
|
|
| 153 |
/* Probably not needed, but...: proceed with DOM in its initial state. */ |
|
| 154 |
if (!has_own_head) |
|
| 155 |
doc.head.remove(); |
|
| 156 |
|
|
| 157 |
/* |
|
| 158 |
* <html> node gets hijacked now, to be re-attached after <head> is loaded |
|
| 159 |
* and sanitized. |
|
| 160 |
*/ |
|
| 161 |
const old_html = doc.documentElement; |
|
| 162 |
const new_html = doc.createElement("html");
|
|
| 163 |
old_html.replaceWith(new_html); |
|
| 164 |
|
|
| 165 |
await wait_for_head(doc, old_html); |
|
| 166 |
|
|
| 167 |
for (const meta of old_html.querySelectorAll("head meta"))
|
|
| 168 |
sanitize_meta(meta, policy); |
|
| 169 |
|
|
| 170 |
new_html.replaceWith(old_html); |
|
| 171 |
} |
|
| 172 |
|
|
| 34 | 173 |
if (!is_privileged_url(document.URL)) {
|
| 35 | 174 |
const reductor = |
| 36 | 175 |
(ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig]; |
| ... | ... | |
| 45 | 184 |
if (signature) |
| 46 | 185 |
document.cookie = `hachette-${signature}=; Max-Age=-1;`;
|
| 47 | 186 |
|
| 48 |
handle_page_actions(policy.nonce); |
|
| 187 |
if (!policy.allow) |
|
| 188 |
sanitize_document(document, policy); |
|
| 49 | 189 |
|
| 50 |
if (!policy.allow) {
|
|
| 51 |
const old_html = document.documentElement; |
|
| 52 |
const new_html = document.createElement("html");
|
|
| 53 |
old_html.replaceWith(new_html); |
|
| 54 |
old_html.hachette_corresponding = new_html; |
|
| 55 |
|
|
| 56 |
const modify_end = |
|
| 57 |
modify_on_the_fly(old_html, policy, {node_eater: accept_node});
|
|
| 58 |
document.addEventListener("DOMContentLoaded", modify_end);
|
|
| 59 |
} |
|
| 190 |
handle_page_actions(policy.nonce); |
|
| 60 | 191 |
|
| 61 | 192 |
start_activity_info_server(); |
| 62 | 193 |
} |
Also available in: Unified diff
implement rethinked tags sanitizing approach
This has not been tested yet. Additionally, functionality for blocking of `data:' urls needs to be re-enabled.