diff options
author | hackademix | 2020-03-18 22:51:07 +0100 |
---|---|---|
committer | hackademix | 2020-03-18 22:51:07 +0100 |
commit | 5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d (patch) | |
tree | d5c3242b8d7b11e365ec5f3fe033632f2a71a445 | |
parent | 9b3a12f9a3a7a12420b759475b1983f6d387a195 (diff) | |
download | noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.gz noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.tar.xz noscript-5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d.zip |
Prevent ANY redirection to data: URIs in documents.
-rw-r--r-- | src/bg/ReportingCSP.js | 6 | ||||
-rw-r--r-- | src/content/content.js | 11 | ||||
-rw-r--r-- | src/lib/CSP.js | 4 |
3 files changed, 16 insertions, 5 deletions
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js index 2da1bbc..e7ffe0a 100644 --- a/src/bg/ReportingCSP.js +++ b/src/bg/ReportingCSP.js @@ -35,11 +35,11 @@ function ReportingCSP(reportURI, reportGroup) { h.name === REPORT_TO.name && h.value === REPORT_TO.value) { needsReportTo = false; } else if (blocker && /^(Location|Refresh)$/i.test(h.name)) { + // neutralize any HTTP redirection to data: URLs, like Chromium let url = /^R/i.test(h.name) ? h.value.replace(/^[^,;]*[,;]url[^\w=]*=\s*/i, "") : h.value; - let patched = CSP.patchDataURI(url, blocker); - if (patched !== url) { - h.value = h.value.slice(0, -url.length) + patched; + if (/^data:/i.test(url)) { + h.value = h.value.slice(0, -url.length) + "data:"; } } } diff --git a/src/content/content.js b/src/content/content.js index 3862a58..43827a2 100644 --- a/src/content/content.js +++ b/src/content/content.js @@ -114,3 +114,14 @@ ns.on("capabilities", () => { ns.fetchPolicy(); notifyPage(); + +addEventListener("DOMContentLoaded", e => { + if (ns.canScript) return; + for (let m of document.querySelectorAll("meta[http-equiv=refresh]")) { + if (/^[^,;]*[,;]url[^\w=]*=\s*data:/.test(m.getAttribute("content"))) { + let url = m.getAttribute("content").replace(/.*?(?=data:)/, ""); + log(`Blocking refresh to ${url}`); + window.stop(); + } + } +}); diff --git a/src/lib/CSP.js b/src/lib/CSP.js index f5a2161..ad0afa2 100644 --- a/src/lib/CSP.js +++ b/src/lib/CSP.js @@ -22,7 +22,7 @@ class CSP { CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml"; CSP.headerName = "content-security-policy"; CSP.patchDataURI = (uri, blocker) => { - let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri); + let parts = /^data:(?:[^,;]*ml|unknown-content-type)(;[^,]*)?,/i.exec(uri); if (!(blocker && parts)) { // not an interesting data: URI, return as it is return uri; @@ -33,6 +33,6 @@ CSP.patchDataURI = (uri, blocker) => { } // It's a HTML/XML page, let's prepend our CSP blocker to the document let patch = parts[0] + encodeURIComponent( - `<meta http-equiv="${CSP.headerName}" content="${blocker}">`); + `<meta http-equiv="${CSP.headerName}" content="${blocker}"/>`); return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length); } |