
Revision edbbe400

Added by jahoti about 2 years ago

License script-blocking techniques from NoScript in machine-readable format.

In-page blocking now works on Firefox, and javascript: and data: URLs are
properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of
HTML/XML data: URLs should (eventually) be refined to align with current
practice for pages in general.

Also, script-blocking is now filtered by nonce, making it possible (albeit
perhaps not desirable) to inject scripts before the DOM is complete.

View differences:

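--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
     const handle_page_actions = window.handle_page_actions;
     const url_item = window.url_item;
     const gen_unique = window.gen_unique;
+    const sanitize_attributes = window.sanitize_attributes;
 
     /*
      * Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
     let url = url_item(document.URL);
     let unique = gen_unique(url);
     let nonce = unique.substring(1);
+    
+    const scriptSuppressor = window.scriptSuppressor(nonce);
 
     function needs_blocking()
     {
@@ -105,29 +108,10 @@
 	node.appendChild(meta);
     }
 
-    function sanitize_attributes(node)
-    {
-	if (node.attributes === undefined)
-	    return;
-
-	/*
-	 * We have to do it in 2 loops, removing attribute modifies
-	 * our iterator
-	 */
-	let attr_names = [];
-	for (let attr of node.attributes) {
-	    let attr_name = attr.localName;
-	    if (attr_name.startsWith("on"))
-		attr_names.push(attr_name);
-	}
-
-	for (let attr_name of attr_names) {
-	    node.removeAttribute(attr_name);
-	    console.log("sanitized", attr_name);
-	}
-    }
-
     if (needs_blocking()) {
+	// Script blocking for Gecko
+	addEventListener('beforescriptexecute', scriptSuppressor, true);
+	
 	var observer = new MutationObserver(handle_mutation);
 	observer.observe(document.documentElement, {
 	    attributes: true,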
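Review bot: The nonce handed to `window.scriptSuppressor(nonce)` is `unique.substring(1)`, and `unique` comes from `gen_unique(url)` on `document.URL`; nothing visible in this section shows that a value the page cannot read goes into it. If `gen_unique` depends only on the URL, the page could presumably derive the same nonce and the filter would no longer separate injected scripts from page scripts, so the assumption deserves a comment above that line, e.g. `// nonce must stay unpredictable to the page; gen_unique() is expected to mix in a secret`. Separately, `beforescriptexecute` is a Gecko-only event raised for `<script>` elements, so inline `on*` handlers still rely on `sanitize_attributes`, which this commit moves out of the file; a one-line comment at the listener saying so would help the next reader. The `if (needs_blocking())` block and the `observer.observe` call continue past the end of the section.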
