Revision e6fca496
Added by koszko about 1 year ago
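--- a/content/policy_enforcing.js
+++ b/content/policy_enforcing.js
@@ -162,6 +162,41 @@
 delete script.haketilo_blocked_type;
 }
 
+/* The following will only be run on pages without payload. */
+function force_noscript_tag(element) {
+if (element.tagName !== "NOSCRIPT")
+return;
+
+let under_head = false;
+let ancestor = element;
+while (true) {
+ancestor = ancestor.parentElement;
+
+if (ancestor === null)
+break;
+
+if (ancestor === document.head) {
+under_head = true;
+break;
+}
+}
+
+const replacement = document.createElement('haketilo-noscript');
+replacement.innerHTML = element.innerHTML;
+
+for (const script of [...replacement.querySelectorAll('script')])
+script.remove();
+
+if (under_head) {
+for (const child of replacement.childNodes)
+element.before(child);
+
+element.remove();
+} else {
+element.replaceWith(replacement);
+}
+}
+
 /*
 * Blocking certain attributes that might allow 'javascript:' URLs. Some of
 * these are: <iframe>'s 'src' attributes (would normally execute js in URL upon
@@ -254,7 +289,8 @@
 #ENDIF
 
 /*
-* Sanitize elements on-the-fly as they appear using MutationObserver.
+* Sanitize elements on-the-fly and force <noscript> tags visible as they appear
+* using MutationObserver.
 *
 * Under Abrowser 97 it was observed that MutationObserver does not always work
 * as is should. When trying to observe nodes of an XMLDocument the behavior was
@@ -262,8 +298,9 @@
 * around this we avoid using the "subtree" option altogether and have the same
 * code work in all scenarios.
 */
-function MOSanitizer(root) {
-this.root = root;
+function MOSanitizer(root, payload_present) {
+this.root = root;
+this.payload_present = payload_present;
 
 this.recursively_sanitize(root);
 
@@ -305,6 +342,8 @@
 #IF MOZILLA
 sanitize_element_onevent(current_elem);
 #ENDIF
+if (!this.payload_present)
+force_noscript_tag(current_elem);
 }
 }
 
@@ -391,7 +430,7 @@
 substitute_doc.documentElement.replaceWith(root);
 #ENDIF
 
-const sanitizer = new MOSanitizer(root);
+const sanitizer = new MOSanitizer(root, !!policy.payload);
 sanitizer.start();
 wait_loaded(doc).then(() => sanitizer.stop());
 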
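Review bot: In `force_noscript_tag`, the `under_head` branch iterates `replacement.childNodes` directly while `element.before(child)` moves each child out of `replacement`; that NodeList is live, so the loop skips every second node and the skipped content is lost when `element.remove()` runs. The script-stripping loop just above already iterates over a copy, and the same fix applies here: `for (const child of [...replacement.childNodes])`. Separately, the markup re-parsed through `replacement.innerHTML = element.innerHTML` has only its `script` elements removed before it is attached to the page. Whether the inserted subtree is afterwards passed through `sanitize_element_onevent` and the 'javascript:' attribute blocking described in the following comment is not visible in this diff; it is worth confirming, or sanitizing `replacement` before insertion, so that markup carried inside `<noscript>` is held to the same checks as the rest of the document.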
force tags