Revision aacacbb8
Added by koszko over 1 year ago
content/policy_enforcing.js | ||
---|---|---|
271 | 271 |
} |
272 | 272 |
|
273 | 273 |
MOSanitizer.prototype.observe = function() { |
274 |
this.mo.disconnect(); |
|
275 |
|
|
274 | 276 |
let elem = this.root; |
275 | 277 |
while (elem && !elem.haketilo_trusted_node) { |
276 | 278 |
this.mo.observe(elem, {childList: true}); |
... | ... | |
284 | 286 |
this.recursively_sanitize(new_node); |
285 | 287 |
} |
286 | 288 |
|
287 |
this.mo.disconnect(); |
|
288 | 289 |
this.observe(); |
289 | 290 |
} |
290 | 291 |
|
... | ... | |
355 | 356 |
substitute_doc.addEventListener(...listener_args); |
356 | 357 |
|
357 | 358 |
wait_loaded(doc).then(() => doc.removeEventListener(...listener_args)); |
358 |
|
|
359 |
sanitize_tree_urls(doc.documentElement); |
|
360 |
sanitize_tree_onevent(doc.documentElement); |
|
361 | 359 |
#ENDIF |
362 | 360 |
|
363 |
if (!doc.content_loaded) { |
|
364 |
const sanitizer = new MOSanitizer(doc.documentElement); |
|
365 |
sanitizer.start(); |
|
366 |
wait_loaded(doc).then(() => sanitizer.stop()); |
|
367 |
} |
|
368 |
|
|
369 | 361 |
/* |
370 | 362 |
* Ensure our CSP rules are employed from the beginning. This CSP injection |
371 | 363 |
* method is, when possible, going to be applied together with CSP rules |
... | ... | |
399 | 391 |
substitute_doc.documentElement.replaceWith(root); |
400 | 392 |
#ENDIF |
401 | 393 |
|
394 |
const sanitizer = new MOSanitizer(root); |
|
395 |
sanitizer.start(); |
|
396 |
wait_loaded(doc).then(() => sanitizer.stop()); |
|
397 |
|
|
402 | 398 |
/* |
403 | 399 |
* When we don't inject payload, we neither block document's CSP `<meta>' |
404 | 400 |
* tags nor wait for `<head>' to be parsed. |
405 | 401 |
*/ |
406 | 402 |
if (policy.payload) { |
407 |
await wait_for_head(doc, root); |
|
403 |
if (doc instanceof HTMLDocument) |
|
404 |
await wait_for_head(doc, root); |
|
408 | 405 |
|
409 | 406 |
root.querySelectorAll("head meta") |
410 | 407 |
.forEach(m => sanitize_meta(m, policy)); |
Also available in: Unified diff
improvement to also properly sanitize intrinsics in XML documents under older browsers (IceCat 60)