Project

General

Profile

« Previous | Next » 

Revision aacacbb8

Added by koszko over 1 year ago

improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)

View differences:

content/policy_enforcing.js
271 271 
}
272 272 

  		




  273
  273
  
    
MOSanitizer.prototype.observe = function() {


  		




  
  274
  
    
    this.mo.disconnect();


  		




  
  275
  
    

  		




  274
  276
  
    
    let elem = this.root;


  		




  275
  277
  
    
    while (elem && !elem.haketilo_trusted_node) {


  		




  276
  278
  
    
	this.mo.observe(elem, {childList: true});


  		




  ......




  284
  286
  
    
	    this.recursively_sanitize(new_node);


  		




  285
  287
  
    
    }


  		




  286
  288
  
    

  		




  287
  
  
    
    this.mo.disconnect();


  		




  288
  289
  
    
    this.observe();


  		




  289
  290
  
    
}


  		




  290
  291
  
    

  		




  ......




  355
  356
  
    
    substitute_doc.addEventListener(...listener_args);


  		




  356
  357
  
    

  		




  357
  358
  
    
    wait_loaded(doc).then(() => doc.removeEventListener(...listener_args));


  		




  358
  
  
    

  		




  359
  
  
    
    sanitize_tree_urls(doc.documentElement);


  		




  360
  
  
    
    sanitize_tree_onevent(doc.documentElement);


  		




  361
  359
  
    
#ENDIF


  		




  362
  360
  
    

  		




  363
  
  
    
    if (!doc.content_loaded) {


  		




  364
  
  
    
	const sanitizer = new MOSanitizer(doc.documentElement);


  		




  365
  
  
    
	sanitizer.start();


  		




  366
  
  
    
	wait_loaded(doc).then(() => sanitizer.stop());


  		




  367
  
  
    
    }


  		




  368
  
  
    

  		




  369
  361
  
    
    /*


  		




  370
  362
  
    
     * Ensure our CSP rules are employed from the beginning. This CSP injection


  		




  371
  363
  
    
     * method is, when possible, going to be applied together with CSP rules


  		




  ......




  399
  391
  
    
    substitute_doc.documentElement.replaceWith(root);


  		




  400
  392
  
    
#ENDIF


  		




  401
  393
  
    

  		




  
  394
  
    
    const sanitizer = new MOSanitizer(root);


  		




  
  395
  
    
    sanitizer.start();


  		




  
  396
  
    
    wait_loaded(doc).then(() => sanitizer.stop());


  		




  
  397
  
    

  		




  402
  398
  
    
    /*


  		




  403
  399
  
    
     * When we don't inject payload, we neither block document's CSP `<meta>'


  		




  404
  400
  
    
     * tags nor wait for `<head>' to be parsed.


  		




  405
  401
  
    
     */


  		




  406
  402
  
    
    if (policy.payload) {


  		




  407
  
  
    
	await wait_for_head(doc, root);


  		




  
  403
  
    
	if (doc instanceof HTMLDocument)


  		




  
  404
  
    
	    await wait_for_head(doc, root);


  		




  408
  405
  
    

  		




  409
  406
  
    
	root.querySelectorAll("head meta")


  		




  410
  407
  
    
	    .forEach(m => sanitize_meta(m, policy));


  		












Also available in:  Unified diff