summaryrefslogtreecommitdiff
path: root/src/xss
diff options
context:
space:
mode:
authorhackademix2019-03-14 01:57:58 +0100
committerhackademix2019-03-14 01:57:58 +0100
commitd1dd278a81444e2203945fc213a4b69ed1ee49a7 (patch)
tree8d5324bfd690debdec3f126c68dd376991c94b25 /src/xss
parent3f2453053bd40102d9bc4eddd5f24759477cca43 (diff)
downloadnoscript-d1dd278a81444e2203945fc213a4b69ed1ee49a7.tar.gz
noscript-d1dd278a81444e2203945fc213a4b69ed1ee49a7.tar.xz
noscript-d1dd278a81444e2203945fc213a4b69ed1ee49a7.zip
Selective handling of Tor Browser options and work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
Diffstat (limited to 'src/xss')
-rw-r--r--src/xss/XSS.js18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/xss/XSS.js b/src/xss/XSS.js
index f95ea04..b7bffce 100644
--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@@ -114,6 +114,13 @@ var XSS = (() => {
return {
async start() {
let {onBeforeRequest} = browser.webRequest;
+ let {xssScanRequestBody} = ns.sync;
+ if (xssScanRequestBody !== this.xssScanRequestBody) {
+ this.stop();
+ this.xssScanRequestBody = xssScanRequestBody;
+ }
+ this.xssBlockUnscannedPOST = ns.sync.xssBlockUnscannedPOST;
+
if (onBeforeRequest.hasListener(requestListener)) return;
await include("/legacy/Legacy.js");
@@ -135,7 +142,9 @@ var XSS = (() => {
onBeforeRequest.addListener(requestListener, {
urls: ["*://*/*"],
types: ["main_frame", "sub_frame", "object"]
- }, ["blocking", "requestBody"]);
+ },
+ // work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
+ xssScanRequestBody ? ["blocking", "requestBody"] : ["blocking"]);
},
stop() {
@@ -233,8 +242,11 @@ var XSS = (() => {
ic.reset();
let postInjection = xssReq.isPost &&
- request.requestBody && request.requestBody.formData &&
- ic.checkPost(request.requestBody.formData, skipParams);
+ (XSS.xssScanRequestBody ?
+ request.requestBody && request.requestBody.formData &&
+ ic.checkPost(request.requestBody.formData, skipParams)
+ : XSS.xssBlockUnscannedPOST && ns.requestCan(request, "script") && _("UnscannedXPost")
+ );
let protectName = ic.nameAssignment;
let urlInjection = ic.checkUrl(destUrl, skipRx);