summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/bg/ChildPolicies.js25
-rw-r--r--src/common/Policy.js2
-rw-r--r--src/content/content.js8
-rw-r--r--src/content/staticNS.js21
4 files changed, 38 insertions, 18 deletions
diff --git a/src/bg/ChildPolicies.js b/src/bg/ChildPolicies.js
index 7f94ce0..7df3253 100644
--- a/src/bg/ChildPolicies.js
+++ b/src/bg/ChildPolicies.js
@@ -56,7 +56,7 @@
let protocolRx = /^(\w+):/i;
let pathRx = /(?:[^:/]\/|:\/{3})$/;
let portRx = /:\d+(?=\/|$)/;
- let validMatchPatternRx = /^(?:\*|(?:http|ws|ftp)s?|file):\/\/(?:\*|(?:\*\.)?[\w\u0100-\uf000][\w\u0100-\uf000.-]*)?\/(\*|[^*]*)$/;
+ let validMatchPatternRx = /^(?:\*|(?:http|ws|ftp)s?|file):\/\/(?:\*|(?:\*\.)?[\w\u0100-\uf000][\w\u0100-\uf000.-]*|\[[\w:]+\])?\/(\*|[^*]*)$/;
let validMatchPattern = mp => validMatchPatternRx.test(mp);
@@ -67,23 +67,30 @@
mp = Sites.cleanUrl(mp);
if (!mp) return false;
} else {
- let protocol = Sites.isSecureDomainKey(site) ? "https://" : "*://";
- mp = `${protocol}*`;
+ mp = Sites.isSecureDomainKey(site) ? "https://" : "*://";
let hostname = Sites.toggleSecureDomainKey(site, false).replace(portRx, '');
if (hostname && hostname !== ".") {
- if (!tld.preserveFQDNs) hostname = tld.normalize(hostname);
- mp += hostname.startsWith(".") ? hostname : `.${hostname}`;
+ if (tld.isIp(hostname) || hostname.includes("*")) {
+ mp += hostname;
+ } else {
+ if (!tld.preserveFQDNs) hostname = tld.normalize(hostname);
+ mp += hostname.startsWith(".") ? `*${hostname}` : `*.${hostname}`;
+ }
+ } else {
+ mp += "*";
}
if (!(hostname && hostname.includes("/"))) mp += "/";
}
- return validMatchPatternRx.test(mp) && (
- mp.endsWith("/") ? `${mp}*` : [mp, `${mp}?*`, `${mp}#*`]);
+ return validMatchPattern(mp) &&
+ (mp.endsWith("/") ? `${mp}*` : [mp, `${mp}?*`, `${mp}#*`]);
};
let withFQDNs = patterns => {
- return tld.preserveFQDNs ? patterns : patterns.concat(
- patterns.map(p => p.replace(/^(?:\w+|\*):\/\/[^/]*[^.*/]/, '$&.')
+ if (tld.preserveFQDNs) return patterns;
+ let rx = /^(?:\w+|\*):\/\/([^/]*[^.*/])/;
+ return patterns.concat(
+ patterns.map(p => p.replace(rx, (m, host) => tld.isIp(host) ? m : m + ".")
).filter(validMatchPattern)
);
}
diff --git a/src/common/Policy.js b/src/common/Policy.js
index 37bd164..55e9ad1 100644
--- a/src/common/Policy.js
+++ b/src/common/Policy.js
@@ -11,7 +11,7 @@ var {Permissions, Policy, Sites} = (() => {
class Sites extends Map {
static secureDomainKey(domain) {
- return domain.includes(":") ? domain : `${SECURE_DOMAIN_PREFIX}${domain}`;
+ return /^[ยง\w]+:/.test(domain) ? domain : `${SECURE_DOMAIN_PREFIX}${domain}`;
}
static isSecureDomainKey(domain) {
return domain.startsWith(SECURE_DOMAIN_PREFIX);
diff --git a/src/content/content.js b/src/content/content.js
index fc76906..dc493c2 100644
--- a/src/content/content.js
+++ b/src/content/content.js
@@ -49,15 +49,9 @@ var notifyPage = async () => {
if (document.readyState === "complete") {
try {
if (!("canScript" in ns)) {
- let childPolicy = await Messages.send("fetchChildPolicy", {url: document.URL});
- if (!childPolicy) {
- debug(`No answer to fetchChildPolicy message. This should not be happening.`);
- return;
- }
- ns.setup(childPolicy.permissions, childPolicy.MARKER);
+ ns.fetchPolicy();
return;
}
-
await Messages.send("pageshow", {seen: seen.list, canScript: ns.canScript});
return true;
} catch (e) {
diff --git a/src/content/staticNS.js b/src/content/staticNS.js
index 6179da0..4e192b8 100644
--- a/src/content/staticNS.js
+++ b/src/content/staticNS.js
@@ -33,7 +33,17 @@
backlog.add(eventName);
},
- setup(permissions, MARKER) {
+ async fetchPolicy() {
+ let policy = await Messages.send("fetchChildPolicy", {url: document.URL});
+ if (!policy) {
+ debug(`No answer to fetchChildPolicy message. This should not be happening.`);
+ return false;
+ }
+ this.setup(policy.permissions, policy.MARKER, true);
+ return true;
+ },
+
+ setup(permissions, MARKER, fetched = false) {
this.config.permissions = permissions;
// ugly hack: since now we use registerContentScript instead of the
@@ -75,6 +85,15 @@
this.capabilities = Object.assign(
new Set(["script"]), { has() { return true; } });
} else {
+ if (!fetched) {
+ let hostname = window.location.hostname;
+ if (hostname && hostname.startsWith("[")) {
+ // WebExt match patterns don't seem to support IPV6 (Firefox 63)...
+ debug("Ignoring child policy setup parameters for IPV6 address %s, forcing IPC...", hostname);
+ this.fetchPolicy();
+ return;
+ }
+ }
let perms = this.config.permissions;
this.capabilities = new Set(perms.capabilities);
new DocumentCSP(document).apply(this.capabilities, this.embeddingDocument);