Haketilo

/**

 * Myext main content script run in all frames

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT handle_page_actions

 * IMPORT url_item

 * IMPORT url_extract_target

 * IMPORT gen_unique

 * IMPORT csp_rule

 * IMPORT is_privileged_url

 * IMPORT sanitize_attributes

 * IMPORT script_suppressor

 * IMPORT is_chrome

 * IMPORT is_mozilla

 * IMPORT start_activity_info_server

 * IMPORTS_END

 */

/*

 * Due to some technical limitations the chosen method of whitelisting sites

 * is to smuggle whitelist indicator in page's url as a "magical" string

 * after '#'. Right now this is not needed in HTTP(s) pages where native

 * script blocking happens through CSP header injection but is needed for

 * protocols like ftp:// and file://.

 *

 * The code that actually injects the magical string into ftp:// and file://

 * urls has not yet been added to the extension.

 */

let url = url_item(document.URL);

let unique = gen_unique(url);

const suppressor = script_suppressor(unique);

function is_http()

{

    return !!/^https?:\/\//i.exec(document.URL);

}

function is_whitelisted()

{

    const parsed_url = url_extract_target(document.URL);

    if (parsed_url.target !== undefined &&

	parsed_url.target === '#' + unique) {

	if (parsed_url.target2 !== undefined)

	    window.location.href = parsed_url.base_url + parsed_url.target2;

	else

	    history.replaceState(null, "", parsed_url.base_url);

	return true;

    }

    return false;

}

function handle_mutation(mutations, observer)

{

    if (document.readyState === 'complete') {

	console.log("mutation handling complete");

	observer.disconnect();

	return;

    }

    for (const mutation of mutations) {

	for (const node of mutation.addedNodes)

	    block_node(node);

    }

}

function block_nodes_recursively(node)

{

    block_node(node);

    for (const child of node.children)

	block_nodes_recursively(child);

}

function block_node(node)

{

    /*

     * Modifying <script> element doesn't always prevent its

     * execution in some Mozilla browsers. Additional blocking

     * through CSP meta tag injection is required.

     */

    if (node.tagName === "SCRIPT") {

	block_script(node);

	return;

    }

    sanitize_attributes(node);

    if (node.tagName === "HEAD")

	inject_csp(node);

}

function block_script(node)

{

    /*

     * Disabling scripts this way allows them to still be relatively

     * easily accessed in case they contain some useful data.

     */

    if (node.hasAttribute("type"))

	node.setAttribute("blocked-type", node.getAttribute("type"));

    node.setAttribute("type", "application/json");

}

function inject_csp(head)

{

    console.log('injecting CSP');

    let meta = document.createElement("meta");

    meta.setAttribute("http-equiv", "Content-Security-Policy");

    meta.setAttribute("content", csp_rule(unique));

    if (head.firstElementChild === null)

	head.appendChild(meta);

    else

	head.insertBefore(meta, head.firstElementChild);

}

if (!is_privileged_url(document.URL)) {

    start_activity_info_server();

    handle_page_actions(unique);

    if (is_http()) {

	/* rely on CSP injected through webRequest */

    } else if (is_whitelisted()) {

	/* do not block scripts at all */

    } else {

	block_nodes_recursively(document.documentElement);

	if (is_chrome) {

	    var observer = new MutationObserver(handle_mutation);

	    observer.observe(document.documentElement, {

		attributes: true,

		childList: true,

		subtree: true

	    });

	}

	if (is_mozilla)

	    addEventListener('beforescriptexecute', suppressor, true);

    }

}