Revision aacacbb8
Added by koszko over 1 year ago
| content/policy_enforcing.js | ||
|---|---|---|
| 271 | 271 |
} |
| 272 | 272 |
|
| 273 | 273 |
MOSanitizer.prototype.observe = function() {
|
| 274 |
this.mo.disconnect(); |
|
| 275 |
|
|
| 274 | 276 |
let elem = this.root; |
| 275 | 277 |
while (elem && !elem.haketilo_trusted_node) {
|
| 276 | 278 |
this.mo.observe(elem, {childList: true});
|
| ... | ... | |
| 284 | 286 |
this.recursively_sanitize(new_node); |
| 285 | 287 |
} |
| 286 | 288 |
|
| 287 |
this.mo.disconnect(); |
|
| 288 | 289 |
this.observe(); |
| 289 | 290 |
} |
| 290 | 291 |
|
| ... | ... | |
| 355 | 356 |
substitute_doc.addEventListener(...listener_args); |
| 356 | 357 |
|
| 357 | 358 |
wait_loaded(doc).then(() => doc.removeEventListener(...listener_args)); |
| 358 |
|
|
| 359 |
sanitize_tree_urls(doc.documentElement); |
|
| 360 |
sanitize_tree_onevent(doc.documentElement); |
|
| 361 | 359 |
#ENDIF |
| 362 | 360 |
|
| 363 |
if (!doc.content_loaded) {
|
|
| 364 |
const sanitizer = new MOSanitizer(doc.documentElement); |
|
| 365 |
sanitizer.start(); |
|
| 366 |
wait_loaded(doc).then(() => sanitizer.stop()); |
|
| 367 |
} |
|
| 368 |
|
|
| 369 | 361 |
/* |
| 370 | 362 |
* Ensure our CSP rules are employed from the beginning. This CSP injection |
| 371 | 363 |
* method is, when possible, going to be applied together with CSP rules |
| ... | ... | |
| 399 | 391 |
substitute_doc.documentElement.replaceWith(root); |
| 400 | 392 |
#ENDIF |
| 401 | 393 |
|
| 394 |
const sanitizer = new MOSanitizer(root); |
|
| 395 |
sanitizer.start(); |
|
| 396 |
wait_loaded(doc).then(() => sanitizer.stop()); |
|
| 397 |
|
|
| 402 | 398 |
/* |
| 403 | 399 |
* When we don't inject payload, we neither block document's CSP `<meta>' |
| 404 | 400 |
* tags nor wait for `<head>' to be parsed. |
| 405 | 401 |
*/ |
| 406 | 402 |
if (policy.payload) {
|
| 407 |
await wait_for_head(doc, root); |
|
| 403 |
if (doc instanceof HTMLDocument) |
|
| 404 |
await wait_for_head(doc, root); |
|
| 408 | 405 |
|
| 409 | 406 |
root.querySelectorAll("head meta")
|
| 410 | 407 |
.forEach(m => sanitize_meta(m, policy)); |
| test/haketilo_test/data/pages/scripts_to_block_2.xml | ||
|---|---|---|
| 30 | 30 |
|
| 31 | 31 |
<html:img xmlns:html="http://www.w3.org/1999/xhtml" |
| 32 | 32 |
src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==" |
| 33 |
onload="window.__run = [...(window.__run || []), 'melon'];console.log('delme melon')">
|
|
| 33 |
onload="window.__run = [...(window.__run || []), 'melon'];"> |
|
| 34 | 34 |
</html:img> |
| 35 | 35 |
|
| 36 | 36 |
<!-- Will execute --> |
| test/haketilo_test/unit/test_policy_enforcing.py | ||
|---|---|---|
| 144 | 144 |
def assert_properly_blocked(): |
| 145 | 145 |
click_all() |
| 146 | 146 |
|
| 147 |
try: |
|
| 148 |
assert set(driver.execute_script('return window.__run || [];')) == set()
|
|
| 149 |
except: |
|
| 150 |
from time import sleep |
|
| 151 |
sleep(100000) |
|
| 147 |
assert set(driver.execute_script('return window.__run || [];')) == set()
|
|
| 152 | 148 |
assert bool(csp_off_setting) == are_scripts_allowed(driver) |
| 153 | 149 |
|
| 154 | 150 |
# First, see if scripts run when not blocked. |
Also available in: Unified diff
improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)