summaryrefslogtreecommitdiff
path: root/src/xss/Exceptions.js
diff options
context:
space:
mode:
authorhackademix2018-07-01 01:01:23 +0200
committerhackademix2018-07-01 01:01:23 +0200
commiteceae7187a6f0e9510bc1165f6977256b87f490f (patch)
treed943f1ec73c09efa70954dcedb55eac82a726148 /src/xss/Exceptions.js
downloadnoscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.gz
noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.xz
noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.zip
Initial commit starting at version 10.1.8.3rc4.
Diffstat (limited to 'src/xss/Exceptions.js')
-rw-r--r--src/xss/Exceptions.js238
1 files changed, 238 insertions, 0 deletions
diff --git a/src/xss/Exceptions.js b/src/xss/Exceptions.js
new file mode 100644
index 0000000..4e80c39
--- /dev/null
+++ b/src/xss/Exceptions.js
@@ -0,0 +1,238 @@
+'use strict';
+
+XSS.Exceptions = (() => {
+
+ var Exceptions = {
+ get legacyExceptions() {
+ delete this.legacyExceptions;
+ this.legacyExceptions =
+ Legacy.getRxPref("filterXExceptions",
+ Legacy.RX.multi, "g", /^https?:[a-z:/@.?-]*$/i);
+ return this.legacyExceptions;
+ },
+
+ async getWhitelist() {
+ return (await Storage.get("sync", "xssWhitelist")).xssWhitelist;
+ },
+ async setWhitelist(xssWhitelist) {
+ await Storage.set("sync", {xssWhitelist});
+ },
+
+ async shouldIgnore(xssReq) {
+ function logEx(...args) {
+ debug("[XSS preprocessing] Ignoring %o", xssReq, ...args);
+ }
+
+ let {
+ srcObj,
+ destObj,
+ srcUrl,
+ destUrl,
+ srcOrigin,
+ destOrigin,
+ unescapedDest,
+ isGet,
+ isPost
+ } = xssReq;
+
+ // same srcUrl
+ if (srcOrigin === destOrigin) {
+ return true;
+ }
+
+ // same domain + https: source
+ if (/^https:/.test(srcOrigin) && xssReq.srcDomain === xssReq.destDomain) {
+ return true;
+ }
+
+ if (/^(?:chrome|resource|moz-extension|about):/.test(srcOrigin)) {
+ debug("Privileged origin", srcOrigin);
+ }
+
+ // destination or @source matching legacy regexp
+ if (this.legacyExceptions.test(unescapedDest) &&
+ !this.isBadException(destObj.hostname) ||
+ this.legacyExceptions.test("@" + unescape(srcUrl))) {
+ logEx("Legacy exception", this.legacyExceptions);
+ return true;
+ }
+
+ if (!srcObj && isGet) {
+ if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
+ return true; // MSDN from Microsoft VS
+ }
+ }
+
+ if (srcOrigin) { // srcUrl-specific exceptions
+
+ if (/^about:(?!blank)/.test(srcOrigin))
+ return true; // any about: URL except about:blank
+
+ if (srcOrigin === "https://www.youtube.com" &&
+ /^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.yt_comments")
+ ) {
+ logEx("YouTube comments exception");
+ return true;
+ }
+
+ if (isPost) {
+
+ if (srcOrigin === "https://sso.post.ch" && destOrigin === "https://app.swisspost.ch") {
+ return true;
+ }
+
+ if (srcOrigin === "https://twitter.com" && /^https:\/\/.*\.twitter\.com$/.test(destOrigin)) {
+ return true;
+ }
+
+ {
+ let rx = /^https:\/\/(?:[a-z]+\.)?unionbank\.com$/;
+ if (rx.test(srcOrigin) && rx.test(destOrigin)) {
+ return true;
+ }
+ }
+
+ if (/^https?:\/\/csr\.ebay\.(?:\w{2,3}|co\.uk)\/cse\/start\.jsf$/.test(srcUrl) &&
+ /^https?:\/\/msa-lfn\.ebay\.(?:\w{2,3}|co\.uk)\/ws\/eBayISAPI\.dll\?[^<'"%]*$/.test(unescapedDest) &&
+ destObj.protocol === srcObj.protocol &&
+ Legacy.getPref("filterXException.ebay")) {
+ logEx("Ebay exception");
+ return true;
+ }
+
+ if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.(?:l[tv]|com))$/.test(srcUrl) &&
+ Legacy.getPref("filterXException.visa")) {
+ logEx("Verified by Visa exception");
+ return true;
+ }
+
+ if (/\.verizon\.com$/.test(srcOrigin) &&
+ /^https:\/\/signin\.verizon\.com\/sso\/authsso\/forumLogin\.jsp$/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.verizon")) {
+ logEx("Verizon login exception");
+ return true;
+ }
+
+ if (/^https?:\/\/mail\.lycos\.com\/lycos\/mail\/MailCompose\.lycos$/.test(srcUrl) &&
