Project

General

Profile

« Previous | Next » 

Revision 96068ada

Added by koszko almost 2 years ago

replace cookies with synchronous XmlHttpRequest as policy smuggling method.

Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.

View differences:

content/page_actions.js
12 12 
 * IMPORT CONNECTION_TYPE
13 13 
 * IMPORT browser
14 14 
 * IMPORT report_script
15 
 * IMPORT report_settings
16 15 
 * IMPORT report_document_type
17 16 
 * IMPORTS_END
18 17 
 */
19 18 

  		




  20
  
  
    
let policy_received_callback;


  		




  
  19
  
    
let policy;


  		




  21
  20
  
    
/* Snapshot url and content type early; these can be changed by other code. */


  		




  22
  21
  
    
let url;


  		




  23
  22
  
    
let is_html;


  		




  24
  23
  
    
let port;


  		




  25
  24
  
    
let loaded = false;


  		




  26
  25
  
    
let scripts_awaiting = [];


  		




  27
  
  
    
let nonce;


  		




  28
  26
  
    

  		




  29
  27
  
    
function handle_message(message)


  		




  30
  28
  
    
{


  		




  ......




  38
  36
  
    
		scripts_awaiting.push(script_text);


  		




  39
  37
  
    
	}


  		




  40
  38
  
    
    }


  		




  41
  
  
    
    if (action === "settings") {


  		




  42
  
  
    
	report_settings(data);


  		




  43
  
  
    
	policy_received_callback({url, allow: data[1].allow});


  		




  
  39
  
    
    else {


  		




  
  40
  
    
	console.error(`Bad page action '${action}'.`);


  		




  44
  41
  
    
    }


  		




  45
  42
  
    
}


  		




  46
  43
  
    

  		




  ......




  61
  58
  
    

  		




  62
  59
  
    
    let script = document.createElement("script");


  		




  63
  60
  
    
    script.textContent = script_text;


  		




  64
  
  
    
    script.setAttribute("nonce", nonce);


  		




  
  61
  
    
    script.setAttribute("nonce", policy.nonce);


  		




  65
  62
  
    
    script.haketilo_payload = true;


  		




  66
  63
  
    
    document.body.appendChild(script);


  		




  67
  64
  
    

  		




  68
  65
  
    
    report_script(script_text);


  		




  69
  66
  
    
}


  		




  70
  67
  
    

  		




  71
  
  
    
function handle_page_actions(script_nonce, policy_received_cb,


  		




  72
  
  
    
			     doc_ready_promise) {


  		




  73
  
  
    
    policy_received_callback = policy_received_cb;


  		




  
  68
  
    
function handle_page_actions(_policy, doc_ready_promise) {


  		




  
  69
  
    
    policy = _policy;


  		




  
  70
  
    

  		




  74
  71
  
    
    url = document.URL;


  		




  75
  72
  
    
    is_html = document instanceof HTMLDocument;


  		




  76
  73
  
    
    report_document_type(is_html);


  		




  77
  74
  
    

  		




  78
  75
  
    
    doc_ready_promise.then(document_ready);


  		




  79
  76
  
    

  		




  80
  
  
    
    port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});


  		




  81
  
  
    
    port.onMessage.addListener(handle_message);


  		




  82
  
  
    
    port.postMessage({url});


  		




  83
  
  
    

  		




  84
  
  
    
    nonce = script_nonce;


  		




  
  77
  
    
    if (policy.payload) {


  		




  
  78
  
    
	port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});


  		




  
  79
  
    
	port.onMessage.addListener(handle_message);


  		




  
  80
  
    
	port.postMessage({payload: policy.payload});


  		




  
  81
  
    
    }


  		




  85
  82
  
    
}


  		




  86
  83
  
    

  		




  87
  84
  
    
/*


  		












Also available in:  Unified diff