
Revision aacacbb8

Added by koszko over 1 year ago

improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)


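--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -271,6 +271,8 @@
 }
 
 MOSanitizer.prototype.observe = function() {
+    this.mo.disconnect();
+
     let elem = this.root;
     while (elem && !elem.haketilo_trusted_node) {
 	this.mo.observe(elem, {childList: true});
@@ -284,7 +286,6 @@
 	    this.recursively_sanitize(new_node);
     }
 
-    this.mo.disconnect();
     this.observe();
 }
 
@@ -355,17 +356,8 @@
     substitute_doc.addEventListener(...listener_args);
 
     wait_loaded(doc).then(() => doc.removeEventListener(...listener_args));
-
-    sanitize_tree_urls(doc.documentElement);
-    sanitize_tree_onevent(doc.documentElement);
 #ENDIF
 
-    if (!doc.content_loaded) {
-	const sanitizer = new MOSanitizer(doc.documentElement);
-	sanitizer.start();
-	wait_loaded(doc).then(() => sanitizer.stop());
-    }
-
     /*
      * Ensure our CSP rules are employed from the beginning. This CSP injection
      * method is, when possible, going to be applied together with CSP rules
@@ -399,12 +391,17 @@
     substitute_doc.documentElement.replaceWith(root);
 #ENDIF
 
+    const sanitizer = new MOSanitizer(root);
+    sanitizer.start();
+    wait_loaded(doc).then(() => sanitizer.stop());
+
     /*
      * When we don't inject payload, we neither block document's CSP `<meta>'
      * tags nor wait for `<head>' to be parsed.
      */
     if (policy.payload) {
-	await wait_for_head(doc, root);
+	if (doc instanceof HTMLDocument)
+	    await wait_for_head(doc, root);
 
 	root.querySelectorAll("head meta")
 	    .forEach(m => sanitize_meta(m, policy));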
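Review bot: The explicit `sanitize_tree_urls(doc.documentElement)` / `sanitize_tree_onevent(doc.documentElement)` pass is removed, and nothing in the visible hunks shows that `MOSanitizer.start()` sanitizes nodes already under `root` when it is called, so handling of elements parsed before this point depends on code outside the diff. If `start()` does walk the existing subtree, say so where the sanitizer is created, e.g. `/* start() sanitizes nodes already under root, then watches for nodes the parser adds later. */`; if it does not, the initial pass needs to stay. The dropped `!doc.content_loaded` guard also means the observer is now attached to an already loaded document, which looks harmless only if `wait_loaded(doc)` resolves right away in that case. The enclosing function begins and ends outside these hunks.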
test/haketilo_test/data/pages/scripts_to_block_2.xml
30 30

  
31 31
  <html:img xmlns:html="http://www.w3.org/1999/xhtml"
32 32
	    src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg=="
33
	    onload="window.__run = [...(window.__run || []), 'melon'];console.log('delme melon')">
33
	    onload="window.__run = [...(window.__run || []), 'melon'];">
34 34
  </html:img>
35 35

  
36 36
  <!-- Will execute -->
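--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -144,11 +144,7 @@
     def assert_properly_blocked():
         click_all()
 
-        try:
-            assert set(driver.execute_script('return window.__run || [];')) == set()
-        except:
-            from time import sleep
-            sleep(100000)
+        assert set(driver.execute_script('return window.__run || [];')) == set()
         assert bool(csp_off_setting) == are_scripts_allowed(driver)
 
     # First, see if scripts run when not blocked.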