+ /\.lycosmail\.lycos\.com$/.test(destOrigin) &&
+ Legacy.getPref("filterXExceptions.lycosmail")) {
+ logEx("Lycos Mail exception");
+ return true;
+ }
+
+ if (/\.livejournal\.com$/.test(srcOrigin) &&
+ /^https?:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.livejournal")) {
+ logEx("Livejournal comments exception");
+ return true;
+ }
+
+ if (srcOrigin == "https://ssl.rapidshare.com" &&
+ xssReq.srcDomain == "rapidshare.com") {
+ logEx("Rapidshare upload exception");
+ return true;
+ }
+
+ if (srcOrigin == "http://wm.letitbit.net" &&
+ /^http:\/\/http\.letitbit\.net:81\/cgi-bin\/multi\/upload\.cgi\?/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.letitibit")
+ ) {
+ logEx("letitbit.net upload exception");
+ return true;
+ }
+
+ if (/\.deviantart\.com$/.test(srcOrigin) &&
+ /^http:\/\/my\.deviantart\.com\/journal\/update\b/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.deviantart")
+ ) {
+ logEx("deviantart.com journal post exception");
+ return true;
+ }
+
+ if (srcOrigin == "https://www.mymedicare.gov" &&
+ destOrigin == "https://myporal.medicare.gov" &&
+ Legacy.getPref("filterXExceptions.medicare")
+ ) {
+ logEx("mymedicare.gov exception");
+ return true;
+ }
+
+ if (/^https?:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
+ /^https?:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.blogspot")
+ ) {
+ logEx("blogspot.com template preview exception");
+ return true;
+ }
+
+ if (/^https?:\/\/www\.readability\.com\/articles\/queue$/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.readability")) {
+ logEx("Readability exception");
+ return true;
+ }
+
+ if (/^https?:\/\/pdf\.printfriendly\.com\/pdfs\/make$/.test(destUrl) &&
+ Legacy.getPref("filterXExceptions.printfriendly")) {
+ logEx("Printfriendly exception");
+ return true;
+ }
+ }
+ }
+ },
+
+ isBadException(host) {
+ // TLD check for Google search
+ let m = host.match(/\bgoogle\.((?:[a-z]{1,3}\.)?[a-z]+)$/i);
+ return m && tld.getPublicSuffix(host) != m[1];
+ },
+
+ partial(xssReq) {
+ let {
+ srcObj,
+ destObj,
+ srcUrl,
+ destUrl,
+ srcOrigin,
+ destOrigin,
+ } = xssReq;
+
+ let skipParams, skipRx;
+ if (/^https:\/\/www\.paypal\.com\/(?:[\w\-]+\/)?cgi-bin\/webscr\b/.test(destUrl)) {
+ // Paypal buttons encrypted parameter causes a DOS, strip it out
+ skipParams = ['encrypted'];
+ } else if (/\.adnxs\.com$/.test(srcOrigin) && /\.adnxs\.com$/.test(destOrigin)) {
+ skipParams = ['udj'];
+ } else if (/^https?:\/\/www\.mendeley\.com\/import\/bookmarklet\/$/.test(destUrl)) {
+ skipParams = ['html'];
+ } else if (destObj.hash && /^https:/.test(srcOrigin) &&
+ (/^https?:\/\/api\.facebook\.com\//.test(srcUrl) ||
+ /^https:\/\/tbpl\.mozilla\.org\//.test(srcUrl) || // work-around for hg reftest DOS
+ /^https:\/\/[^\/]+\.googleusercontent\.com\/gadgets\/ifr\?/.test(destUrl) // Google gadgets
+ )) {
+ skipRx = /#[^#]+$/; // remove receiver's hash
+ } else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl) && Legacy.getPref("filterXExceptions.fbconnect")) {
+ skipRx = /&invite_url=javascript[^&]+/; // Zynga stuff
+ } else if (/^https?:\/\/l\.yimg\.com\/j\/static\/frame\?e=/.test(destUrl) &&
+ /\.yahoo\.com$/.test(srcOrigin) &&
+ Legacy.getPref("filterXExceptions.yahoo")) {
+ skipParams = ['e'];
+ } else if (/^https?:\/\/wpcomwidgets\.com\/\?/.test(destUrl)) {
+ skipParams = ["_data"];
+ } else if (/^https:\/\/docs\.google\.com\/picker\?/.test(destUrl)) {
+ skipParams = ["nav", "pp"];
+ } else if (/^https:\/\/.*[\?&]scope=/.test(destUrl)) {
+ skipRx = /[\?&]scope=[+\w]+(?=&|$)/;
+ }
+ if (skipParams) {
+ skipRx = new RegExp("(?:^|[&?])(?:" + skipParams.join('|') + ")=[^&]+", "g");
+ }
+ return {
+ skipParams,
+ skipRx
+ };
+ }
+
+ };
+ return Exceptions;
+})();
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 08:19:59 +0000