summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorhackademix2018-07-26 23:23:11 +0200
committerhackademix2018-07-26 23:48:20 +0200
commit21810063d0851fb88623d0458fa4fc2cd054b0db (patch)
tree1fb30dd82c8c82e4cd9e9dd717efcc2b3131b224 /src
parent4e62643b33e0f3a7653ae94cda34c7d6ace52097 (diff)
downloadnoscript-21810063d0851fb88623d0458fa4fc2cd054b0db.tar.gz
noscript-21810063d0851fb88623d0458fa4fc2cd054b0db.tar.xz
noscript-21810063d0851fb88623d0458fa4fc2cd054b0db.zip
Disable scripting in HTML-embedding objects where webglHook cannot run, if webgl not allowed.
Diffstat (limited to 'src')
-rw-r--r--src/bg/RequestGuard.js15
-rw-r--r--src/bg/RequestUtil.js12
-rw-r--r--src/content/content.js4
-rw-r--r--src/content/media.js2
-rw-r--r--src/content/webglHook.js2
5 files changed, 20 insertions, 15 deletions
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
index 5a281fb..d13bf4b 100644
--- a/src/bg/RequestGuard.js
+++ b/src/bg/RequestGuard.js
@@ -390,8 +390,17 @@ var RequestGuard = (() => {
if (policy.autoAllowTop && request.type === "main_frame" && perms === policy.DEFAULT) {
policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
}
-
+
let {capabilities} = perms;
+ let isObject = request.type === "object";
+ if (isObject && !capabilities.has("webgl")) { // we can't inject webglHook
+ debug("Disabling scripts in object %s to prevent webgl abuse", url);
+ capabilities = new Set(capabilities);
+ capabilities.delete("script");
+ let r = Object.assign({}, request, {type: "webgl"});
+ TabStatus.record(r, "blocked");
+ Content.reportTo(r, false, "webgl");
+ }
let canScript = capabilities.has("script");
let blockedTypes;
@@ -419,7 +428,7 @@ var RequestGuard = (() => {
blocker = CSP.createBlocker(...blockedTypes);
}
- if (canScript) {
+ if (canScript && !isObject) {
if (!capabilities.has("webgl")) {
RequestUtil.executeOnStart(request, {
file: "/content/webglHook.js"
@@ -427,7 +436,7 @@ var RequestGuard = (() => {
}
if (!capabilities.has("media")) {
RequestUtil.executeOnStart(request, {
- code: "window.mediaBlocker = correctFrame();"
+ code: "window.mediaBlocker = true;"
});
}
diff --git a/src/bg/RequestUtil.js b/src/bg/RequestUtil.js
index 690d7ba..a5af09e 100644
--- a/src/bg/RequestUtil.js
+++ b/src/bg/RequestUtil.js
@@ -24,14 +24,13 @@
let scripts = pendingScripts.get(requestId);
if (!scripts) return -1;
pendingScripts.delete(requestId);
-
- let where = type === "object" ? {allFrames: true} : {frameId};
let count = 0;
let run = async details => {
details = Object.assign({
runAt: "document_start",
matchAboutBlank: true,
- }, details, where);
+ frameId
+ }, details);
try {
let res;
for (let attempts = 10; attempts-- > 0;) {
@@ -49,17 +48,14 @@
error(e, "Execute on start failed", url, details);
}
};
-
- await run({code: `void(window.correctFrame = () => "${url}" === document.URL && document.readyState === "loading")`});
await Promise.all([...scripts.values()].map(run));
- await run({code: `void(window.correctFrame = () => false)`});
return count;
};
{
let filter = {
urls: ["<all_urls>"],
- types: ["main_frame", "sub_frame", "object"]
+ types: ["main_frame", "sub_frame"]
};
let wr = browser.webRequest;
for (let event of ["onCompleted", "onErrorOccurred"]) {
@@ -81,7 +77,7 @@
executeOnStart(request, details) {
let {requestId, url, tabId, frameId, statusCode, type} = request;
- if (statusCode >= 300 && statusCode < 400) return;
+ if (statusCode >= 300 && statusCode < 400 || type === "object") return;
if (frameId === 0) {
let key = tabKey(tabId, url);
debug("Checking whether %s is a reloading tab...", key);
diff --git a/src/content/content.js b/src/content/content.js
index dd847f0..aea705e 100644
--- a/src/content/content.js
+++ b/src/content/content.js
@@ -100,8 +100,8 @@ async function init(oldPage = false) {
}
queryingCanScript = true;
- debug(`init() called in document %s, contentType %s readyState %s`,
- document.URL, document.contentType, document.readyState);
+ debug(`init() called in document %s, contentType %s readyState %s, frameElement %o`,
+ document.URL, document.contentType, document.readyState, window.frameElement && frameElement.data);
try {
let {canScript, shouldScript} = await browser.runtime.sendMessage({type: "canScript"});
diff --git a/src/content/media.js b/src/content/media.js
index ead6e05..5a6827a 100644
--- a/src/content/media.js
+++ b/src/content/media.js
@@ -1,4 +1,4 @@
-if (correctFrame()) {
+{
debug("Media Hook (blocked %s)", !!window.mediaBlocker, document.URL, document.documentElement && document.documentElement.innerHTML);
(() => {
let unpatched = new Map();
diff --git a/src/content/webglHook.js b/src/content/webglHook.js
index 39637e2..171ce59 100644
--- a/src/content/webglHook.js
+++ b/src/content/webglHook.js
@@ -1,4 +1,4 @@
-if (correctFrame()) {
+{
debug("WebGL Hook", document.URL, document.documentElement && document.documentElement.innerHTML);
let proto = HTMLCanvasElement.prototype;
let getContext = proto.getContext;