author | hackademix | 2018-07-26 23:23:11 +0200 |
---|---|---|
committer | hackademix | 2018-07-26 23:48:20 +0200 |
commit | 21810063d0851fb88623d0458fa4fc2cd054b0db (patch) | |
tree | 1fb30dd82c8c82e4cd9e9dd717efcc2b3131b224 /src/bg/RequestGuard.js | |
parent | 4e62643b33e0f3a7653ae94cda34c7d6ace52097 (diff) | |
Disable scripting in HTML-embedding objects where webglHook cannot run, if webgl not allowed.
Diffstat (limited to 'src/bg/RequestGuard.js')
-rw-r--r-- | src/bg/RequestGuard.js | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
index 5a281fb..d13bf4b 100644
--- a/src/bg/RequestGuard.js
+++ b/src/bg/RequestGuard.js
@@ -390,8 +390,17 @@ var RequestGuard = (() => {
 if (policy.autoAllowTop && request.type === "main_frame" && perms === policy.DEFAULT) {
 policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
 }
-
+
 let {capabilities} = perms;
+ let isObject = request.type === "object";
+ if (isObject && !capabilities.has("webgl")) { // we can't inject webglHook
+ debug("Disabling scripts in object %s to prevent webgl abuse", url);
+ capabilities = new Set(capabilities);
+ capabilities.delete("script");
+ let r = Object.assign({}, request, {type: "webgl"});
+ TabStatus.record(r, "blocked");
+ Content.reportTo(r, false, "webgl");
+ }
 let canScript = capabilities.has("script");
 let blockedTypes;
@@ -419,7 +428,7 @@ var RequestGuard = (() => {
 blocker = CSP.createBlocker(...blockedTypes);
 }
- if (canScript) {
+ if (canScript && !isObject) {
 if (!capabilities.has("webgl")) {
 RequestUtil.executeOnStart(request, {
 file: "/content/webglHook.js"
@@ -427,7 +436,7 @@ var RequestGuard = (() => {
 }
 if (!capabilities.has("media")) {
 RequestUtil.executeOnStart(request, {
- code: "window.mediaBlocker = correctFrame();"
+ code: "window.mediaBlocker = true;"
 });
 }
|
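Review bot: The new `if (isObject && !capabilities.has("webgl"))` branch records and reports a blocked `webgl` item for every `object` request that lacks the webgl capability, including requests whose permissions never contained `script`, where nothing was actually taken away. Guarding it as `if (isObject && capabilities.has("script") && !capabilities.has("webgl")) {` keeps the fail-closed behaviour and limits the report to cases where scripting was really removed. The `new Set(capabilities)` copy looks load-bearing, since the original set appears to belong to the shared `perms` object; a comment such as `// copy first: never mutate the policy's own capability set` would keep a later cleanup from deleting `script` from the policy itself. The enclosing function starts and ends outside the hunk.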
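Review bot: `if (canScript && !isObject)` skips the `window.mediaBlocker` injection as well as `webglHook.js`, but only the webgl case is compensated for by removing `script` earlier in the commit. An `object` request whose permissions include `script` and `webgl` but not `media` keeps scripting while the media flag is never set, so media restrictions in that document rest on whatever the CSP blocker covers. This assumes start-time injection cannot run in these documents at all, which the commit message states only for webglHook. If so, consider removing `script` for objects that lack `media` as well, or add a comment at this condition stating why the media flag is unnecessary for objects. The body of this `if` continues past the end of the hunk.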