Haketilo

/**

 * Myext main content script run in all frames

 *

 * Copyright (C) 2021 Wojtek Kosior

 * Copyright (C) 2021 jahoti

 * Redistribution terms are gathered in the `copyright' file.

 */

/*

 * IMPORTS_START

 * IMPORT handle_page_actions

 * IMPORT url_item

 * IMPORT url_extract_target

 * IMPORT url_extract_policy

 * IMPORT gen_unique

 * IMPORT gen_nonce

 * IMPORT csp_rule

 * IMPORT is_privileged_url

 * IMPORT sanitize_attributes

 * IMPORT mozilla_suppress_scripts

 * IMPORT is_chrome

 * IMPORT is_mozilla

 * IMPORT start_activity_info_server

 * IMPORTS_END

 */

/*

 * Due to some technical limitations the chosen method of whitelisting sites

 * is to smuggle whitelist indicator in page's url as a "magical" string

 * after '#'. Right now this is not needed in HTTP(s) pages where native

 * script blocking happens through CSP header injection but is needed for

 * protocols like ftp:// and file://.

 *

 * The code that actually injects the magical string into ftp:// and file://

 * urls has not yet been added to the extension.

 */

function handle_mutation(mutations, observer)

{

    if (document.readyState === 'complete') {

	console.log("mutation handling complete");

	observer.disconnect();

	return;

    }

    for (const mutation of mutations) {

	for (const node of mutation.addedNodes)

	    block_node(node);

    }

}

function block_nodes_recursively(node)

{

    block_node(node);

    for (const child of node.children)

	block_nodes_recursively(child);

}

function block_node(node)

{

    /*

     * Modifying <script> element doesn't always prevent its

     * execution in some Mozilla browsers. Additional blocking

     * through CSP meta tag injection is required.

     */

    if (node.tagName === "SCRIPT") {

	block_script(node);

	return;

    }

    sanitize_attributes(node);

    if (node.tagName === "HEAD")

	inject_csp(node);

}

function block_script(node)

{

    /*

     * Disabling scripts this way allows them to still be relatively

     * easily accessed in case they contain some useful data.

     */

    if (node.hasAttribute("type"))

	node.setAttribute("blocked-type", node.getAttribute("type"));

    node.setAttribute("type", "application/json");

}

function inject_csp(head)

{

    console.log('injecting CSP');

    let meta = document.createElement("meta");

    meta.setAttribute("http-equiv", "Content-Security-Policy");

    meta.setAttribute("content", csp_rule(nonce));

    if (head.firstElementChild === null)

	head.appendChild(meta);

    else

	head.insertBefore(meta, head.firstElementChild);

}

if (!is_privileged_url(document.URL)) {

    const targets = url_extract_policy(document.URL);

    if (targets.policy) {

	if (targets.target2 !== undefined)

	    window.location.href = targets.base_url + targets.target2;

	else

	    history.replaceState(null, "", targets.base_url);

    }

    targets.policy = targets.current ? targets.policy : {};

    const nonce = targets.policy.nonce || gen_nonce();

    start_activity_info_server();

    handle_page_actions(nonce);

    if (!targets.policy.allow) {

	block_nodes_recursively(document.documentElement);

	if (is_chrome) {

	    var observer = new MutationObserver(handle_mutation);

	    observer.observe(document.documentElement, {

		attributes: true,

		childList: true,

		subtree: true

	    });

	}

	if (is_mozilla)

	    addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);

    }

}