Revision edbbe400
Added by jahoti about 2 years ago
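--- a/content/main.js
+++ b/content/main.js
@@ -11,6 +11,7 @@
 const handle_page_actions = window.handle_page_actions;
 const url_item = window.url_item;
 const gen_unique = window.gen_unique;
+const sanitize_attributes = window.sanitize_attributes;
 
 /*
 * Due to some technical limitations the chosen method of whitelisting sites
@@ -26,6 +27,8 @@
 let url = url_item(document.URL);
 let unique = gen_unique(url);
 let nonce = unique.substring(1);
+
+const scriptSuppressor = window.scriptSuppressor(nonce);
 
 function needs_blocking()
 {
@@ -105,29 +108,10 @@
 node.appendChild(meta);
 }
 
-function sanitize_attributes(node)
-{
-if (node.attributes === undefined)
-return;
-
-/*
-* We have to do it in 2 loops, removing attribute modifies
-* our iterator
-*/
-let attr_names = [];
-for (let attr of node.attributes) {
-let attr_name = attr.localName;
-if (attr_name.startsWith("on"))
-attr_names.push(attr_name);
-}
-
-for (let attr_name of attr_names) {
-node.removeAttribute(attr_name);
-console.log("sanitized", attr_name);
-}
-}
-
 if (needs_blocking()) {
+// Script blocking for Gecko
+addEventListener('beforescriptexecute', scriptSuppressor, true);
+
 var observer = new MutationObserver(handle_mutation);
 observer.observe(document.documentElement, {
 attributes: true,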
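Review bot: The nonce handed to `window.scriptSuppressor(nonce)` at new line 31 is taken from `gen_unique(url)` over `document.URL`, and the commit message says suppression is now filtered by that nonce, so the blocker is only as strong as the nonce is unpredictable to the page being blocked. `gen_unique` is not visible in this diff; if its output depends on the URL alone, the filter would not hold against the page itself, so it is worth confirming that it mixes in a per-install or per-session secret and recording that at the call site, e.g. `/* nonce must not be derivable from page-visible data (see gen_unique) */`. Separately, the call runs at top level before `needs_blocking()`, so if `window.scriptSuppressor` is not yet defined the whole content script throws and nothing gets blocked; a guard such as `if (typeof window.scriptSuppressor !== 'function') throw new Error('scriptSuppressor not loaded');` would at least make that failure explicit. The `beforescriptexecute` listener at new line 113 is a non-standard Gecko-only event, and the comment there could say what covers the case where it never fires.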
License script-blocking techniques from NoScript in machine-readable format.
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly
blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML
data: urls should be refined (eventually) to align with current practice for
pages in general.
Also, script-blocking is now filtered by nonce, making it possible (albeit
perhaps not desirable) to inject scripts before the DOM is complete.