Revision 7ee7889a
Added by Wojtek Kosior about 2 years ago
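--- a/content/main.js
+++ b/content/main.js
@@ -30,29 +30,45 @@
 const url_item = window.url_item;
 const gen_unique = window.gen_unique;
 
-var url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
-var match = url_re.exec(document.URL);
-var base_url = match[1];
-var first_target = match[3];
-var second_target = match[4];
+/*
+* Due to some technical limitations the chosen method of whitelisting sites
+* is to smuggle whitelist indicator in page's url as a "magical" string
+* after '#'. Right now this is not needed in HTTP(s) pages where native
+* script blocking happens through CSP header injection but is needed for
+* protocols like ftp:// and file://.
+*
+* The code that actually injects the magical string into ftp:// and file://
+* urls has not yet been added to the extension.
+*/
 
-// TODO: can be refactored *a little bit* with policy_smuggler.js
 let url = url_item(document.URL);
 let unique = gen_unique(url);
-
 let nonce = unique.substring(1);
 
-var block = true;
-if (first_target !== undefined &&
-first_target === unique) {
-block = false;
-console.log(["allowing", document.URL]);
-if (second_target !== undefined)
-window.location.href = base_url + second_target;
-else
-history.replaceState(null, "", base_url);
-} else {
-console.log(["not allowing", document.URL]);
+function needs_blocking()
+{
+if (url.startsWith("https://") || url.startsWith("http://"))
+return false;
+
+let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;
+let match = url_re.exec(document.URL);
+let base_url = match[1];
+let first_target = match[3];
+let second_target = match[4];
+
+if (first_target !== undefined &&
+first_target === unique) {
+if (second_target !== undefined)
+window.location.href = base_url + second_target;
+else
+history.replaceState(null, "", base_url);
+
+console.log(["allowing whitelisted", document.URL]);
+return false;
+}
+
+console.log(["disallowing", document.URL]);
+return true;
 }
 
 function handle_mutation(mutations, observer)
@@ -129,7 +145,7 @@
 }
 }
 
-if (block) {
+if (needs_blocking()) {
 var observer = new MutationObserver(handle_mutation);
 observer.observe(document.documentElement, {
 attributes: true,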
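Review bot: The early `return false` for `http://` and `https://` URLs at the top of `needs_blocking()` makes the content script fail open on those pages: no MutationObserver is installed, so blocking there rests entirely on the CSP header that the new comment says is injected elsewhere, and nothing in this file section checks that the header was applied. If that path can ever be skipped (the webRequest side is not visible here), consider keeping the observer as a fallback, or at least record the assumption next to the check, e.g. `/* http(s): blocked by the injected CSP header; this script does not verify that the header was applied */`. For the remaining schemes the allow decision is `first_target === unique`, and since the fragment is chosen by whoever wrote the link, that check is only as strong as the unpredictability of `gen_unique()`, which is defined outside this section and worth confirming. `needs_blocking()` also navigates or rewrites history as a side effect of what reads like a predicate, which deserves a line in a header comment; the `if (needs_blocking()) {` block it guards continues past the end of the section.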
when possible inject CSP as http(s) header using webRequest instead of adding a tag