Haketilo

/**

 * Myext main content script run in all frames

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Redistribution terms are gathered in the `copyright' file.

 */

"use strict";

(() => {

    const handle_page_actions = window.handle_page_actions;

    const url_item = window.url_item;

    const gen_unique = window.gen_unique;

    /*

     * Due to some technical limitations the chosen method of whitelisting sites

     * is to smuggle whitelist indicator in page's url as a "magical" string

     * after '#'. Right now this is not needed in HTTP(s) pages where native

     * script blocking happens through CSP header injection but is needed for

     * protocols like ftp:// and file://.

     *

     * The code that actually injects the magical string into ftp:// and file://

     * urls has not yet been added to the extension.

     */

    let url = url_item(document.URL);

    let unique = gen_unique(url);

    let nonce = unique.substring(1);

    function needs_blocking()

    {

	if (url.startsWith("https://") || url.startsWith("http://"))

	    return false;

	let url_re = /^([^#]*)((#[^#]*)(#.*)?)?$/;

	let match = url_re.exec(document.URL);

	let base_url = match[1];

	let first_target = match[3];

	let second_target = match[4];

	if (first_target !== undefined &&

	    first_target === unique) {

	    if (second_target !== undefined)

		window.location.href = base_url + second_target;

	    else

		history.replaceState(null, "", base_url);

	    console.log(["allowing whitelisted", document.URL]);

	    return false;

	}

	console.log(["disallowing", document.URL]);

	return true;

    }

    function handle_mutation(mutations, observer)

    {

	if (document.readyState === 'complete') {

	    console.log("complete");

	    observer.disconnect();

	    return;

	}

	for (let mutation of mutations) {

	    for (let node of mutation.addedNodes) {

		/*

		 * Modifying <script> element doesn't always prevent its

		 * execution in some Mozilla browsers. Additional blocking

		 * through CSP meta tag injection is required.

		 */

		if (node.tagName === "SCRIPT") {

		    block_script(node);

		    continue;

		}

		sanitize_attributes(node);

		if (node.tagName === "HEAD")

		    inject_csp(node);

	    }

	}

    }

    function block_script(node)

    {

	console.log(node);

	/*

	 * Disabling scripts this way allows them to still be relatively

	 * easily accessed in case they contain some useful data.

	 */

	if (node.hasAttribute("type"))

	    node.setAttribute("blocked-type", node.getAttribute("type"));

	node.setAttribute("type", "application/json");

    }

    function inject_csp(node)

    {

	console.log('injecting CSP');

	let meta = document.createElement("meta");

	meta.setAttribute("http-equiv", "Content-Security-Policy");

	meta.setAttribute("content", `\

script-src 'nonce-${nonce}'; \

script-src-elem 'nonce-${nonce}';\

`);

	node.appendChild(meta);

    }

    function sanitize_attributes(node)

    {

	if (node.attributes === undefined)

	    return;

	/*

	 * We have to do it in 2 loops, removing attribute modifies

	 * our iterator

	 */

	let attr_names = [];

	for (let attr of node.attributes) {

	    let attr_name = attr.localName;

	    if (attr_name.startsWith("on"))

		attr_names.push(attr_name);

	}

	for (let attr_name of attr_names) {

	    node.removeAttribute(attr_name);

	    console.log("sanitized", attr_name);

	}

    }

    if (needs_blocking()) {

	var observer = new MutationObserver(handle_mutation);

	observer.observe(document.documentElement, {

	    attributes: true,

	    childList: true,

	    subtree: true

	});

    }

    handle_page_actions(nonce);

})();