Haketilo

/**

 * Hachette main content script run in all frames

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Copyright (C) 2021 jahoti

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT handle_page_actions

 * IMPORT url_extract_target

 * IMPORT gen_unique

 * IMPORT gen_nonce

 * IMPORT csp_rule

 * IMPORT is_privileged_url

 * IMPORT sanitize_attributes

 * IMPORT mozilla_suppress_scripts

 * IMPORT is_chrome

 * IMPORT is_mozilla

 * IMPORT start_activity_info_server

 * IMPORT sanitize_csp_header

 * IMPORTS_END

 */

/*

 * Due to some technical limitations the chosen method of whitelisting sites

 * is to smuggle whitelist indicator in page's url as a "magical" string

 * after '#'. Right now this is only supplemental in HTTP(s) pages where

 * blocking of native scripts also happens through CSP header injection but is

 * necessary for protocols like ftp:// and file://.

 *

 * The code that actually injects the magical string into ftp:// and file://

 * urls has not yet been added to the extension.

 */

var nonce = undefined;

function handle_mutation(mutations, observer)

{

    if (document.readyState === 'complete') {

	console.log("mutation handling complete");

	observer.disconnect();

	return;

    }

    for (const mutation of mutations) {

	for (const node of mutation.addedNodes)

	    block_node(node);

    }

}

function block_nodes_recursively(node)

{

    block_node(node);

    for (const child of node.children)

	block_nodes_recursively(child);

}

function block_node(node)

{

    /*

     * Modifying <script> element doesn't always prevent its execution in some

     * Mozilla browsers. This is Chromium-specific code.

     */

    if (node.tagName === "SCRIPT") {

	block_script(node);

	return;

    }

    else if (node.tagName === 'META' &&

	node.getAttribute('http-equiv') === 'content-security-policy') {

	node.content = sanitize_csp_header(

	    {value: node.content},

	    `'nonce-${nonce}'`,

	    !policy.allow

	).value;

	return;

    }

    sanitize_attributes(node);

    if (node.tagName === "HEAD")

	inject_csp(node);

}

function block_script(node)

{

    /*

     * Disabling scripts this way allows them to still be relatively

     * easily accessed in case they contain some useful data.

     */

    if (node.hasAttribute("type"))

	node.setAttribute("blocked-type", node.getAttribute("type"));

    node.setAttribute("type", "application/json");

}

function inject_csp(head)

{

    console.log('injecting CSP');

    let meta = document.createElement("meta");

    meta.setAttribute("http-equiv", "Content-Security-Policy");

    meta.setAttribute("content", csp_rule(nonce));

    if (head.firstElementChild === null)

	head.appendChild(meta);

    else

	head.insertBefore(meta, head.firstElementChild);

}

if (!is_privileged_url(document.URL)) {

    const targets = url_extract_target(document.URL);

    if (targets.policy) {

	if (targets.target2)

	    window.location.href = targets.base_url + targets.target2;

	else

	    history.replaceState(null, "", targets.base_url);

    }

    const policy = targets.current ? targets.policy : {};

    nonce = policy.nonce || gen_nonce();

    handle_page_actions(nonce);

    if (!policy.allow) {

	block_nodes_recursively(document.documentElement);

	/* Now needed on Mozilla as well to sanitize CSP header */

	var observer = new MutationObserver(handle_mutation);

	observer.observe(document.documentElement, {

	    attributes: true,

	    childList: true,

	    subtree: true

	});

	if (is_mozilla)

	    addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);

    }

    start_activity_info_server();

}