Revision 830d22d8
Added by koszko over 1 year ago
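--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -159,6 +159,12 @@
 delete script.haketilo_blocked_type;
 }
 
+/*
+* Blocking certain attributes that might allow 'javascript:' URLs. Some of
+* these are: <iframe>'s 'src' attributes (would normally execute js in URL upon
+* frame's load), <object>'s 'data' attribute (would also execute upon load) and
+* <a>'s 'href' attribute (would execute upon link click).
+*/
 const bad_url_reg = /^data:([^,;]*ml|unknown-content-type)|^javascript:/i;
 function sanitize_element_urls(element) {
 if (element.haketilo_sanitized_urls)
@@ -166,13 +172,37 @@
 
 element.haketilo_sanitized_urls = true;
 
+let some_attr_blocked = false;
+
 for (const attr of [...element.attributes || []]
 .filter(attr => /^(href|src|data)$/i.test(attr.localName))
 .filter(attr => bad_url_reg.test(attr.value))) {
+/*
+* Under some browsers (Mozilla) removing attributes doesn't stop their
+* javascript from executing, but replacing them does. For 'src' and
+* 'data' I chose to replace the attribute with a 'data:' URL and have
+* it replace bad <iframe>'s/<object>'s contents with a "blocked"
+* string. For 'href' (which appears on <a>'s) I chose to use a
+* 'javascript:' URL to avoid having the page reloaded upon a link
+* click.
+*/
 const replacement_value = /^href$/i.test(attr.localName) ?
-"javascript:void('blocked');" : "data:text/plain,blocked";
+"javascript:void('blocked');" : "data:text/plain,blocked";
+some_attr_blocked = true;
 block_attribute(element, attr.localName, attr.namespaceURI,
-replacement_value);
+replacement_value);
+}
+
+/*
+* Trial and error shows that under certain browsers additional element
+* removal and re-addition might be necessary to prevent execution of a
+* 'javascript:' URL (Parabola's Iceweasel 75 requires it for 'src' URL of
+* an <iframe>).
+*/
+if (some_attr_blocked) {
+const replacement_elem = document.createElement("a");
+element.replaceWith(replacement_elem);
+replacement_elem.replaceWith(element);
 }
 }
 
@@ -189,8 +219,10 @@
 continue;
 
 /*
-* Guard against redefined getter on DOM object property. This should
-* not be an issue */
+* Guard against redefined getter on DOM object property. This is a
+* supplemental security measure since page's own scripts should be
+* blocked and unable to redefine properties, anyway.
+*/
 if (Object.getOwnPropertyDescriptor(element.wrappedJSObject, attr)) {
 console.error("Redefined property on a DOM object! The page might have bypassed our script blocking measures!");
 continue;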
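Review bot: The filter at new line 179 runs `bad_url_reg` (new line 168, anchored with `^`) against the raw `attr.value`, while the browser's URL parser drops leading control/space characters and ASCII tab/newline before it reads the scheme, so the check and the browser can disagree about whether a value is a `javascript:` or `data:` URL. Normalise the value the same way before testing, e.g. `.filter(attr => bad_url_reg.test(attr.value.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "")))`. The comment added at new lines 162–167 would be the place to state that matching is done on the normalised value. One line of `sanitize_element_urls` (old 165 / new 171) is elided on this page, so this is judged from the visible lines only.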
support Parabola's Iceweasel in tests